mschap via ntlm_auth over a socket

Phil Mayers p.mayers at
Thu Dec 4 15:38:06 CET 2014

On 03/12/14 14:00, Matthew Newton wrote:

> Debian wheezy - winbind 3.6.6.
> lsof shows 5 connections to a single DC, as you say. But tcpdump
> shows essentially all connections coming from a single TCP source

> Also, winbind debug logs (-d4) show each request with "child
> daemon request 14" / "Finished processing child request 14", which

Both those imply to me that winbind isn't seeing the need to use a 
parallel connection, almost as if the *offered* load is being limited 
before hitting winbind pipe dispatch, as opposed to anything else.

Concurrency in winbind prior to the dispatch? Or before connecting to 
the pipe e.g. locking inside the .tdb files?

We're on pretty quick hardware that might be hiding some of these now.

> Thanks. Actually, on a quiet RADIUS server it looks like the
> normal request time is just over 1ms. I guess the question is if
> it goes up significantly for a busy server, which that would show.

For an MSCHAP auth RPC, round-trip, or ntlm_auth start-to-end?

For comparison, we see:

on-the-wire RTT for the RPCs
  * mean/median 4.1/3.9msec
  * stddev 2.8
  * 5-95%ile range 0.5-8.3msec

start-to-end ntlm_auth:
  * mean/median 16.4/12.2msec
  * stddev 21.9
  * 5-95%ile range 10.0-56.3msec

However, there's a very odd double-peak structure to the ntlm_auth times 
with a second, much smaller peak at around 50-60msec, which I don't know 
the cause of.

More information about the Freeradius-Devel mailing list