samba - Apr 2005 - Multiple Samba installations on one Solaris 8 machine

Hi!

We use the Winbind part of Samba 3 for authenticating users coming
from the Squid Caching Server via NTLM with an NT4 domain. We have
seven Squid instances and one Winbind instance running on a Sun Fire
V480 with 4 cpu?s.

We have some performance problems with approx. 10.000 User
simultaniously users surfing the web and we think Winbind is the
problem. While using the transparent authentication sometimes an
inputbox comes up and asks the user to authenticate instead of doing
this transparent.

Is there any possibility to install Samba/Winbind more than one time
to spread the load on Winbind? What about the computer account needed
with the NT4 domain? Can all installed Samba instances use one
computer account for authenticating themselves to the NT4 domain?

Thanks for helping.

Thomas

On Wed, 2005-04-06 at 11:22 +0200, Thomas Mainzer wrote:
> Hi!
> 
> We use the Winbind part of Samba 3 for authenticating users coming
> from the Squid Caching Server via NTLM with an NT4 domain. We have
> seven Squid instances and one Winbind instance running on a Sun Fire
> V480 with 4 cpu?s.
> 
> We have some performance problems with approx. 10.000 User
> simultaniously users surfing the web and we think Winbind is the
> problem. While using the transparent authentication sometimes an
> inputbox comes up and asks the user to authenticate instead of doing
> this transparent.
Have you traced to see if the error is Samba failing, or simply the link
between Squid and the windows client failing?
> Is there any possibility to install Samba/Winbind more than one time
> to spread the load on Winbind? What about the computer account needed
> with the NT4 domain? Can all installed Samba instances use one
> computer account for authenticating themselves to the NT4 domain?
It is not really possible to setup multiple copies of winbind on a
single machine, aside from a chroot(), because of the socket in /tmp.

However, winbind can be made better - I looked into the idea of having
multiple outstanding requests to the NT DC, using Samba4 as a research
tool.  This does not seem possible at this point, but we do need to keep
looking at it.  Perhaps this is why microsoft demands that their NTLM
proxy server be a BDC... (or so I understand).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20050410/49fbe9d4/attachment.bin

Hello Andrew,

On Apr 10, 2005 9:50 AM, Andrew Bartlett <abartlet@samba.org>
wrote:
> On Wed, 2005-04-06 at 11:22 +0200, Thomas Mainzer wrote:
> > Hi!
> >
> > We use the Winbind part of Samba 3 for authenticating users coming
> > from the Squid Caching Server via NTLM with an NT4 domain. We have
> > seven Squid instances and one Winbind instance running on a Sun Fire
> > V480 with 4 cpu?s.
> >
> > We have some performance problems with approx. 10.000 User
> > simultaniously users surfing the web and we think Winbind is the
> > problem. While using the transparent authentication sometimes an
> > inputbox comes up and asks the user to authenticate instead of doing
> > this transparent.
> 
> Have you traced to see if the error is Samba failing, or simply the link
> between Squid and the windows client failing?
> 
We tried Samba 2 before. When such an event occured the helpers were
crashing very rapidly and Squid used to terminate abnormally and
started again.
> > Is there any possibility to install Samba/Winbind more than one time
> > to spread the load on Winbind? What about the computer account needed
> > with the NT4 domain? Can all installed Samba instances use one
> > computer account for authenticating themselves to the NT4 domain?
> 
> It is not really possible to setup multiple copies of winbind on a
> single machine, aside from a chroot(), because of the socket in /tmp.
> 
> However, winbind can be made better - I looked into the idea of having
> multiple outstanding requests to the NT DC, using Samba4 as a research
> tool.  This does not seem possible at this point, but we do need to keep
> looking at it.  Perhaps this is why microsoft demands that their NTLM
> proxy server be a BDC... (or so I understand).
What about the computer account that is needed for each Samba
installation? Is it possible to use one single computer account for
multiple Samba instances? Is it possible, that all Samba installations
share one "secrets.tdb"? We made multiple installations of winbind
possible after compiling a unique socket path in every instance.
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net
> 
> 
> 
Thanks in advance

Thomas


----------------------------------
An Apple a day keeps Windows away!