can I let all winbindd processes accept connections like nginx does

Tom sambalearn at 163.com
Tue Dec 10 23:56:49 MST 2013


At 2013-12-11 06:00:37,"Volker Lendecke" <Volker.Lendecke at SerNet.DE> wrote:

>On Tue, Dec 10, 2013 at 08:04:18PM +0800, Tom wrote:
>> I want to do this because I'm doing NTLM authentication using winbindd and I found winbindd's performance doesn't meet my requirement.
>> I expect more than 1000 authentication transactions per second.
>
>You will probably have a hard time to find a domain
>controller to do that amount of load. We are working right
>now to distribute the load across multiple DCs, so this
>bottleneck should be removed at some point.
>
>We believe that with the current architecture we could
>scale, we believe the bottleneck is the DCs. Possibly we
>need some careful performance tuning though. For that we
>would need some powerful close to real world setup that we
>could test against and, the most scarce resource
>unfortunately, some time to do that work.
>


Hi Volker,
Really appreciate your help!

What I have done is write an asynchronous winbindd client that sends WINBINDD_PAM_AUTH_CRAP to winbindd to do NTLM auth.
I also implemented a domain socket connection pool in my client and keep long connections to winbindd, so I can do single-request-response on these connections.
I configured 20 winbindd processes (max domain connections).
I found the max number of NTLM authentications that winbindd can handle per second is about 300, on average 200.
I tuned my connection pool size from 500 connections to 1000 connections, but I found there is almost no difference.
The latency between winbindd and the DC is small; a DCERPC Request/Response takes 0.001ms (wireshark).
The DC runs on WinServer 2008 and CPU (Intel Xeon E5645 2.4G) usage is 60% on average, 90% maximum; 4GB of memory is still available.
In my scenario, since the DC is not one hundred percent busy, the DC does not seem to be the bottleneck; winbindd is.

So, do you think I'm using winbindd in the right way?
Since you said the DC is the bottleneck, then in your experience, generally how many NTLM authentications can winbindd handle per second, and what's the expected performance? (300/s seems small....)
And what's the best practice for doing high-performance NTLM authentication?

Besides, I googled a lot and found a parameter, MaxConcurrentApi, which is used by Windows to enlarge the security channel,
but it seems winbindd isn't affected by it?

Thanks a lot. :)

Tom.

