trying to correctly handle account passwords via ldap

Alan DeKok aland at ox.org
Tue Mar 28 23:36:26 GMT 2006


Andrew Bartlett <abartlet at samba.org> wrote:
> The --helper-protocol=ntlm-server-1 was designed to avoid the need to
> keep forking, and run a long-term conversation.  Unfortunately I think
> it has some memory leaks, but these could be addressed, if there is a
> suitable user.

  FreeRADIUS.  There are currently deployments with 10^5 users or more
using ntlm_auth, and forking for every request.  With modern hardware
it's not a serious problem, but it's one more thing to manage.

> The use of winbindd ensures that there is no wasted network traffic as
> multiple authentications occur.  The network setup cost for NETLOGON is
> far higher than the cost of a fork().
> 
> Which cost are you trying to reduce?

  Ideally, administration.  When an authenticator needs access to AD,
the admin doesn't want to install and configure yet another program.
An ideal library API would be:

  open_path_to_ad(args)
  authenticate(user, args, ...)
  close_path_to_ad()

  So the authenticator program could control *all* of the information
needed to contact the AD server.  The authenticator could just treat
AD as another "oracle" back-end, where it passes user credentials, and
gets returned OK/FAIL.

  ntlm_auth supplies all of this from a functional perspective, but to
use it you have to configure the authenticator to use ntlm_auth, the
ntlm_auth command-line arguments, winbindd, maybe smbd & nmbd.
That's a lot of overhead to say "is this mschap stuff OK?"

  Alan DeKok.
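The long-lived helper conversation Andrew refers to, as an added example (not code from this thread, from Samba or from FreeRADIUS): request framing and response parsing for the ntlm-server-1 protocol, driven over a single long-running ntlm_auth process rather than a fork() per request. The attribute names (Username, NT-Domain, Password, LANMAN-Challenge, NT-Response, Authenticated, Authentication-Error, the lone "." terminator) are my reading of the ntlm_auth helper protocol and are an assumption of this example; the sample values in the tests are constructed.

```python
import subprocess

# Attribute names are my reading of the ntlm-server-1 helper protocol (assumed).

def build_request(username, domain, password=None, challenge=None, nt_response=None):
    """Frame one request: 'Key: value' lines, terminated by a lone '.' line."""
    if any("\n" in v for v in (username, domain, password or "")):
        raise ValueError("newline in an attribute would break the framing")
    lines = [f"Username: {username}", f"NT-Domain: {domain}"]
    if password is not None:
        lines.append(f"Password: {password}")                  # plaintext check
    elif challenge is not None and nt_response is not None:
        lines.append(f"LANMAN-Challenge: {challenge.hex()}")   # MS-CHAP style
        lines.append(f"NT-Response: {nt_response.hex()}")
    else:
        raise ValueError("need a password or challenge + nt_response")
    lines.append(".")
    return "\n".join(lines) + "\n"

def parse_response(text):
    """Read 'Key: value' lines up to the first lone '.' line."""
    result = {"authenticated": False, "error": None}
    for line in text.splitlines():
        if line == ".":
            break
        key, _, value = line.partition(": ")
        if key == "Authenticated":
            result["authenticated"] = (value == "Yes")
        elif key in ("Error", "Authentication-Error"):
            result["error"] = value
    return result

class NtlmAuthHelper:
    """One long-running ntlm_auth process instead of a fork() per request."""
    def __init__(self, binary="ntlm_auth"):
        self.proc = subprocess.Popen([binary, "--helper-protocol=ntlm-server-1"],
                                     stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    def authenticate(self, username, domain, **kw):
        self.proc.stdin.write(build_request(username, domain, **kw))
        self.proc.stdin.flush()
        reply = []
        for line in self.proc.stdout:          # read until the '.' terminator
            reply.append(line)
            if line.rstrip("\n") == ".":
                break
        return parse_response("".join(reply))
    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
```

The framing and parsing functions run offline; NtlmAuthHelper needs an ntlm_auth binary and a working winbindd behind it.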
