ntlm_auth improvements

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 20 12:44:14 CET 2015

On 20/02/15 01:00, Matthew Newton wrote:
> Hi,
> Just opening up for a bit of discussion on the best way to proceed
> with the ntlm_auth improvements I've been hacking around on.
> I've just been testing using libwbclient from FreeRADIUS. One
> RADIUS server has held up our entire wireless infrastructure for a
> couple of days, over all student movements between lectures,
> without a single complaint from the Cisco controllers about RADIUS
> timeouts.
> We normally hit problems when one RADIUS server gets to about 30
> auths/second. This one has peaked at nearly 90 auths/second. This
> is nice - it seems execing ntlm_auth really is the problem

That makes "sense" (for some values of sense...) based on our 
experience. It's crazy that fork/exec of such a small binary, which is 
bound to be in-cache, is so slow, but I'm assuming it's actually some 
setup that ntlm_auth does.

> Add ntlm_auth helper mode to 3.0.x now, which should be safe and
> run on anything that has ntlm_auth. And will be, IMO, nearly as
> fast as calling libwbclient directly. This should fix the AD auth

This sounds good.

> issues for anyone with FR3. (I'm happy to provide patches as-is
> for Samba and FR2 for any that want, but they're not going to be
> merged.)
> Finish and submit patch to Samba, then add libwbclient mode either
> later on in 3.0.x or more likely to 3.1.x, due to the timescales
> of the Samba release.

Sounds good.

More information about the Freeradius-Devel mailing list