[Samba] Multi-process Netlogon support

mathias dufresne infractory at gmail.com
Thu Feb 23 09:38:14 UTC 2017


Hi Andrew,

Thank you for this detailed answer. Sorry to not have replied earlier, I
just missed that mail.

Cheers,

mathias

2017-02-16 19:06 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:

> On Thu, 2017-02-16 at 14:47 +0100, mathias dufresne wrote:
> > Hi all,
> >
> > A small question about:
> > Multi-process Netlogon support
> > ------------------------------
> >
> > The Netlogon server in the Samba AD DC can now run as multiple
> > processes.  The Netlogon server is a part of the AD DC that handles
> > NTLM authentication on behalf of domain members, including file
> > servers, NTLM-authenticated web servers and 802.1x gateways.  The
> > previous restriction to running as a single process has been removed,
> > and it will now run in the same process model as the rest of the
> > 'samba' binary.
> >
> > Does this mean all Samba parts are now multi-process-able? I tried months
> > ago to authenticate users through Kerberos using a script run on several
> > client machines (using kinit) and at that moment even with several clients
> > pushing auth requests to AD (always the very same DC as a target) was
> > consuming only one CPU core. This behaviour is supposed to be changed too?
>
> No, at this point the KDC is still a single task.
>
> > If yes, do we have to start samba with -M thread to take advantage of
> > this?
>
> No, but the NETLOGON server will follow whatever you specify in -M so
> the default of 'standard' will make it fork one process per incoming
> connection.  That is, no change is needed to obtain the advantage for
> NETLOGON.
>
> We realise that we need more of Samba than just the NETLOGON and SMB
> servers to be multi-process, but neither is the standard (fork() per
> connection) the right thing for one-packet tasks like krb5 or DNS.  It
> is even a poor choice for LDAP, as the degenerate case of 'ldap
> authentication' pays the full fork() cost for just a few packets of
> work.
>
> Therefore I plan to revive the prefork process model (worker
> processes).  However this turned out to be more work than I expected,
> so has been delayed, but Samba 4.7 should see some further improvements
> in this area.
>
> In the meantime my team at Catalyst will be developing a tool to
> simulate network loads, and we will shortly be calling for volunteers
> to run a trace tool on their networks to help us understand what a
> real-world load looks like, so we can optimise for that.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

