On Fri, Feb 20, 2015 at 09:29:14AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
auths/second. This one has peaked at nearly 90 auths/second. This is nice - it seems execing ntlm_auth really is the problem (this is Samba 3.6.6, all running on HP DL380G6, 2-CPU Xen VMs ~1Gb RAM [mostly unused]).
oh its running ntlm_auth thats the bottleneck for sure - as the server can do many x100's more PEAP when using users file, LDAP or SQL backends.
Yeah, of course - but the question really is, is it execing ntlm_auth that is the bottleneck, or is it the handling of the auth through winbind. It seems that, in our case at present anyway, winbind can cope just fine.
Add ntlm_auth helper mode to 3.0.x now, which should be safe and run on anything that has ntlm_auth. And will be, IMO, nearly as fast as calling libwbclient directly. This should fix the AD auth issues for anyone with FR3. (I'm happy to provide patches as-is for Samba and FR2 for any that want, but they're not going to be merged.)
Finish and submit patch to Samba, then add libwbclient mode either later on in 3.0.x or more likely to 3.1.x, due to the timescales of the Samba release.
i thought we were going for all approaches andway - libwbclient method, ntlm_auth helper mode etc etc.
That was my idea and code, but Alan and Arran suggested in the PR to not have too many choices. I'm inclined to agree that eventually just authenticating via libwbclient is probably the right way to go (though some people might want the option to exec, if they're doing something esoteric or not with Samba). The question for me is the transition period, and the fact people are having auth issues now.
I would just go for 3.0.x now anyway (I think Alan would say theres no choice, 2.x has no new features....) that MIGHT match the timescales for some distros anyway - and if there can be a run-time check for libwbclient thread-safe then it can use the feature.
It's a build test - essentially whether wbcCtxAuthenticateUserEx exists in the library or not. I guess it could be done at runtime, but that gets a bit messy. Recompiling FreeRADIUS is quick and easy. Recompiling Samba takes a significant amount of time and is IMO a much bigger task. Hence using a distribution version is easier.
the other small performance tweak is to get the privileged file off disk - use tmpfs/ramdisk for the file (particularly in VMs!!)
Can't see that moving the privilege socket to tmpfs is likely to help much - it's only a socket? However, moving winbind's netsamlogon cache to tmpfs may help - we really don't care about uid mapping for this functionality, and there is no point winbind performing IO for each auth to keep a record of the uid numbers. But I've not dug into that enough yet to see if anything can or ought to be done, only that the files in /var/cache/samba are being continuously updated with Samba 3.6. Cheers! Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>