<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You have to be using Samba 3.6+ or higher.<br>
<br>
- JohnD<br>
<br>
<div class="moz-cite-prefix">On 10/02/2014 08:12 PM, Rando Nakarmi
wrote:<br>
</div>
<blockquote
cite="mid:CAG+85v_EJiq7k2jbTHY1RQ8CZsdbSkNgi6y5F+vEmWxi8u5TcQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">when I set <span class="im">winbind max domain
connections = 12</span><br>
<br>
I get following message <br>
<br>
Ignoring unknown parameter "winbind max domain connections"<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 2, 2014 at 4:56 PM, John
Douglass <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.douglass@oit.gatech.edu" target="_blank">john.douglass@oit.gatech.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""> <br>
<div>On 10/02/2014 12:35 PM, Rando Nakarmi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello John,
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>you increased max_request = 16384 (so you have
only 64 clients ?)</div>
</div>
</blockquote>
<br>
</span> That was a cut/paste from Phil Huxley who
responded to my question. I'm still figuring out how to
optimize. I can say that the max domain connections helped
A LOT. However, the faster you churn, the more you might
hit the Cisco WLC bug. We've seen _less_ but we've added
radius servers and moved some controllers to their own
radius server pairs. I hate adding radius servers as I
feel it masks the real problem and it doesn't solve peak
(change of classes) issues.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>you set winbind max domain connections = 12
(how do I know which value is right?) (we have
around 300 clients (WAPs))</div>
</div>
</blockquote>
</span> It's really mainly about handling peak
connections. With 300 WAPs you probably won't go that
high. I have about 500 aps/controller but we have 30k
users online at once spread across maybe 20 controllers
with multiple controllers on each radius server.<br>
<br>
Actually I increased winbind max domain connections to
128. The way I kind of felt that out was to (on the
linux/unix server)<br>
<br>
lsof | grep winbind | grep TCP<br>
<br>
You can see the number of TCP connections to the AD
server. We were hitting our initial limit of 50 during peak
times. I just increased it to a high enough number so that
I probably won't reach it. The number of connections goes
up and down. On a radius failover we might be generating a
lot of connections but they eventually close and die off.<span
class=""><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>so I set the max_request= 300*256 (I use 256
the value which is in the radious.conf file)</div>
<div><br>
</div>
<div>winbind max clients = 1200 (has anybody used
this parameter? Does this mean how many winbind
clients can connect to AD?)<br>
</div>
</div>
</blockquote>
<br>
</span> I'm actually not 100% sure on that stat/setting.
:) I don't think I really care about it enough. Not really
sure how to determine this one. The documentation isn't
really pointing out what that means (on <a
moz-do-not-send="true" href="http://samba.org"
target="_blank">samba.org</a>)
<div>
<div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>--cheers</div>
<div>Rando</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Oct 2, 2014 at
3:27 PM, John Douglass <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:john.douglass@oit.gatech.edu"
target="_blank">john.douglass@oit.gatech.edu</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> :)
Rando,<br>
<br>
There has been much discussion on this list
about that problem. IF you are using Cisco
WLC, there is a flaw in the way radius is
processed which could lead to these log
messages. Here is the previous set of
threads that have some pointers as to what
to look at.<br>
<br>
Cisco WLCs use the same source port and the
8-bit ID that is used to track radius
conversations during peak times, gets cycled
so fast that it creates duplicates where
there really shouldn't be. We are pushing
Cisco hard to fix this flaw in their design
especially since they are creating
controllers with more and more capacity. The
problem is only going to get worse.<br>
<br>
I highly suggest you move to radius 2.2.5
and enable the ntlm_auth timeout and upgrade
your samba to 3.6 where you can add some
additional parameters. Here are some hints
that Phil Huxley shared with us that have
been helpful in making our services better.
The issues haven't been handled 100%, and
there are other things to consider like if
using a Cisco WLC, enabling client
exclusion, etc, etc but I don't have a ton
of info on that as I just run the radius
servers.<br>
<br>
<a moz-do-not-send="true"
href="http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html"
target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html</a><br>
<br>
- John Douglass @ Georgia Tech<br>
<br>
PS: I really need to write up a blog post
about this :) <br>
PPS: Yes we know AD is slow and it sucks as
a backend but for a lot of us, it's what we
have to deal with :)
<div>
<div><br>
<br>
<br>
<div>On 10/02/2014 11:10 AM, Rando
Nakarmi wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>I have been seeing quite a large
number of messages like the one below
logged in radius.log lately.</div>
<div><br>
</div>
Discarding duplicate request from
client classroom98 port 32880 - ID:
131 due to unfinished request 241848<br>
<div><br>
</div>
<div>I read some threads; this might
be the case when back-end servers
(i.e. auth servers) are too slow to
respond. </div>
<div><br>
</div>
<div>My back-end is AD, using
ntlm_auth. </div>
<div>radius version 2.1.12-4</div>
<div>samba version 3.5.8-68</div>
<div><br>
</div>
<div>Any hints or suggestion how to
resolve this would be very
helpful.</div>
<div><br>
</div>
<div>Most of the users get
authenticated (I don't think
ntlm_auth is responding slowly); I
could not figure this out</div>
<div><br>
</div>
<div>--cheers,</div>
<div>Rando</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<span>
<pre>-
List info/subscribe/unsubscribe? See <a moz-do-not-send="true" href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></pre>
</span></blockquote>
<br>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
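The tuning check described in the thread (count winbindd's TCP connections to AD at peak, compare them with winbind max domain connections, and watch the "Discarding duplicate request" messages per client), as an added shell example that is not part of the original e-mails. The lsof flags stand in for the lsof | grep pipeline; the sample data, the log timestamp prefix, the function names and the 80% threshold are assumptions.

```shell
#!/bin/sh
# Added example. All sample data is constructed; addresses and client names are placeholders.

# Constructed output in the format of `lsof -nP -c winbindd -a -i TCP`.
SAMPLE_LSOF='COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
winbindd 2101 root 24u IPv4 88101 0t0 TCP 10.0.0.5:48712->10.0.1.10:445 (ESTABLISHED)
winbindd 2101 root 25u IPv4 88102 0t0 TCP 10.0.0.5:48713->10.0.1.10:389 (ESTABLISHED)
winbindd 2107 root 24u IPv4 88140 0t0 TCP 10.0.0.5:48720->10.0.1.11:445 (ESTABLISHED)
winbindd 2107 root 26u IPv4 88151 0t0 TCP 10.0.0.5:48731->10.0.1.10:445 (CLOSE_WAIT)'

# Constructed radius.log lines; the timestamp/"Error:" prefix is an assumed layout.
SAMPLE_LOG='Thu Oct  2 11:05:13 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
Thu Oct  2 11:05:13 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 132 due to unfinished request 241849
Thu Oct  2 11:05:14 2014 : Info: Ready to process requests.
Thu Oct  2 11:05:14 2014 : Error: Discarding duplicate request from client library12 port 32771 - ID: 7 due to unfinished request 241850
Thu Oct  2 11:05:15 2014 : Error: Discarding duplicate request from client classroom98 port 32880 - ID: 133 due to unfinished request 241851'

# stdin: lsof output. Prints "<count> <remote host>" for ESTABLISHED winbindd
# sockets only, busiest first, so half-closed sockets do not inflate the count.
winbind_conns_by_dc() {
    awk '$1 == "winbindd" && $NF == "(ESTABLISHED)" {
             for (i = 1; i <= NF; i++) if ($i ~ /->/) {
                 split($i, ends, "->"); sub(/:[^:]*$/, "", ends[2]); n[ends[2]]++
             }
         }
         END { for (dc in n) print n[dc], dc }' | sort -k1,1nr -k2,2
}

# stdin: lsof output; $1: configured "winbind max domain connections".
# Follows the thread's heuristic of comparing the total socket count with the limit.
# Prints "<used> <limit> OK|NEAR-LIMIT"; the 80% threshold is an arbitrary choice.
winbind_headroom() {
    limit=$1
    used=$(winbind_conns_by_dc | awk '{ s += $1 } END { print s + 0 }')
    if [ $((used * 100)) -ge $((limit * 80)) ]; then state=NEAR-LIMIT; else state=OK; fi
    echo "$used $limit $state"
}

# stdin: radius.log. Prints "<count> <client>" for duplicate-request discards.
dup_discards_by_client() {
    sed -n 's/.*Discarding duplicate request from client \([^ ]*\) port [0-9]* - ID: [0-9]* due to unfinished request.*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Live use: lsof -nP -c winbindd -a -i TCP | winbind_headroom 128
printf '%s\n' "$SAMPLE_LSOF" | winbind_headroom 128
printf '%s\n' "$SAMPLE_LOG" | dup_discards_by_client
```

Sampling winbind_headroom at intervals during peak periods shows whether the limit is being reached at the same times the discard counts rise.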
</body>
</html>