Re: Generating timing stats for ntlm_auth
On 14/10/13 16:01, Jonathan Gazeley wrote:
> On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:
>>> Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.
>>
>> it can also BE an AD master etc. anyway, you don't know how tempting it was to "yum install samba4" on our production system ;-)
>>
>> I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context
>
> This morning I upgraded a couple of our radius servers from samba 3.6.9 to 4.0.0-rc4. It works, but it's not yet clear how much of an improvement it makes. Early indication is that it helps spread the load more evenly between domain controllers at peak times, but it is by no means the magic bullet.

I am wondering if using ntlm_auth in pipe mode, in the same way Squid does, would improve this, as it would avoid fork&exec. I might try and knock up a PoC patch.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Generating timing stats for ntlm_auth
On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:
>> Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.
>
> it can also BE an AD master etc. anyway, you don't know how tempting it was to "yum install samba4" on our production system ;-)
>
> I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

This morning I upgraded a couple of our radius servers from samba 3.6.9 to 4.0.0-rc4. It works, but it's not yet clear how much of an improvement it makes. Early indication is that it helps spread the load more evenly between domain controllers at peak times, but it is by no means the magic bullet.

Cheers,
Jonathan
Re: Generating timing stats for ntlm_auth
On 10/10/13 15:01, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Any chance you can point me in the direction of these?
>
> here's one: http://support.microsoft.com/kb/2688798
>
>> Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.
>
> Cisco wireless problem? there's got to be something messing us up here as we are using the same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent clients as at the end of the last academic year (around 8k) and we didn't have this number of those errors then
>
> alan

Can confirm that we at Bristol (Cisco wireless, MS AD auth backend) are also seeing load problems at peak times (every hour, at lecture change-over time when approximately one billion iPhones start roaming the campus). We're also not seeing as much session resumption as we'd expect. We're also seeing the same messages as reported in this thread.

Will be watching this thread with interest - happy to test patches etc.

Cheers,
Jonathan
Re: Generating timing stats for ntlm_auth
On 10/10/13 17:16, Brian Julin wrote:
> You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that resume after running the GDB commands.

That's an inventive one, but I'm not *that* desperate yet!
RE: Generating timing stats for ntlm_auth
Phil wrote:
> I could wrap ntlm_auth in a script that times it and logs the info, but I'm slightly wary of that - it might perturb the timings.
>
> Any obvious/easy thing I'm missing?

You might be able to run FR under gdb (or attach/resume a running FR), and set breakpoints with commands that resume after running the GDB commands. Google "gdb breakpoint commands"

Not sure how that would impact the overall timing.
RE: Generating timing stats for ntlm_auth
> it can also BE an AD master etc. anyway, you don't know how tempting it was to "yum install samba4" on our production system ;-)

Indeed. That's exactly what I'm using it for. :-)

> I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

Yes, versus Windows 2008 R2 or 2012 as well... just for good measure. :-)

Stefan

--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
Re: Generating timing stats for ntlm_auth
Hi,

> Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.

it can also BE an AD master etc. anyway, you don't know how tempting it was to "yum install samba4" on our production system ;-)

I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context

alan
Re: Generating timing stats for ntlm_auth
Hi,

> Any chance you can point me in the direction of these?

here's one: http://support.microsoft.com/kb/2688798

> Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.

Cisco wireless problem? there's got to be something messing us up here as we are using the same FreeRADIUS as last year (2.2.0), seeing the same number of concurrent clients as at the end of the last academic year (around 8k) and we didn't have this number of those errors then

alan
RE: Generating timing stats for ntlm_auth
> authentications (as microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

Samba 4 is lurvely... apparently 100% compatible with existing AD installations, although, as always, it's a bit finicky and info is a bit thin on the ground (and I've not written up a guide when I set my test environment up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on RHEL/CentOS as a package.

Stefan
Re: Generating timing stats for ntlm_auth
On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341
>>
>> ...since the return of our students this year.
>>
>> I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to some changes in our AD infrastructure over the summer.
>
> I've contacted our AD guys about a couple of tweaks they can do for 'legacy'

Any chance you can point me in the direction of these?

> authentications (as microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

Hmm.

> I'm also now getting suspicious about a couple of tuesday patches that got deployed over summer...

Interesting - which ones?

> (we're also thinking about EAP-TLS again ;-) )

Semi-related, but to my annoyance we're seeing rather less SSL resumption than I would expect, given that iOS and Android both do it by default.
Re: Generating timing stats for ntlm_auth
Phil Mayers wrote:
> In order to prove this to the AD team, I need to gather some timing stats for ntlm_auth; can anyone think of an easy way to do this within FreeRADIUS?

I had patches for this a while ago. But they won't apply to the current code. The idea was to update the modsingle struct to have an "elapsed" entry/array. Then, call_modsingle() calls gettimeofday() before and after the call to the module. It takes the elapsed time, and updates the modsingle struct. After a few more hooks, you can get at the stats via radmin.

> Any obvious/easy thing I'm missing?

Nope. Instrumentation is hard.

Alan DeKok.
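
The instrumentation idea in the message above (time each module call with gettimeofday() and accumulate the elapsed time per module), sketched as an added example; it is not the patch mentioned in the message and not FreeRADIUS code. The names `mod_timing_t`, `timed_call()` and `fake_module()` are hypothetical, and the decade histogram is an assumption about what an "elapsed" array might hold.

```c
/* Added illustration: per-module call timing with a log10 latency histogram.
 * mod_timing_t, timed_call() and fake_module() are hypothetical names, not
 * FreeRADIUS structures or functions. */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

#define NBUCKETS 8  /* <10us, <100us, <1ms, <10ms, <100ms, <1s, <10s, >=10s */

typedef struct {
    uint64_t calls, total_usec, max_usec;
    uint64_t bucket[NBUCKETS];
} mod_timing_t;

typedef int (*mod_func_t)(void *request);

/* Map an elapsed time to its decade bucket; the last bucket is open-ended. */
static int timing_bucket(uint64_t usec) {
    int b = 0;
    for (uint64_t limit = 10; b < NBUCKETS - 1 && usec >= limit; limit *= 10) b++;
    return b;
}

static void timing_record(mod_timing_t *t, uint64_t usec) {
    t->calls++;
    t->total_usec += usec;
    if (usec > t->max_usec) t->max_usec = usec;
    t->bucket[timing_bucket(usec)]++;
}

/* gettimeofday() is wall-clock time and can step backwards; clamp to zero. */
static uint64_t tv_diff_usec(const struct timeval *a, const struct timeval *b) {
    int64_t d = (int64_t)(b->tv_sec - a->tv_sec) * 1000000 + (b->tv_usec - a->tv_usec);
    return d < 0 ? 0 : (uint64_t)d;
}

/* Time one module call and fold the result into that module's stats. */
static int timed_call(mod_timing_t *t, mod_func_t fn, void *request) {
    struct timeval start, end;
    gettimeofday(&start, NULL);
    int rcode = fn(request);
    gettimeofday(&end, NULL);
    timing_record(t, tv_diff_usec(&start, &end));
    return rcode;
}

static int fake_module(void *request) { (void)request; return 2; }  /* stand-in module */

int main(void) {
    mod_timing_t t = {0};
    for (int i = 0; i < 1000; i++) timed_call(&t, fake_module, NULL);
    printf("calls=%llu max=%lluus\n", (unsigned long long)t.calls, (unsigned long long)t.max_usec);
    return 0;
}
```

This sketch is single-threaded; in a threaded server the counters would need a lock or atomic updates.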
Re: Generating timing stats for ntlm_auth
Hi,

> Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became unblocked for request 47516341
>
> ...since the return of our students this year.
>
> I am 99% sure this is ntlm_auth being slow, and I have a strong suspicion this is related to some changes in our AD infrastructure over the summer.

I've contacted our AD guys about a couple of tweaks they can do for 'legacy' authentications (as microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load.

I'm also now getting suspicious about a couple of tuesday patches that got deployed over summer...

(we're also thinking about EAP-TLS again ;-) )

alan