mschap via ntlm_auth over a socket
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 4 15:38:06 CET 2014
On 03/12/14 14:00, Matthew Newton wrote:
> Debian wheezy - winbind 3.6.6.
>
> lsof shows 5 connections to a single DC, as you say. But tcpdump
> shows essentially all connections coming from a single TCP source
> Also, winbind debug logs (-d4) show each request with "child
> daemon request 14" / "Finished processing child request 14", which

Both those imply to me that winbind isn't seeing the need to use a
parallel connection, almost as if the *offered* load is being limited
before hitting winbind pipe dispatch, as opposed to anything else.

Concurrency in winbind prior to the dispatch? Or before connecting to
the pipe e.g. locking inside the .tdb files?

We're on pretty quick hardware that might be hiding some of these now.

> Thanks. Actually, on a quiet RADIUS server it looks like the
> normal request time is just over 1ms. I guess the question is if
> it goes up significantly for a busy server, which that would show.

For an MSCHAP auth RPC, round-trip, or ntlm_auth start-to-end?

For comparison, we see:

on-the-wire RTT for the RPCs

* mean/median 4.1/3.9msec
* stddev 2.8
* 5-95%ile range 0.5-8.3msec

start-to-end ntlm_auth:

* mean/median 16.4/12.2msec
* stddev 21.9
* 5-95%ile range 10.0-56.3msec

However, there's a very odd double-peak structure to the ntlm_auth times
with a second, much smaller peak at around 50-60msec, which I don't know
the cause of.