post-auth for proxied peap inner
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 28 17:18:22 CET 2013
On 28/10/13 14:31, Alan DeKok wrote:
>
> The load of fork / exec shouldn't be a problem.
Unfortunately we ran out of time debugging this properly and just threw
hardware at the problem, and it has resolved the issue.
Annoyingly, it was expedient to roll out the new hardware with our
existing 2.x.x config, which means I need to go back to the start of my
3.x migration :o(
I plan to go back and reproduce on the old server once I have time and
definitely identify whether it was an internal winbind concurrency
issue, fork/exec load or something else - it's possible we were just
loading the old boxes too hard, and the new hardware is a *lot* quicker.
>
> Perhaps a better solution would be to run ntlm_auth in "pipe" mode.
> That would remove the fork/exec issue, and perhaps allow for greater
> concurrency.
There's some evidence Samba 3.6 is better in this regard too - for one
thing, you can set "winbind max domain connections" and have >1 DC MSRPC
pipe.
More information about the Freeradius-Devel
mailing list