[Samba] optimizing and scaling ntlm_auth

Louis Munro lmunro at inverse.ca
Mon Sep 8 10:11:05 MDT 2014


I am using ntlm_auth called from FreeRADIUS to authenticate users on a network with their Active Directory credentials.
The problem I seem to be having is that ntlm_auth is taking longer than it should and I can't seem to get it to go faster reliably.

Some background information:

Users are connecting to a wireless network using 802.1x.
That network sends requests to FreeRADIUS which forks an ntlm_auth process to authenticate users against AD.
ntlm_auth is called with the username and challenge contained in the radius request along with the nt-response and the domain, as in:

ntlm_auth --username=$USERNAME --challenge=$CHALLENGE --nt-response=$NT-RESPONSE --domain=$DOMAIN

An authentication is successful if ntlm_auth returns 0.

Since I had error messages in the logs pointing to requests timing out on ntlm_auth I wrote a short C wrapper around ntlm_auth to log the time it takes to return (as well as the username and domain).
That showed that while most (~90%) authentications succeed in less than 25ms, about 10% take longer than 100ms with some taking as much as a few seconds (2-4s).

So I increased winbind max domain connections on the (linux) server while also raising the MaxConcurrentApi on the DC.
I now see 39 connections open to the DC from winbind (that number fluctuates).
And yet the problem remains.

What's more, it seems winbind is only or mostly using one out of those 39 connections to the DC.
When I trace the processes using strace, only the first child of winbind seems to be sending any request.
All the others are idle.

Can anyone shed some light on how winbind manages its connections to the DC?
Has anyone else encountered this problem? Any recommendations for scaling ntlm_auth?

Here's my smb.conf file. The server is running RHEL 6.4 with winbind 3.6.9.

workgroup = UUULOCAL
server string = %h
interfaces =
security = ADS
passdb backend = tdbsam
realm = UUU.LOCAL
encrypt passwords = yes
winbind use default domain = yes
client NTLMv2 auth = yes
preferred master = no
load printers = no
cups options = raw
winbind max clients = 750
winbind offline logon = false
winbind max domain connections = 50
password server = uuu-dc04.usd.local, uuu-dc05.usd.local, uuu-dc02.usd.local, uuu-dc03.usd.local, uuu-dc06.usd.local, *
log level = 1 winbind:5 auth:3

Best regards,
Louis Munro
lmunro at inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
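A wrapper of the kind the post describes, as an added example rather than the poster's own code: it times each ntlm_auth call, logs username, domain, result and elapsed milliseconds to syslog, and hands ntlm_auth's exit status back to FreeRADIUS unchanged. The path of the real binary (REAL_NTLM_AUTH) and the 100 ms threshold that promotes a log line to warning level are assumptions.

```c
/* ntlm_auth timing wrapper (added example, not the poster's code): execs the
 * real binary (REAL_NTLM_AUTH is an assumed path) with FreeRADIUS's arguments,
 * logs user, domain, result and milliseconds, and returns ntlm_auth's status. */
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>

#define REAL_NTLM_AUTH "/usr/bin/ntlm_auth.real"  /* assumed install path */
/* Value of "--name=value" in argv (e.g. username or domain), or "-" if absent. */
const char *opt_value(int argc, char **argv, const char *name)
{
    size_t n = strlen(name);
    for (int i = 1; i < argc; i++)
        if (strncmp(argv[i], name, n) == 0 && argv[i][n] == '=')
            return argv[i] + n + 1;
    return "-";
}
/* Difference between two CLOCK_MONOTONIC timestamps, in milliseconds. */
long elapsed_ms(const struct timespec *a, const struct timespec *b)
{
    return (b->tv_sec - a->tv_sec) * 1000L + (b->tv_nsec - a->tv_nsec) / 1000000L;
}
/* Fork/exec `path` with argv (argv[0] replaced in the child), wait for it and
 * store the wall-clock time in *ms. Returns the exit status, 127 on exec failure/signal. */
int run_timed(const char *path, char **argv, long *ms)
{
    struct timespec t0, t1; int status = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    pid_t pid = fork();
    if (pid < 0) return 127;
    if (pid == 0) {
        argv[0] = (char *)path;
        execv(path, argv);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return 127;
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *ms = elapsed_ms(&t0, &t1);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 127;
}
int main(int argc, char **argv)
{
    long ms = 0;
    int rc = run_timed(REAL_NTLM_AUTH, argv, &ms);   /* 0 = accepted by winbind */
    openlog("ntlm_auth_wrap", LOG_PID, LOG_AUTH);    /* 100 ms: assumed "slow" threshold */
    syslog(ms > 100 ? LOG_WARNING : LOG_INFO, "user=%s domain=%s rc=%d ms=%ld",
           opt_value(argc, argv, "--username"), opt_value(argc, argv, "--domain"), rc, ms);
    return rc;                            /* FreeRADIUS treats exit status 0 as success */
}
```

Installed under the name FreeRADIUS invokes, with the genuine ntlm_auth moved to REAL_NTLM_AUTH, the resulting log lines give the per-call latency distribution (the ~90% under 25 ms vs. the slow tail) without changing the authentication result.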
