can I let all winbindd processes accept connections like nginx does

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Dec 12 04:15:15 MST 2013

On Thu, Dec 12, 2013 at 10:08:31AM +0800, Tom wrote:
> What I have done is, I write an asynchronous winbindd client sending WINBINDD_PAM_AUTH_CRAP to winbindd to do NTLM auth.
> I also implement a domain socket connection pool in my client and keep long connections to winbindd, so I can do single-request-response on these connections.

Ok, great. The protocol does not allow multiplexing

> I configure 20 winbindd processes (max domain connections).
> I find the max number of NTLM authentications that winbindd can handle per second is about 300, on average 200.
> I tuned my connection pool size from 500 connections to 1000 connections, but I find there is almost no difference.
> The latency between winbindd and DC is small, DCERPC Request/Response takes 0.001ms (wireshark).
> DC runs on WinServer 2008 and CPU (Intel Xeon E5645 2.4G) usage is 60% on average, 90% maximum, memory is still 4GB available.
> In my scenario, since DC is not one hundred percent busy, DC seems not the bottleneck, winbindd is.
> So, do you think I'm using winbindd in a right way?

Yes, this sounds very correct :-)

> Since you said DC is bottleneck, then in your experience,
> generally how many NTLM authentications that winbindd can
> handle per second, what's the expected performance? (seems
> 300/s is small....)

I tried to express that I *suspect* the DC to be the

> and 
> What's the best practice to do high performance NTLM authentication ?

Do exactly what you do and try to find the bottlenecks.

So, where next? We need to find out what limits you. Classic
performance tuning means a lot of measurements. Plain "top"
and "strace -ttT" are the start for me. Does the parent
winbind max out the CPU for example? Does it properly use
epoll and not poll? How busy are the child winbind processes
wrt syscalls and CPU as shown in top? Can you try running
perf on those individual processes that turn out to be a

These are the questions that come to my mind directly when I
was to dig into this problem on the box itself.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
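
The measurement step suggested in the mail (run "strace -ttT" on the parent winbindd, see where its time goes and whether it waits in epoll or poll), as an added example that is not part of the original message or of Samba. The trace lines are constructed, and reading a high wait share as "this process is idle, look elsewhere" is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -ttT -p <pid>` output for a hypothetical
# winbindd parent process; not captured from a real system.
SAMPLE_TRACE = """\
10:15:01.000100 epoll_wait(7, [{EPOLLIN, {u32=12, u64=12}}], 1, 30000) = 1 <0.004210>
10:15:01.004400 read(12, "..."..., 2096) = 2096 <0.000015>
10:15:01.004500 writev(21, [{"..."..., 2096}], 1) = 2096 <0.000022>
10:15:01.004600 epoll_wait(7, [{EPOLLIN, {u32=21, u64=21}}], 1, 30000) = 1 <0.002950>
10:15:01.007600 read(21, "..."..., 3496) = 3496 <0.000018>
10:15:01.007700 write(12, "..."..., 3496) = 3496 <0.000020>
10:15:01.007800 poll([{fd=12, events=POLLIN}], 1, 0) = 0 (Timeout) <0.000009>
"""

# Optional pid prefix (strace -f), wall-clock timestamp (-tt), syscall name,
# and the time spent inside the call in angle brackets (-T).
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?\d{2}:\d{2}:\d{2}\.\d+\s+(\w+)\(.*<(\d+\.\d+)>\s*$"
)
WAIT_CALLS = {"epoll_wait", "epoll_pwait", "poll", "ppoll", "select", "pselect6"}


def summarize(trace):
    """Return {syscall: (count, total_seconds)}; unparsable lines are skipped."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:  # "<unfinished ...>" / "resumed" fragments do not match
            entry = stats[m.group(1)]
            entry[0] += 1
            entry[1] += float(m.group(2))
    return {name: (c, t) for name, (c, t) in stats.items()}


def wait_fraction(stats):
    """Share of in-syscall time spent blocked waiting for events."""
    total = sum(t for _, t in stats.values())
    waiting = sum(t for name, (_, t) in stats.items() if name in WAIT_CALLS)
    return waiting / total if total else 0.0


def wait_calls_used(stats):
    """Which event-wait syscalls appear, to tell epoll from poll/select."""
    return {name: stats[name][0] for name in stats if name in WAIT_CALLS}


if __name__ == "__main__":
    stats = summarize(SAMPLE_TRACE)
    for name, (count, secs) in sorted(stats.items(), key=lambda kv: -kv[1][1]):
        print(f"{name:12s} calls={count:4d} time={secs:.6f}s")
    print("wait share:", round(wait_fraction(stats), 3), wait_calls_used(stats))
```

A wait share near 1.0 means the traced process spends its syscall time blocked for events; compare it with the CPU column in top before drawing conclusions, since -T measures time inside syscalls only.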
