few questions on winbindd-ntlm_auth interface

Andrew Bartlett abartlet at samba.org
Tue Jun 15 20:13:40 MDT 2010

On Tue, 2010-06-08 at 11:27 -0700, kiran kumar wrote:
> Few questions on winbindd architecture in Samba-ver: 3.4.4/source3.
> Our setup has a Squid-Proxy configured to do 'NTLM Authentication'
> using ntlm_auth and winbindd from Samba-3.4.4. Functionally this works
> but I'm concerned about its scalability. To be precise, how many
> instances of "ntlm_auth" should I launch in a setup of 1000 Users all
> belonging to single domain?

It depends not on the number of users, but on the number of concurrent

> From what I could comprehend, Squid pins an instance of 'ntlm_auth'
> helper to one user authentication at a time. I think part of this
> limitation is due to 'winbindd' being capable of handling one request
> from a single helper at a time? Is this correct or can winbindd handle
> new auth-requests from a helper before sending a reply to earlier
> requests?

I'm pretty sure that Winbind can do this all async now, but if not, then
only the authenticate packet needs to be blocking, not the full 3-leg
process.  That's why you can set up multiple ntlm_auth clients, and get
a useful benefit. 

> If my understanding is right then, to support 200 authentication
> sessions at a time, I may have to launch 200 instances of 'ntlm_auth'.
> I'm not sure if our system can support this many instances. Let's say
> we do it, internally winbindd spawns a child process to talk to
> domain-controller. Can winbindd main thread send multiple
> auth-requests to this winbind-child controller, without waiting for
> response?

It will just queue things up internally if it can't, so that's harmless.
Do you really have 200 concurrent authentications, or 200 concurrent
users?  Remember, the authentication only happens at the start of the
HTTP session (not per-request), as long as the pipelining works out. 

> I'm trying to understand which all modules I may have to change, to
> launch few "ntlm_auth" instances (say 10) but support 200 simultaneous
> authentication sessions. Please suggest if there's a way to meet this
> requirement.
> BTW, we are using Squid-version 3.0.Stable-19

Have you had problems, or are you just speculating?  It should just be a
matter of increasing the helper child count in the squid config.

Andrew Bartlett

More information about the samba-technical mailing list
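
An added example, not part of the original message and not Samba or Squid code: a small FIFO model of a helper pool, showing why the helper count tracks concurrent handshakes rather than the number of users. The function name, the 50 ms hold time and the arrival patterns are constructed assumptions, and the model assumes one helper is held for the whole handshake of each new connection.

```python
import heapq


def simulate_helper_pool(arrivals_ms, hold_ms, helpers):
    """Model a pool of ntlm_auth helpers serving NTLM handshakes in FIFO order.

    arrivals_ms: sorted start times (ms) of handshakes, one per NEW connection
                 (authentication is per connection, not per HTTP request).
    hold_ms:     how long one handshake keeps a helper reserved (assumed value).
    helpers:     number of helper processes in the pool.
    Returns (max_wait_ms, peak_busy).
    """
    free_at = [0] * helpers            # min-heap: when each helper becomes free
    heapq.heapify(free_at)
    in_progress = []                   # min-heap: end times of running handshakes
    max_wait = 0
    peak_busy = 0
    for t in arrivals_ms:
        earliest = heapq.heappop(free_at)
        start = max(t, earliest)       # queue if every helper is reserved
        end = start + hold_ms
        heapq.heappush(free_at, end)
        max_wait = max(max_wait, start - t)
        # Drop handshakes that finished before this one starts.
        while in_progress and in_progress[0] <= start:
            heapq.heappop(in_progress)
        heapq.heappush(in_progress, end)
        peak_busy = max(peak_busy, len(in_progress))
    return max_wait, peak_busy


# Constructed scenarios for 200 users, each opening one connection.
HOLD_MS = 50                                   # assumed handshake hold time
SPREAD = [i * 300 for i in range(200)]         # logins spread over one minute
BURST = [0] * 200                              # everyone reconnects at once

if __name__ == "__main__":
    for name, arrivals in (("spread", SPREAD), ("burst", BURST)):
        wait, busy = simulate_helper_pool(arrivals, HOLD_MS, helpers=10)
        print(f"{name}: max wait {wait} ms, peak busy helpers {busy}")
```

With these constructed numbers, 10 helpers never queue when logins are spread out, and even a simultaneous burst of 200 handshakes drains in under a second.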