Performance Problems ntlm_auth <-> Active Directory under heavy load

Matthew Newton mcn4 at leicester.ac.uk
Thu Mar 19 12:22:59 CET 2015


On Thu, Mar 19, 2015 at 09:27:12AM +0000, tom greisch wrote:
> Yesterday i have compiled Freeradius 2.2.6 and configured for
> ntlm_auth against an Active Directory. Everything seems ok.
> After testing i have redirected our WLAN Controller (with
> thousands of Clients) to the new Radius Server and the Server
> was overloaded immediately. 

We have thousands of clients - but that's not the issue; its the
number of authentications per second that you need to watch.
Current limit is more than around 30 auths/second and you'll
probably hit issues.


> So i activated the Logging for Samba an i got this:
> ----------------------------------------------------
> [2015/03/18 16:59:50.848834,  0] ../source3/lib/util.c:896(log_stack_trace)
> BACKTRACE: 21 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f60a79bb2ca]
...
> smb_panic(): action returned status 0
> [2015/03/18 16:59:50.860457,  0] ../source3/lib/dumpcore.c:317(dump_core)
> dumping core in /var/log/samba/cores/winbindd---------------------------------------------------------------------------------
> 
> 
> At this Point its clear, that it is not a Freeradius Problem. Its a Samba Problem!

No, the usual case is a FreeRADIUS problem. At least, in the way
people authenticate against Samba, not in the FreeRADIUS code
itself.

Looks to me like you may have hit a different bug in winbind.  Try
running ntlm_auth from the command line and see if it gives the
same problem.


> I am lucky because i found a BUG Report at the Samba Site released onyl few Days ago 
> (2015-03-10). The Problem persists for more than one Year.
> The BUG is: https://bugzilla.samba.org/show_bug.cgi?id=11149

That is my bug report. It has nothing to do with the ntlm_auth
binary.


> The Bug Report says that you have to start Freeradius with the
> "-t" Option to disable Threads because Samba 4.1.X is not able
> to handle threads. So we have to hope that samba 4.2 will fix
> the Problem.

No, it doesn't say that, and you shouldn't do that. It will kill
performance. Use ntlm_auth if you can't use the new patches (which
aren't released yet anyway).


> Until that, i decided to clone the Radius Server twice , start
> with "-t" Flag and set a "Freeradius Loadbalancer" bevor the
> "Worker Radius Server". Now i can handle the Load !

If you can run three separate FreeRADIUS instances in non-threaded
mode, you should easily be able to run one in threaded mode with
ntlm_auth.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list