Summary
-------

Applications making use of the libwbclient library for, e.g. authentication or password changes, may be threaded. libwbclient is not currently thread-safe, so data is corrupted spectacularly when multiple threads try to authenticate at the same time, often crashing the calling application.


Present use case / background
-----------------------------

A common installation for wireless networks is to use a combination of FreeRADIUS and Samba for MSCHAP authentication. The standard for many years has been to  call ntlm_auth to authenticate users and this configuration is used at a large number of sites.

In recent months, several universities in particular have noticed that authentications top out at around 30-40 per second, which is becoming limiting due to the large wireless device uptake. In trying to improve the efficiency of the authentication code I have been calling wbcAuthenticateUserEx directly - using the wbclient library seems far cleaner and is also slightly faster than using the helper mode of ntlm_auth which was the other method available.

However, as FreeRADIUS is threaded, this does not work without solving the libwbclient thread-safe problem. Putting a mutex around the calling code will stop the crashes, but then does not give the required performance increase.


Patches
-------

The following patches kindly accepted into master recently will apply cleanly to 4.2, and add additional functions to libwbclient that enable context to be passed, eliminating the global variables which were the cause of the problem:

* c6cb2d6 Update libwbclient version to 0.12
* 2664d90 Move wbc global variables into global context instead
* 063c56d Add context versions of wbclient functions
* 348f93f Add wbcContext to wbcRequestResponse
* bc75e72 Add wbcContext struct, create and free functions
* 83cfb84 Use global context for winbindd_request_response
* 60c7571 Make winbind client library thread-safe by adding context

There is no change to the existing API (only new functions are added).

The following patch also helps by stopping extra_data from being non-NULL and then erroneously free()'d. This can easily happen when multiple threads are calling the same function (though this is technically only an issue because libwbclient is not thread-safe at present, so should not be being used in that way).

* 764cfda Make sure response->extra_data.data is always cleared out


Sites with issues
-----------------

I do not believe that this issue currently affects anything inside Samba, and it looks quite likely that I may be the first to use the library from outside Samba. Therefore, from the project perspective, this may be a minor issue, though it would be really useful for the library to be thread safe for a growing number of sites with authentication problems. See, for example

http://lists.freeradius.org/pipermail/freeradius-users/2013-October/068580.html
http://lists.freeradius.org/pipermail/freeradius-users/2015-January/075435.html
http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html
http://lists.freeradius.org/pipermail/freeradius-users/2014-October/074517.html
http://lists.freeradius.org/pipermail/freeradius-devel/2015-February/010570.html
http://lists.freeradius.org/pipermail/freeradius-users/2014-December/075027.html

Thanks for taking the time to consider this!

Matthew