2

I have a Linux machine set up to authenticate users using Active Directory with samba/winbind.

Apache is then set up to use that to authenticate the users. This is done using:

<IfModule mod_authnz_external.c>
    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe
</IfModule>

But page requests that took less than 1 second without auth now take > 6 seconds. The log in /var/log/samba/log.winbindd does not show any errors, but each page load seems to require a lot of authentication requests. Basically there seems to be one authentication per resource loaded, for example for each CSS file.

In /etc/samba/smb.conf I have tried to play with some settings such as winbind cache time = 300 and winbind offline logon = yes. I also tried to change the idmap backend from tdb to ad.

During the page load the CPU usage of winbindd gets very high, ~50-60%, while no other process seems to go over 10-20%.

Have I missed some config that could speed this up, or are there better approaches to this problem (like using something other than mod_authnz_external)?

Zitrax

2 Answers

3

I still didn't find how to improve the performance when using mod_authnz_external. However, changing to another Apache module, mod_authnz_ldap, got rid of the performance problem. The only downside then is that the LDAP configuration is duplicated for the system and for Apache.

Zitrax
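A sketch of what the mod_authnz_ldap setup described in this answer can look like against Active Directory, as an added example that is not the poster's configuration. The hostname, DNs, group name, CA file, `/private` path and the password helper are placeholders, and the cache values are assumed.

```apache
# Added example, not from the original post. All names below are placeholders.
# Requires mod_ldap and mod_authnz_ldap to be loaded.

# --- Server config (outside any <Location>) ---
# Validate the domain controller's certificate against the AD CA.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ad-ca.pem
LDAPVerifyServerCert On

# mod_ldap keeps search/bind and compare results in shared memory, so the
# directory is not queried again for every CSS file or image on a page.
# A shorter TTL makes password changes and disabled accounts take effect
# sooner, at the cost of more LDAP traffic (300 s is an assumed value).
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 300
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 300

# --- Protected area ---
<Location /private>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider ldap

    # Look users up by sAMAccountName over LDAPS rather than plain LDAP.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Dedicated low-privilege bind account. The exec: form reads the
    # password from a helper program (hypothetical path) so it does not
    # sit in the Apache configuration itself.
    AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"

    # Restrict access to members of one AD group.
    Require ldap-group CN=webusers,OU=Groups,DC=example,DC=com
</Location>
```

Basic authentication sends the password with every request, so the site itself should only be served over HTTPS.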
0

In a similar setup using Ubuntu 18.04 as client and Samba 4.7.8 as a server one authentication with pwauth takes around 200 ms, which is unacceptable for SVN operations because a simple repository listing uses quite a lot of requests.

Loading authn_socache as an authentication cache (example includes authnz_external and authz_unixgroup) with the following settings results in improved performance:

<Location /svn>
     DAV svn
     SVNParentPath /var/local/svn/
     SVNListParentPath on
     AuthType Basic
     AuthName "private area"
     AuthBasicProvider socache external
     AuthExternal pwauth
     AuthExternalProvideCache on
     AuthnCacheProvideFor external
     AuthnCacheTimeout 300
     Require unix-group svngroup
</Location>

AuthExternalProvideCache On is important, otherwise authnz_external will not cache logins.

Robert James