post-auth for proxied peap inner

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 28 17:18:22 CET 2013


On 28/10/13 14:31, Alan DeKok wrote:
>
>    The load of fork / exec shouldn't be a problem.

Unfortunately we ran out of time debugging this properly and just threw 
hardware at the problem, and it has resolved the issue.

Annoyingly, it was expedient to roll out the new hardware with our 
existing 2.x.x config, which means I need to go back to the start of my 
3.x migration :o(

I plan to go back and reproduce on the old server once I have time and 
definitely identify whether it was an internal winbind concurrency 
issue, fork/exec load or something else - it's possible we were just 
loading the old boxes too hard, and the new hardware is a *lot* quicker.

>
>    Perhaps a better solution would be to run ntlm_auth in "pipe" mode.
> That would remove the fork/exec issue, and perhaps allow for greater
> concurrency.

There's some evidence Samba 3.6 is better in this regard too - for one 
thing, you can set "winbind max domain connections" and have >1 DC MSRPC 
pipe.

