ntlm_auth improvements

Matthew Newton mcn4 at leicester.ac.uk
Tue Feb 24 00:35:25 CET 2015


On Fri, Feb 20, 2015 at 11:44:14AM +0000, Phil Mayers wrote:
> On 20/02/15 01:00, Matthew Newton wrote:
> >We normally hit problems when one RADIUS server gets to about 30
> >auths/second. This one has peaked at nearly 90 auths/second. This
> >is nice - it seems execing ntlm_auth really is the problem
> 
> That makes "sense" (for some values of sense...) based on our
> experience. It's crazy that fork/exec of such a small binary, which
> is bound to be in-cache, is so slow, but I'm assuming it's actually
> some setup that ntlm_auth does.

If you crank the winbind log level up to 5 or so, you can see the
ntlm_auth calls - there are two setup calls (version + priv
socket) before the auth. I can't imagine these, plus opening two
sockets, takes that long, but it's still much more than just
sending the authentication query over an already open socket.


> >Add ntlm_auth helper mode to 3.0.x now, which should be safe and
> >run on anything that has ntlm_auth. And will be, IMO, nearly as
> >fast as calling libwbclient directly. This should fix the AD auth
> 
> This sounds good.
...
> >Finish and submit patch to Samba, then add libwbclient mode either
> >later on in 3.0.x or more likely to 3.1.x, due to the timescales
> >of the Samba release.
> 
> Sounds good.

Alan and/or Arran, any thoughts on merging this? I think the main
thing to sort out is probably the config syntax, unless there's
some other way you'd prefer it done?

FWIW, I finished the Samba patch over the weekend so they have
that for review. I'm expecting I've done something not quite
right, but hopefully it'll be mostly acceptable. Just not sure
what timescales Samba work to and whether it will be able to hit
4.2 or have to wait for 4.3, which I guess could be a while off.

Going forward, all the password-change stuff is in libwbclient as
well, so it looks like ntlm_auth could be ditched entirely, but
again needs the libwbclient Samba patch to be thread-safe.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
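
The cost difference discussed in this message, measured with an added example (not code from this thread, FreeRADIUS or Samba): a fresh helper process per request versus one long-lived helper fed over an already open pipe. The helper is a constructed stand-in written in Python, not ntlm_auth, and the function names are hypothetical.

```python
import subprocess
import sys
import time

# Stand-in helper (constructed, NOT ntlm_auth): one reply line per request line.
HELPER = (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    sys.stdout.write('OK ' + line)\n"
    "    sys.stdout.flush()\n"
)
CMD = [sys.executable, "-c", HELPER]

def auth_by_exec(requests):
    """Fork/exec a new helper for every request, paying startup cost each time."""
    replies = []
    for req in requests:
        done = subprocess.run(CMD, input=req + "\n", capture_output=True,
                              text=True, check=True)
        replies.append(done.stdout.strip())
    return replies

def auth_by_persistent_helper(requests):
    """Start the helper once and reuse its pipes for every request."""
    proc = subprocess.Popen(CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)
    replies = []
    try:
        for req in requests:
            proc.stdin.write(req + "\n")
            proc.stdin.flush()
            replies.append(proc.stdout.readline().strip())
    finally:
        proc.stdin.close()  # EOF ends the helper's read loop
        proc.wait()
    return replies

def rate(fn, requests):
    """Return (replies, requests handled per second) for one strategy."""
    start = time.perf_counter()
    replies = fn(requests)
    return replies, len(requests) / (time.perf_counter() - start)

if __name__ == "__main__":
    reqs = [f"user{i}" for i in range(50)]  # constructed sample requests
    for fn in (auth_by_exec, auth_by_persistent_helper):
        _, per_sec = rate(fn, reqs)
        print(f"{fn.__name__}: {per_sec:.0f} requests/second")
```
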

