Running ntlm_auth as a connection pool

Alan DeKok aland at
Mon Sep 4 00:22:12 CEST 2017

On Sep 3, 2017, at 5:22 PM, Arnab Roy <arnabroy at> wrote:
>   So I took things apart today. I switched to using direct winbind on a
>   test machine... what a difference in performance, you can't even compare
>   the two methods' performance.

  That's to be expected.

>   To check where such high cost of performance comes from, I replaced ntlm
>   auth with a simple shell script which just echoed back the NT key and
>   another one directly calling the NTLM_AUTH, and the results were the same.
>   So it seems like the cost of calling an external binary from inside the
>   server is extremely high.

  It's always expensive to create sub-processes.  Especially if the server is trying to do 1000s of authentications per second.

>   So I went back to the friendly folks at samba and they kindly pointed
>   me to the section of the code responsible for obtaining the winbindd
>   path. I managed to recompile ntlm_auth and it works but it's pointless.


>   The file in question in samba is under nsswitch/wb_common.c
>   My question is: does freeradius use the same code as samba for the
>   client side communication?

  FreeRADIUS uses the Samba libraries to talk to winbindd.  If you recompile the Samba libraries, the server will use them.

>   Can it be tweaked and compiled to behave
>   similarly? That would solve my problems for now.

  Just have it use the recompiled Samba libraries.

  Alan DeKok.
