Summary ------- Applications making use of the libwbclient library for, e.g. authentication or password changes, may be threaded. libwbclient is not currently thread-safe, so data is corrupted spectacularly when multiple threads try to authenticate at the same time, often crashing the calling application. Present use case / background ----------------------------- A common installation for wireless networks is to use a combination of FreeRADIUS and Samba for MSCHAP authentication. The standard for many years has been to call ntlm_auth to authenticate users and this configuration is used at a large number of sites. In recent months, several universities in particular have noticed that authentications top out at around 30-40 per second, which is becoming limiting due to the large wireless device uptake. In trying to improve the efficiency of the authentication code I have been calling wbcAuthenticateUserEx directly - using the wbclient library seems far cleaner and is also slightly faster than using the helper mode of ntlm_auth which was the other method available. However, as FreeRADIUS is threaded, this does not work without solving the libwbclient thread-safe problem. Putting a mutex around the calling code will stop the crashes, but then does not give the required performance increase. Patches ------- The following patches kindly accepted into master recently will apply cleanly to 4.2, and add additional functions to libwbclient that enable context to be passed, eliminating the global variables which were the cause of the problem: * c6cb2d6 Update libwbclient version to 0.12 * 2664d90 Move wbc global variables into global context instead * 063c56d Add context versions of wbclient functions * 348f93f Add wbcContext to wbcRequestResponse * bc75e72 Add wbcContext struct, create and free functions * 83cfb84 Use global context for winbindd_request_response * 60c7571 Make winbind client library thread-safe by adding context There is no change to the existing API (only new functions are added). The following patch also helps by stopping extra_data from being non-NULL and then erroneously free()'d. This can easily happen when multiple threads are calling the same function (though this is technically only an issue because libwbclient is not thread-safe at present, so should not be being used in that way). * 764cfda Make sure response->extra_data.data is always cleared out Sites with issues ----------------- I do not believe that this issue currently affects anything inside Samba, and it looks quite likely that I may be the first to use the library from outside Samba. Therefore, from the project perspective, this may be a minor issue, though it would be really useful for the library to be thread safe for a growing number of sites with authentication problems. See, for example http://lists.freeradius.org/pipermail/freeradius-users/2013-October/068580.html http://lists.freeradius.org/pipermail/freeradius-users/2015-January/075435.html http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html http://lists.freeradius.org/pipermail/freeradius-users/2014-October/074517.html http://lists.freeradius.org/pipermail/freeradius-devel/2015-February/010570.html http://lists.freeradius.org/pipermail/freeradius-users/2014-December/075027.html Thanks for taking the time to consider this! Matthew
Created attachment 10862 [details] git-am backport from master.
Re-assigning to Karolin for inclusion in 4.2.next.
Pushed to autobuild-v4-2-test.
Created attachment 10875 [details] always initialise winbind context correctly Small fix-up that I missed in the first set of patches. This won't affect internal Samba code which always has NULL context at present, but when called with non-null context the wb_ctx pointer doesn't get initialised correctly.
Comment on attachment 10875 [details] always initialise winbind context correctly LGTM.
Karolin, please push the additional patch to 4.2.next. Thanks ! Jeremy.
(In reply to Jeremy Allison from comment #6) Pushed additional patch to autobuild-v4-2-test.
(In reply to Karolin Seeger from comment #7) Pushed to v4-2-test. Closing out bug report. Thanks!