Samba PDC as a password server

Luke Kenneth Casson Leighton lkcl at regent.push.net
Thu Apr 30 13:01:55 GMT 1998


> This brings up another question/problem.  I assume this setup would use
> PAM_NTDOM somehow, right?

uh... dunno.  

> Has anyone tried it with a really large passwd file?  I'm extremely cautious
> of PAM right now.

i'm cc'ing your message to the pam list, because this issue has just been
raised there: your experiences, dana, will be useful feedback, and i am
sure that someone on the pam list will let you (us) know if any
performance improvements in pam_pwdb (or other) have been made.

>  When I first
> installed Linux on our systems, I didn't notice that PAM authentication with
> pam_pwdb took well over a second
> to validate a user (our password file is over 2000 users). This may not seem
> like long, but we service about 50-80
> POP3 connections per minute.  As you can guess, the system bogged down to a
> halt within about 15 minutes.
> Switching to pam_unix_* more or less fixed the problem, but it's still not
> as fast as a POP server compiled without
> PAM support.  (I'm certainly open to the possibility that this might be a
> configuration error, but RedHat had no
> suggestions, either.)  My concern is that if PAM_NTDOM isn't lightning-fast,

do you consider 12-15 packet exchanges totalling about 10k of network
traffic just to verify one user to be "lightning fast", regardless of the
system it is implemented on (samba or NT)?

because this is what happens.  the LsaSamLogon response alone can be
anything between 500 and 800 bytes, and the rest of the traffic is just to
establish "common ground" etc.



More information about the samba-ntdom mailing list