[Samba] Multi-process Netlogon support

On Thu, 2017-02-16 at 14:47 +0100, mathias dufresne wrote:
> Hi all,
> A small question about:
> Multi-process Netlogon support
> ------------------------------
> The Netlogon server in the Samba AD DC can now run as multiple
> processes.  The Netlogon server is a part of the AD DC that handles
> NTLM authentication on behalf of domain members, including file
> servers, NTLM-authenticated web servers and 802.1x gateways.  The
> previous restriction to running as a single process has been removed,
> and it will now run in the same process model as the rest of the
> 'samba' binary.
> Does this mean all Samba parts are now multi-process-able? I tried months
> ago to authenticate users through Kerberos using a script run on several
> client machines (using kinit) and at that moment even with several clients
> pushing auth requests to AD (always the very same DC as a target) was
> consuming only one CPU core. This behaviour is supposed to be changed too?

No, at this point the KDC is still a single task.  

> If yes, do we have to start samba with -M thread to get advantage of
> this?

No, but the NETLOGON server will follow whatever you specify in -M so
the default of 'standard' will make it fork one process per incoming
connection.  That is, no change is needed to obtain the advantage for

We realise that we need more of Samba than just the NETLOGON and SMB
servers to be multi-process, but neither is the standard (fork() per
connection) the right thing for one-packet tasks like krb5 or DNS.  It
is even a poor choice for LDAP, as the degenerate case of 'ldap
authentication' pays the full fork() cost for just a few packets of

Therefore I plan to revive the prefork process model (worker
processes).  However this turned out to be more work than I expected,
so has been delayed, but Samba 4.7 should see some further improvements
in this area.

In the meantime my team at Catalyst will be developing a tool to
simulate network loads, and we will shortly be calling for volunteers
to run a trace tool on their networks to help us understand what a
real-world load looks like, so we can optimise for that.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
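
The trade-off described in the reply above, as an added example that is not part of the original message and not Samba code: it models the degenerate case of one packet per connection and compares a fork() per request with a fixed pool of preforked workers. The function names, the `QUIT` marker and the `handle` stand-in are assumptions made for illustration.

```python
import os
import socket

QUIT = b"\x00QUIT"  # constructed shutdown marker for the worker loop

def handle(pkt):
    """Stand-in for a one-packet service (krb5/DNS style): one request, one reply."""
    return b"ok:" + pkt

def fork_per_request(requests):
    """fork()-per-request model: every single packet pays for a new process."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    forks, replies = 0, []
    for req in requests:
        client.send(req)
        pkt = server.recv(4096)          # parent receives, then forks a handler
        pid = os.fork()
        if pid == 0:                     # child: answer one packet and exit
            try:
                server.send(handle(pkt))
            finally:
                os._exit(0)
        forks += 1
        replies.append(client.recv(4096))
        os.waitpid(pid, 0)
    client.close(); server.close()
    return forks, replies

def prefork(requests, workers=2):
    """Prefork model: a fixed pool forked once and reused for all packets."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    pids = []
    for _ in range(workers):
        pid = os.fork()
        if pid == 0:                     # worker: loop on the shared socket
            try:
                while (pkt := server.recv(4096)) != QUIT:
                    server.send(handle(pkt))
            finally:
                os._exit(0)
        pids.append(pid)
    replies = []
    for req in requests:
        client.send(req)
        replies.append(client.recv(4096))
    for _ in pids:                       # one QUIT per worker
        client.send(QUIT)
    for pid in pids:                     # reap the pool
        os.waitpid(pid, 0)
    client.close(); server.close()
    return len(pids), replies
```

Both functions return the number of fork() calls made and the replies received, so the per-request cost of each model can be compared for the same input.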

