ntlm_auth improvements
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 20 12:44:14 CET 2015
On 20/02/15 01:00, Matthew Newton wrote:
> Hi,
>
> Just opening up for a bit of discussion on the best way to proceed
> with the ntlm_auth improvements I've been hacking around on.
>
> I've just been testing using libwbclient from FreeRADIUS. One
> RADIUS server has held up our entire wireless infrastructure for a
> couple of days, over all student movements between lectures,
> without a single complaint from the Cisco controllers about RADIUS
> timeouts.
>
> We normally hit problems when one RADIUS server gets to about 30
> auths/second. This one has peaked at nearly 90 auths/second. This
> is nice - it seems execing ntlm_auth really is the problem

That makes "sense" (for some values of sense...) based on our
experience. It's crazy that fork/exec of such a small binary, which is
bound to be in-cache, is so slow, but I'm assuming it's actually some
setup that ntlm_auth does.

> Add ntlm_auth helper mode to 3.0.x now, which should be safe and
> run on anything that has ntlm_auth. And will be, IMO, nearly as
> fast as calling libwbclient directly. This should fix the AD auth

This sounds good.

> issues for anyone with FR3. (I'm happy to provide patches as-is
> for Samba and FR2 for any that want, but they're not going to be
> merged.)
>
> Finish and submit patch to Samba, then add libwbclient mode either
> later on in 3.0.x or more likely to 3.1.x, due to the timescales
> of the Samba release.

Sounds good.