The current winbind implementation use only one connection for auth.
here is some irc log, from #samba-technical channel:
01/15/09 18:35:39 <zmarci> hi all
01/15/09 18:38:41 <zmarci> i read the manual, howtos, and lot of ms bullshit, but i can't understand how can i tuning winbind auth performance, i created a litle test script with ntlm_auth helper, and testing in ADS environment and always get 170-190 auth request/sec
01/15/09 18:39:25 <zmarci> i tried 1, 2,8,16 parallel "thread", but the result is same, always 170-190 auth request/sec, no more
01/15/09 18:39:37 <vl> zmarci: You would need to provide a sniff of this, so that we can see if it's the client or the DC who is limiting speed
01/15/09 18:40:31 <zmarci> the "clients" (the test script) running on the samba server, the dc is in same ethernet lan with samba server
01/15/09 18:40:39 <zmarci> ping delay less 0.2ms
01/15/09 18:40:45 <vl> zmarci: I know what you mean.
01/15/09 18:40:53 <vl> zmarci: We'd need sniffs.
01/15/09 18:41:09 <vl> zmarci: It's highly likely that the DC is the bottleneck.
01/15/09 18:42:11 <zmarci> i found one interesting registry key in the windows server ... maxconcurrentapi
01/15/09 18:42:42 <vl> zmarci: do you have a kb number for that?
01/15/09 18:42:54 <zmarci> when i change the default value (0) to 5 the winbind connected more thread to dc
01/15/09 18:43:07 <vl> huh?
01/15/09 18:43:17 <zmarci> vl, sorry but i dont understand bottleneck ... ;)
01/15/09 18:43:39 <vl> By bottleneck I mean the component that limits the performance
01/15/09 18:43:47 <zmarci> ok, thx
01/15/09 18:44:22 <zmarci> with the default maxcon... winbind connect with 2 connections to dc
01/15/09 18:44:40 <zmarci> after the change connects with 5 connections
01/15/09 18:44:46 <zmarci> (to the 445 port)
01/15/09 18:44:48 <vl> No, I doubt that.
01/15/09 18:45:09 <vl> how can a parameter on the server influence winbind behaviour?
01/15/09 18:45:26 <vl> winbind for auth purposes only ever makes one connection.
01/15/09 18:45:41 <vl> We could expand that, but nobody has done it so far.
01/15/09 18:46:10 <zmarci> how?
01/15/09 18:46:37 <vl> Well, just modify the winbind source code to open more than one connection.
01/15/09 18:46:48 <bmarshmn> _just_ ;)
01/15/09 18:47:12 <vl> bmarshmn: Shouldn't be too hard, really. Just fork two domain children.
01/15/09 18:47:46 <vl> The scheduler in the parent would have to be modified, but that's doable as well.
01/15/09 18:48:11 <vl> nevertheless, I'm off for 1-2 hours
01/15/09 18:48:13 <vl> cu later
in the enterprise environment need more effective auth subsystem performance, please do it :)
possible enhancement for 3.5 then.
Too late for enhancements in 3.5. Raising version.
Fixed in 3.6 with "winbind max domain connections".