Hi Rowland,

The only thing I'm using is winbindd; the smbd and nmbd daemons are disabled.

However I have now found the bottleneck is because freeradius is calling the ntlm_auth binary and effectively forking out.

The guys at freeradius wrote a direct client libwbclient however there is no way of specifying the winbind privileged path using that method as it's hardcoded during compile time.

Why does samba hardcode this on all client applications is beyond my little knowledge :(

Many Thanks
Arnab

On 3 Sep 2017 12:48 pm, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Fri, 1 Sep 2017 23:30:53 +0100
> Arnab Roy <arniekol at gmail.com> wrote:
>
> > Hello Everyone,
> >
> > Thanks for your inputs I have followed what's here
> > https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> > Apart from the different location for the directories. I have added
> > the recommended options in samba.
>
> That howto seems to have been dated even when it was written and you
> haven't added all the 'recommended options'.
> The howto tells you to add these lines:
>
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
>
> These were marked as deprecated on 3.6 and you should be using lines
> like these:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
> Without these lines, winbind doesn't know who your users & groups are.
>
> Or are you using sssd ?
> If so, then Samba isn't doing authentication.
>
> Rowland
Andrew Bartlett
2017-Sep-03 22:06 UTC
[Samba] Advice on Winbindd and NTLM Auth Performance
On Sun, 2017-09-03 at 22:34 +0100, Arnab Roy via samba wrote:

> Hi Rowland,
>
> The only thing I'm using is winbindd; the smbd and nmbd daemons are
> disabled.
>
> However I have now found the bottleneck is because freeradius is
> calling the ntlm_auth binary and effectively forking out.
>
> The guys at freeradius wrote a direct client libwbclient however
> there is no way of specifying the winbind privileged path using that
> method as it's hardcoded during compile time.
>
> Why does samba hardcode this on all client applications is beyond my
> little knowledge :(

The libwbclient library is used in a privileged context (su, via pam_winbind) so we can't safely runtime configure it. If you want a different path, specify it at build time.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
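The reasoning in the reply above, as an added C example that is not Samba's code and not part of the thread: a client library that may be loaded into a set-uid program ignores a caller-supplied socket directory, and accepts any directory only when unprivileged users cannot have tampered with it. `WBC_SOCKET_DIR` and the default path are hypothetical names chosen for the illustration.

```c
/* Added illustration, not Samba source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder for a path fixed at build time. */
#define DEFAULT_SOCKET_DIR "/var/run/example/winbindd_privileged"

/* Trusted only if it is a real directory (lstat: a symlink is rejected),
 * owned by root or by us, and not writable by group or other. */
int dir_is_trusted(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* True when the process holds more privilege than its caller (a set-uid
 * or set-gid program such as su): the environment is untrusted input. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Returns the directory to use, or NULL when no trusted directory exists. */
const char *choose_socket_dir(const char *fallback)
{
    const char *env = getenv("WBC_SOCKET_DIR"); /* hypothetical override */
    if (env != NULL && !running_privileged() && dir_is_trusted(env))
        return env;
    return dir_is_trusted(fallback) ? fallback : NULL;
}

int main(void)
{
    const char *dir = choose_socket_dir(DEFAULT_SOCKET_DIR);
    printf("socket directory: %s\n", dir ? dir : "(none trusted)");
    return 0;
}
```
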
Yes sure somehow my mail client switched from a reply all.

On 3 Sep 2017 23:54, "Andrew Bartlett" <abartlet at samba.org> wrote:

On Sun, 2017-09-03 at 23:22 +0100, Arnab Roy wrote:

Hi Andrew,

G'Day,

Please keep replies on the list so others can also be part of the conversation.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Anyone on how to get libwbclient some kind of runtime parameter from smb conf?

On 3 Sep 2017 23:22, "Arnab Roy" <arniekol at gmail.com> wrote:

> Wouldn't it be nice if the end user had a choice. Why would it be unsafe
> considering all the info is in smb.conf and it just needs to read like all
> other samba processes like smbd or nmbd?
>
> The problem I have got here is that my radius needs to talk to multiple
> disjoint ad domains hence runs multiple winbind instances.
>
> Any chance you can point me to the code where the socket lookup happens in
> libwbclient? Maybe I just need to create a local patch.
>
> Thanks for your input thus far.
>
> Arnab
>
> On 3 Sep 2017 11:06 pm, "Andrew Bartlett" <abartlet at samba.org> wrote:
>
>> On Sun, 2017-09-03 at 22:34 +0100, Arnab Roy via samba wrote:
>> > Hi Rowland,
>> >
>> > The only thing I'm using is winbindd; the smbd and nmbd daemons are
>> > disabled.
>> >
>> > However I have now found the bottleneck is because freeradius is
>> > calling the ntlm_auth binary and effectively forking out.
>> >
>> > The guys at freeradius wrote a direct client libwbclient however
>> > there is no way of specifying the winbind privileged path using that
>> > method as it's hardcoded during compile time.
>> >
>> > Why does samba hardcode this on all client applications is beyond my
>> > little knowledge :(
>>
>> The libwbclient library is used in a privileged context (su, via
>> pam_winbind) so we can't safely runtime configure it. If you want a
>> different path, specify it at build time.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett
>> https://samba.org/~abartlet/
>> Authentication Developer, Samba Team https://samba.org
>> Samba Development and Support, Catalyst IT
>> https://catalyst.net.nz/services/samba
Hi,

I have not yet received the reason why libwbclient doesn't honour the paths mentioned in the smb.conf file. This is making my current deployment scenario unusable.

Can someone look at the source and post some comments on this?

Many Thanks
Arnab

On 4 Sep 2017 9:34 pm, "Arnab Roy" <arniekol at gmail.com> wrote:

> Anyone on how to get libwbclient some kind of runtime parameter from smb
> conf?
>
> On 3 Sep 2017 23:22, "Arnab Roy" <arniekol at gmail.com> wrote:
>
>> Wouldn't it be nice if the end user had a choice. Why would it be unsafe
>> considering all the info is in smb.conf and it just needs to read like all
>> other samba processes like smbd or nmbd?
>>
>> The problem I have got here is that my radius needs to talk to multiple
>> disjoint ad domains hence runs multiple winbind instances.
>>
>> Any chance you can point me to the code where the socket lookup happens
>> in libwbclient? Maybe I just need to create a local patch.
>>
>> Thanks for your input thus far.
>>
>> Arnab
>>
>> On 3 Sep 2017 11:06 pm, "Andrew Bartlett" <abartlet at samba.org> wrote:
>>
>>> On Sun, 2017-09-03 at 22:34 +0100, Arnab Roy via samba wrote:
>>> > Hi Rowland,
>>> >
>>> > The only thing I'm using is winbindd; the smbd and nmbd daemons are
>>> > disabled.
>>> >
>>> > However I have now found the bottleneck is because freeradius is
>>> > calling the ntlm_auth binary and effectively forking out.
>>> >
>>> > The guys at freeradius wrote a direct client libwbclient however
>>> > there is no way of specifying the winbind privileged path using that
>>> > method as it's hardcoded during compile time.
>>> >
>>> > Why does samba hardcode this on all client applications is beyond my
>>> > little knowledge :(
>>>
>>> The libwbclient library is used in a privileged context (su, via
>>> pam_winbind) so we can't safely runtime configure it. If you want a
>>> different path, specify it at build time.
>>>
>>> Andrew Bartlett
>>> --
>>> Andrew Bartlett
>>> https://samba.org/~abartlet/
>>> Authentication Developer, Samba Team https://samba.org
>>> Samba Development and Support, Catalyst IT
>>> https://catalyst.net.nz/services/samba