The current winbind implementation uses only one connection for auth. Here is some IRC log from the #samba-technical channel:

01/15/09 18:35:39 <zmarci> hi all
01/15/09 18:38:41 <zmarci> i read the manual, howtos, and lot of ms bullshit, but i can't understand how can i tuning winbind auth performance, i created a little test script with ntlm_auth helper, and testing in ADS environment and always get 170-190 auth request/sec
01/15/09 18:39:25 <zmarci> i tried 1, 2, 8, 16 parallel "thread", but the result is same, always 170-190 auth request/sec, no more
01/15/09 18:39:37 <vl> zmarci: You would need to provide a sniff of this, so that we can see if it's the client or the DC who is limiting speed
01/15/09 18:40:31 <zmarci> the "clients" (the test script) running on the samba server, the dc is in same ethernet lan with samba server
01/15/09 18:40:39 <zmarci> ping delay less 0.2ms
01/15/09 18:40:45 <vl> zmarci: I know what you mean.
01/15/09 18:40:53 <vl> zmarci: We'd need sniffs.
01/15/09 18:41:09 <vl> zmarci: It's highly likely that the DC is the bottleneck.
01/15/09 18:42:11 <zmarci> i found one interesting registry key in the windows server ... maxconcurrentapi
01/15/09 18:42:42 <vl> zmarci: do you have a kb number for that?
01/15/09 18:42:54 <zmarci> when i change the default value (0) to 5 the winbind connected more thread to dc
01/15/09 18:43:07 <vl> huh?
01/15/09 18:43:17 <zmarci> vl, sorry but i don't understand bottleneck ... ;)
01/15/09 18:43:39 <vl> By bottleneck I mean the component that limits the performance
01/15/09 18:43:47 <zmarci> ok, thx
01/15/09 18:44:22 <zmarci> with the default maxcon... winbind connect with 2 connections to dc
01/15/09 18:44:40 <zmarci> after the change connects with 5 connections
01/15/09 18:44:46 <zmarci> (to the 445 port)
01/15/09 18:44:48 <vl> No, I doubt that.
01/15/09 18:45:09 <vl> how can a parameter on the server influence winbind behaviour?
01/15/09 18:45:26 <vl> winbind for auth purposes only ever makes one connection.
01/15/09 18:45:41 <vl> We could expand that, but nobody has done it so far.
01/15/09 18:46:10 <zmarci> how?
01/15/09 18:46:37 <vl> Well, just modify the winbind source code to open more than one connection.
01/15/09 18:46:48 <bmarshmn> _just_ ;)
01/15/09 18:47:12 <vl> bmarshmn: Shouldn't be too hard, really. Just fork two domain children.
01/15/09 18:47:46 <vl> The scheduler in the parent would have to be modified, but that's doable as well.
01/15/09 18:48:11 <vl> nevertheless, I'm off for 1-2 hours
01/15/09 18:48:13 <vl> cu later

In an enterprise environment we need more effective auth subsystem performance, please do it :)
Possible enhancement for 3.5 then.
Too late for enhancements in 3.5. Raising version.
Fixed in 3.6 with "winbind max domain connections".