I have a Linux machine set up to authenticate users using Active Directory with samba/winbind.
Apache is then set up to use that to authenticate the users. This is done using:
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
</IfModule>
But page requests taking less than 1 second without auth now take > 6 seconds. Looking at the log in /var/log/samba/log.winbindd does not show any errors, but each page load seems to require a lot of authentication requests. Basically there seems to be one authentication per resource loaded, for example for each CSS file.
In /etc/samba/smb.conf I have tried to play with some settings such as winbind cache time = 300 and winbind offline logon = yes. I also tried to change the idmap backend from tdb to ad.
During the page load the CPU usage of winbindd gets very high, ~50-60%, while no other process seems to go over 10-20%.
Have I missed some config that could speed this up, or are there better approaches to this problem (like using something other than mod_authnz_external)?
I still didn't find how to improve the performance when using mod_authnz_external. However, changing to another Apache module, mod_authnz_ldap, got rid of the performance problem. The only downside then is that the LDAP configuration is duplicated for the system and for Apache.
In a similar setup using Ubuntu 18.04 as client and Samba 4.7.8 as a server one authentication with pwauth takes around 200 ms, which is unacceptable for SVN operations because a simple repository listing uses quite a lot of requests.
Loading authn_socache as an authentication cache (example includes authnz_external and authz_unixgroup) with the following settings results in improved performance:
AuthExternalProvideCache On is important, otherwise authnz_external will not cache logins.
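
An added example (not the answerer's settings, which are not reproduced on this page) of placing mod_authn_socache in front of the pwauth provider from the question, so that only the first request per user reaches pwauth and winbind. The /svn location, the realm name, the shmcb backend and the 300-second timeout are assumptions.

```apache
# Assumes mod_authn_socache, mod_socache_shmcb, mod_auth_basic and
# mod_authnz_external are already enabled.

# Server-wide: shared-memory backend for the credential cache (assumed choice).
AuthnCacheSOCache shmcb

# External authenticator, as defined in the question.
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe

# Hypothetical protected location.
<Location "/svn">
    AuthType Basic
    AuthName "Restricted"

    # Order matters: consult the cache first, fall back to pwauth on a miss.
    AuthBasicProvider socache external
    AuthExternal pwauth

    # Let mod_authnz_external store successful logins in the cache,
    # and tell mod_authn_socache to accept entries from that provider.
    AuthExternalProvideCache On
    AuthnCacheProvideFor external

    # Lifetime of a cached login in seconds (assumed value).
    AuthnCacheTimeout 300

    Require valid-user
</Location>
```

Until an entry expires, Apache accepts the cached credentials without asking winbind, so a password change or a disabled AD account can take up to AuthnCacheTimeout seconds to take effect for this location.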