mschap via ntlm_auth over a socket

A.L.M.Buxey at A.L.M.Buxey at
Wed Dec 3 13:32:55 CET 2014


any performance improvements for ntlm_auth are welcome...especially a c. 25% increase

care to port to 2.2.x release? :-)

> We've done things like tweak "winbind max domain connections" and
> "winbind max clients", but can't seem to get winbind to connect to
> more than one DC, or seemingly parallelise anything in any way.

no. winbind in 3.x is dumb... the version with samba 4 has the ability to load balance
but, from what I've seen with the CentOS7/RH7 releases, they haven't enabled/allowed
that feature, so you have to build from source - but there have been MANY bug and performance
fixes in 4.x for winbindd too

> Though reading archives it looks like we may have to use Samba 4
> for that (though I still don't understand the reason for the max
> connections option if it can't/won't do it; I must be missing
> something).

for 3.x we see that option working - you may have to check your windows server
to see how many connections it allows - as it's limited by default at that end

> It seems ntlm_auth has a "--helper-protocol" option to enable it
> to start and then process requests over stdin/stdout. This should
> at least cut out the process exec time. So I've hacked around and
> updated the mschap module in a couple of ways to allow use of
> this.

another thought for performance is to not use disk for the TDB files - especially
the winbind_privileged pipe. 

> it would be good. I fear with the amount of change control (and/or
> paranoia) we have now, it's going to take me a while to get FR3
> near the wireless controllers :(

similar here - the jump to FR3 is a big move (we're using it for new systems
for other purposes though!) - hopefully this will gain us the uptime/knowledge
etc etc to smooth the transition for the wireless stuff

> domain. I'm getting these results. Note that the test (eapol_test)
> is run sequentially, so I'm artificially limiting the throughput
> there. All tests PEAP/EAP-MSCHAPv2 and FR threaded (not in debug
> mode).

tempting to run a parallel eapol_test flood :-)


More information about the Freeradius-Devel mailing list
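The quoted part of the message describes hacking rlm_mschap to keep one ntlm_auth process alive in `--helper-protocol` mode and feed it requests over stdin/stdout instead of exec'ing ntlm_auth per authentication. The following is an added example of what that stdin/stdout exchange looks like from the RADIUS side; it is not FreeRADIUS or Samba code. The request and reply field names (Username, NT-Domain, LANMAN-Challenge, NT-Response, Request-User-Session-Key; Authenticated, User-Session-Key, Authentication-Error) are my recollection of Samba's ntlm-server-1 helper protocol and should be checked against the ntlm_auth manual page for your Samba version; the challenge, response and helper replies are constructed samples so the module runs offline.

```python
"""Driving `ntlm_auth --helper-protocol=ntlm-server-1` over stdin/stdout.

Added example for the thread above; not FreeRADIUS or Samba code.  The field
names (Username, NT-Domain, LANMAN-Challenge, NT-Response,
Request-User-Session-Key; Authenticated, User-Session-Key,
Authentication-Error) are my recollection of Samba's ntlm-server-1 helper
protocol and should be verified against ntlm_auth(1) for your Samba version.
The helper replies below are constructed samples so the module runs offline.
"""
import io
import subprocess
from typing import Dict, Optional, TextIO, Tuple

HELPER_CMD = ["ntlm_auth", "--helper-protocol=ntlm-server-1"]  # assumed CLI form

# Constructed sample inputs (not real credentials): the 8-byte MS-CHAPv2
# challenge rlm_mschap derives from peer/auth challenge + username, and the
# 24-byte NT-Response sent by the supplicant.
SAMPLE_CHALLENGE = bytes(range(8))
SAMPLE_NT_RESPONSE = bytes(range(24))

# Constructed helper replies in the "Key: value ... ." shape the helper uses.
GOOD_REPLY = ("Authenticated: Yes\n"
              "User-Session-Key: 00112233445566778899AABBCCDDEEFF\n"
              ".\n")
BAD_REPLY = ("Authenticated: No\n"
             "Authentication-Error: NT_STATUS_WRONG_PASSWORD\n"
             ".\n")


def build_request(username: str, domain: str, challenge: bytes,
                  nt_response: bytes, want_nt_key: bool = True) -> str:
    """One request: "Key: value" lines, hex for binary fields, a lone '.' to end."""
    if len(challenge) != 8:
        raise ValueError("MS-CHAP challenge must be 8 bytes")
    if len(nt_response) != 24:
        raise ValueError("NT-Response must be 24 bytes")
    if "\n" in username or "\n" in domain:
        raise ValueError("newline in username/domain would desynchronise the protocol")
    lines = [f"Username: {username}", f"NT-Domain: {domain}",
             f"LANMAN-Challenge: {challenge.hex()}",
             f"NT-Response: {nt_response.hex()}"]
    if want_nt_key:
        # The NT key is what rlm_mschap needs to derive MPPE keys for PEAP.
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return "\n".join(lines) + "\n"


def read_reply(stdout: TextIO) -> Dict[str, str]:
    """Collect "Key: value" lines until the terminating '.' line."""
    fields: Dict[str, str] = {}
    while True:
        line = stdout.readline()
        if line == "":
            # EOF mid-reply means the helper died; the caller must respawn it.
            raise EOFError("ntlm_auth helper closed its stdout")
        line = line.rstrip("\r\n")
        if line == ".":
            return fields
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()


def authenticate(stdin: TextIO, stdout: TextIO, username: str, domain: str,
                 challenge: bytes, nt_response: bytes
                 ) -> Tuple[bool, Optional[bytes], str]:
    """One round trip on an already-running helper.

    Returns (authenticated, nt_key_or_None, error_text).  Requests on one
    helper are strictly sequential, so callers wanting parallelism run a pool
    of helpers (one per worker thread) rather than sharing one pipe pair.
    """
    stdin.write(build_request(username, domain, challenge, nt_response))
    stdin.flush()
    reply = read_reply(stdout)
    if reply.get("Authenticated") != "Yes":
        return False, None, reply.get("Authentication-Error", reply.get("Error", ""))
    key_hex = reply.get("User-Session-Key", "")
    return True, bytes.fromhex(key_hex) if key_hex else None, ""


def spawn_helper() -> subprocess.Popen:
    """Start one long-lived helper with line-buffered text pipes."""
    return subprocess.Popen(HELPER_CMD, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)


def demo() -> Tuple[Tuple[bool, Optional[bytes], str],
                    Tuple[bool, Optional[bytes], str]]:
    """Run the two constructed exchanges without a real helper."""
    good = authenticate(io.StringIO(), io.StringIO(GOOD_REPLY),
                        "jbloggs", "EXAMPLE", SAMPLE_CHALLENGE, SAMPLE_NT_RESPONSE)
    bad = authenticate(io.StringIO(), io.StringIO(BAD_REPLY),
                       "jbloggs", "EXAMPLE", SAMPLE_CHALLENGE, SAMPLE_NT_RESPONSE)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Against a real helper you would pass `proc.stdin` and `proc.stdout` from `spawn_helper()` to `authenticate()`; the point of the design is that the process is paid for once and each PEAP/EAP-MSCHAPv2 inner authentication then costs one line-oriented round trip. The EOF check in `read_reply` matters in production: a helper that exits (winbind restart, crash) leaves the pipe closed, and without respawning the module would stall every request on that worker.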