ntlm_auth improvements

Matthew Newton mcn4 at leicester.ac.uk
Fri Feb 20 11:50:53 CET 2015

On Fri, Feb 20, 2015 at 09:29:14AM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> > auths/second. This one has peaked at nearly 90 auths/second. This
> > is nice - it seems execing ntlm_auth really is the problem (this
> > is Samba 3.6.6, all running on HP DL380G6, 2-CPU Xen VMs ~1Gb RAM
> > [mostly unused]).
> oh it's running ntlm_auth that's the bottleneck for sure - as the server
> can do many x100's more PEAP when using users file, LDAP or SQL backends.

Yeah, of course - but the question really is, is it execing
ntlm_auth that is the bottleneck, or is it the handling of the
auth through winbind.

It seems that, in our case at present anyway, winbind can cope
just fine.

> > Add ntlm_auth helper mode to 3.0.x now, which should be safe and
> > run on anything that has ntlm_auth. And will be, IMO, nearly as
> > fast as calling libwbclient directly. This should fix the AD auth
> > issues for anyone with FR3. (I'm happy to provide patches as-is
> > for Samba and FR2 for any that want, but they're not going to be
> > merged.)
> > 
> > Finish and submit patch to Samba, then add libwbclient mode either
> > later on in 3.0.x or more likely to 3.1.x, due to the timescales
> > of the Samba release.
> I thought we were going for all approaches anyway - libwbclient method,
> ntlm_auth helper mode etc etc.

That was my idea and code, but Alan and Arran suggested in the PR
to not have too many choices.

I'm inclined to agree that eventually just authenticating via
libwbclient is probably the right way to go (though some people
might want the option to exec, if they're doing something esoteric
or not with Samba). The question for me is the transition
period, and the fact people are having auth issues now.

>                                I would just go for 3.0.x now anyway
> (I think Alan would say there's no choice, 2.x has no new features....)
> that MIGHT match the timescales for some distros anyway - and if there
> can be a run-time check for libwbclient thread-safe then it can use the
> feature.

It's a build test - essentially whether wbcCtxAuthenticateUserEx
exists in the library or not. I guess it could be done at runtime,
but that gets a bit messy.

Recompiling FreeRADIUS is quick and easy. Recompiling Samba takes
a significant amount of time and is IMO a much bigger task. Hence
using a distribution version is easier.

> the other small performance tweak is to get the privileged file off disk - use 
> tmpfs/ramdisk for the file (particularly in VMs!!)

Can't see that moving the privilege socket to tmpfs is likely to
help much - it's only a socket?

However, moving winbind's netsamlogon cache to tmpfs may help - we
really don't care about uid mapping for this functionality, and
there is no point winbind performing IO for each auth to keep a
record of the uid numbers. But I've not dug into that enough yet
to see if anything can or ought to be done, only that the files in
/var/cache/samba are being continuously updated with Samba 3.6.



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
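
Added example (not part of the original message, and not FreeRADIUS or Samba code): the run-time alternative to the build test discussed above, probing libwbclient for wbcCtxAuthenticateUserEx with dlopen/dlsym and falling back to exec'ing ntlm_auth when it is absent. The soname libwbclient.so.0 and the helper names are assumptions; on older glibc, link with -ldl.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Outcome of looking for one exported symbol in a shared library. */
enum probe_result { PROBE_NO_LIBRARY = -1, PROBE_MISSING = 0, PROBE_PRESENT = 1 };

/* soname == NULL probes the symbols already loaded into this process. */
static enum probe_result probe_symbol(const char *soname, const char *symbol)
{
    void *handle = dlopen(soname, RTLD_LAZY | RTLD_LOCAL);
    if (handle == NULL)
        return PROBE_NO_LIBRARY;

    dlerror();                      /* clear any stale error state */
    (void)dlsym(handle, symbol);
    /* A NULL return from dlsym is ambiguous, so test dlerror() instead. */
    enum probe_result result = dlerror() ? PROBE_MISSING : PROBE_PRESENT;

    dlclose(handle);
    return result;
}

/*
 * Hypothetical policy helper: use the in-process libwbclient path only when
 * the context-taking call exists; otherwise keep exec'ing ntlm_auth.
 * A real module would keep the handle open and call through a typed
 * function pointer, which is the part that makes the run-time route messy.
 */
static int can_use_libwbclient(const char *soname)
{
    return probe_symbol(soname, "wbcCtxAuthenticateUserEx") == PROBE_PRESENT;
}

int main(void)
{
    const char *soname = "libwbclient.so.0";    /* assumed soname */

    printf("auth backend: %s\n",
           can_use_libwbclient(soname) ? "libwbclient" : "ntlm_auth exec");
    return 0;
}
```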
