<div dir="ltr"><div><div>Thanks John and all.<br><br></div>Just one question though. I installed a new freeradius server (all for testing purposes) with the new samba 3.6.9. I did not have to start the smb/nmb daemons; I just started winbind and it all worked. This is probably normal?<br></div><div><br></div>In my production environment, I have samba, winbind and nmb running, where a lower version of samba is installed.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 3, 2014 at 1:53 PM, John Douglass <span dir="ltr"><<a href="mailto:john.douglass@oit.gatech.edu" target="_blank">john.douglass@oit.gatech.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    You have to be using Samba 3.6 or higher.<br>
    <br>
    - JohnD<div><div class="h5"><br>
    <br>
    <div>On 10/02/2014 08:12 PM, Rando Nakarmi
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">when I set <span>winbind max domain
          connections = 12</span><br>
        <br>
        I get following message <br>
        <br>
        Ignoring unknown parameter "winbind max domain connections"<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Oct 2, 2014 at 4:56 PM, John
          Douglass <span dir="ltr"><<a href="mailto:john.douglass@oit.gatech.edu" target="_blank">john.douglass@oit.gatech.edu</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span> <br>
                <div>On 10/02/2014 12:35 PM, Rando Nakarmi wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">Hello John,
                    <div><br>
                    </div>
                    <div>Thanks</div>
                    <div><br>
                    </div>
                    <div>You increased max_request = 16384 (so you have
                      only 64 clients?)</div>
                  </div>
                </blockquote>
                <br>
              </span> That was a cut/paste from Phil Huxley who
              responded to my question. I'm still figuring out how to
              optimize. I can say that the max domain connections helped
              A LOT. However, the faster you churn, the more you might
              hit the Cisco WLC bug. We've seen _less_ but we've added
              radius servers and moved some controllers to their own
              radius server pairs. I hate adding radius servers as I
              feel it masks the real problem and it doesn't solve peak
              (change of classes) issues.<span><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>You set winbind max domain connections = 12
                      (how do I know which value is right?) (we have
                      around 300 clients (WAPs))</div>
                  </div>
                </blockquote>
              </span> It's really mainly about handling peak
              connections. With 300 WAPs you probably won't go that
              high. I have about 500 aps/controller but we have 30k
              users online at once spread across maybe 20 controllers
              with multiple controllers on each radius server.<br>
              <br>
              Actually I increased winbind max domain connections to
              128. The way I kind of felt that out was to (on the
              linux/unix server)<br>
              <br>
              lsof | grep winbind | grep TCP<br>
              <br>
              You can see the number of TCP connections to the AD
              server. We were hitting our initial limit of 50 during peak
              times. I just increased it to a high enough number that
              I probably won't reach it. The number of connections goes
              up and down. On a radius failover we might be generating a
              lot of connections, but they eventually close and die off.<span><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div><br>
                    </div>
                    <div>So I set max_request = 300*256 (I use 256,
                      the value which is in the radiusd.conf file)</div>
                    <div><br>
                    </div>
                    <div>winbind max clients = 1200 (has anybody used
                      this parameter? Does this mean how many winbind
                      clients can connect to AD?)<br>
                    </div>
                  </div>
                </blockquote>
                <br>
              </span> I'm actually not 100% sure on that stat/setting.
              :) I don't think I really care about it enough. Not really
              sure how to determine this one. The documentation isn't
              really pointing out what that means (on <a href="http://samba.org" target="_blank">samba.org</a>)
              <div>
                <div><br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>--cheers</div>
                      <div>Rando</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Oct 2, 2014 at
                        3:27 PM, John Douglass <span dir="ltr"><<a href="mailto:john.douglass@oit.gatech.edu" target="_blank">john.douglass@oit.gatech.edu</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> :)
                            Rando,<br>
                            <br>
                            There has been much discussion on this list
                            about that problem. If you are using a Cisco
                            WLC, there is a flaw in the way radius is
                            processed which could lead to these log
                            messages. Here is the previous set of
                            threads that have some pointers as to what
                            to look at.<br>
                            <br>
                            Cisco WLCs use the same source port, and the
                            8-bit ID that is used to track radius
                            conversations gets cycled so fast during peak
                            times that it creates duplicates where
                            there really shouldn't be any. We are pushing
                            Cisco hard to fix this flaw in their design,
                            especially since they are creating
                            controllers with more and more capacity. The
                            problem is only going to get worse.<br>
                            <br>
                            I highly suggest you move to radius 2.2.5,
                            enable the ntlm_auth timeout and upgrade
                            your samba to 3.6, where you can add some
                            additional parameters. Here are some hints
                            that Phil Huxley shared with us that have
                            been helpful in making our services better.
                            The issues haven't been handled 100%, and
                            there are other things to consider, like, if
                            using a Cisco WLC, enabling client
                            exclusion, etc., but I don't have a ton
                            of info on that as I just run the radius
                            servers.<br>
                            <br>
                            <a href="http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html" target="_blank">http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html</a><br>
                            <br>
                            - John Douglass @ Georgia Tech<br>
                            <br>
                            PS: I really need to write up a blog post
                            about this :) <br>
                            PPS: Yes, we know AD is slow and it sucks as
                            a backend, but for a lot of us, it's what we
                            have to deal with :)
                            <div>
                              <div><br>
                                <br>
                                <br>
                                <div>On 10/02/2014 11:10 AM, Rando
                                  Nakarmi wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">
                                    <div>I have been seeing quite a large
                                      number of messages like the one below
                                      logged in radius.log lately.</div>
                                    <div><br>
                                    </div>
                                    Discarding duplicate request from
                                    client classroom98 port 32880 - ID:
                                    131 due to unfinished request 241848<br>
                                    <div><br>
                                    </div>
                                    <div>I read some threads; this might
                                      be the case when the back-end servers
                                      (i.e. auth servers) are too slow to
                                      respond. </div>
                                    <div><br>
                                    </div>
                                    <div>My back-end is AD, using
                                      ntlm_auth. </div>
                                    <div>radius version 2.1.12-4</div>
                                    <div>samba version 3.5.8-68</div>
                                    <div><br>
                                    </div>
                                    <div>Any hints or suggestion how to
                                      resolve this would be very
                                      helpful.</div>
                                    <div><br>
                                    </div>
                                    <div>Most of the users get
                                      authenticated (I don't think
                                      ntlm_auth is responding slowly); I
                                      could not figure this out.</div>
                                    <div><br>
                                    </div>
                                    <div>--cheers,</div>
                                    <div>Rando</div>
                                  </div>
                                  <br>
                                  <br>
                                </div>
                              </div>
                              <span>
                                <pre>-
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></pre>
                              </span></blockquote>
                            <br>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
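<div>The thread above comes down to two practical checks: how often the server is discarding duplicates per client source port, and whether a controller can be cycling its 8-bit RADIUS Identifier faster than the AD backend answers. The Python below is an added example; it is not code from the thread, from FreeRADIUS or from Samba. The log lines are constructed to match the format quoted in the thread, and the function names are my own. It parses the discard messages, counts them per (client, port), and applies Little's law to estimate how many requests a single source has in flight: RFC 2865 gives the Identifier one octet, and the server matches retransmits on source IP, source port and Identifier, so more than 256 outstanding requests from one IP/port pair guarantees ID reuse regardless of how the controller picks IDs.</div>

```python
import re
from collections import Counter, defaultdict

RADIUS_ID_SPACE = 256  # RFC 2865: the Identifier field is a single octet

# Constructed sample lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = """\
Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
Discarding duplicate request from client classroom98 port 32880 - ID: 131 due to unfinished request 241848
Discarding duplicate request from client classroom98 port 32880 - ID: 7 due to unfinished request 241902
Discarding duplicate request from client library12 port 32770 - ID: 200 due to unfinished request 242011
Received Access-Request packet from client classroom98 port 32880 - ID: 9
"""

# Regex for the discard message as it appears in radius.log (hypothetical name).
DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port (?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)"
)


def parse_duplicates(text):
    """Return a list of (client, port, identifier, unfinished_request) tuples,
    one per 'Discarding duplicate request' line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m:
            out.append((m["client"], int(m["port"]), int(m["id"]), int(m["req"])))
    return out


def summarize(dups):
    """Map (client, port) -> (number of discard events, number of distinct IDs).

    One source port with many distinct IDs being discarded points at ID-space
    churn (the WLC behaviour described in the thread) rather than a single
    client retransmitting one request.
    """
    per_source = Counter()
    ids_seen = defaultdict(set)
    for client, port, rid, _req in dups:
        per_source[(client, port)] += 1
        ids_seen[(client, port)].add(rid)
    return {src: (n, len(ids_seen[src])) for src, n in per_source.items()}


def outstanding_requests(requests_per_second, backend_latency_s):
    """Little's law: requests in flight from one source equals the arrival
    rate times the time each request stays pending (here, ntlm_auth latency)."""
    return requests_per_second * backend_latency_s


def id_reuse_unavoidable(requests_per_second, backend_latency_s):
    """True when a single (client IP, source port) must reuse an 8-bit
    Identifier before the earlier request finishes, i.e. when more than
    256 requests are in flight from that one source at once."""
    return outstanding_requests(requests_per_second, backend_latency_s) > RADIUS_ID_SPACE


if __name__ == "__main__":
    dups = parse_duplicates(SAMPLE_LOG)
    for (client, port), (events, distinct_ids) in summarize(dups).items():
        print(f"{client}:{port} discarded={events} distinct_ids={distinct_ids}")
    # One controller sending 300 auths/s against a backend that takes 1 s
    # has 300 requests pending on one source port: ID reuse is guaranteed.
    print("reuse unavoidable at 300 req/s, 1.0 s latency:", id_reuse_unavoidable(300, 1.0))
```

<div>The useful reading of the output is the ratio of distinct IDs to discard events per source port: a high ratio means the controller is wrapping its Identifier space, and the fix is on the latency side (ntlm_auth timeout, winbind max domain connections) or on the controller side (more source ports, client exclusion), not in max_requests alone, which only governs how many requests the server will hold open.</div>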