[36064] in Kerberos


Re: krb5kdc pausing while kdb5_util dumps database

daemon@ATHENA.MIT.EDU (Carlos Más)
Fri Apr 25 09:53:29 2014

In-Reply-To: <1398418747.5790.399.camel@ion.is.ed.ac.uk>
From: Carlos Más <charliplus@gmail.com>
Date: Fri, 25 Apr 2014 09:52:47 -0400
Message-ID: <CA+Qd5AQPfX9BdjB-nv10EP2+HeUxnK+FYt2Cs3qEYXfLz2xmCA@mail.gmail.com>
To: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
Cc: kerberos@mit.edu

I have experienced this issue before in a similar manner (we do a regular
dump of a very large Kerberos database, and the Kerberos process would stop
serving requests while this dump was happening).

We solved this problem by completely disabling account lockout and access
tracking, i.e.:

[dbmodules]
        db2 = {
                database_name = [...]
                disable_last_success = true
                disable_lockout = true
        }

While the details are not fresh in my mind right now (and I could be
completely mistaken, or your issue could be different), the root cause was
around a locking issue - the dump process locks the database and it would
clash with the Kerberos process trying to write to the database updating
the records needed for account lockout.


On Fri, Apr 25, 2014 at 5:39 AM, Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk> wrote:

> We have a (large?) principal database that takes forty seconds to dump
> with kdb5_util.  While this is going on krb5kdc stops responding to
> authentication and ticket requests.  It happily continues once the dump
> is complete.
>
> We are running MIT krb5 1.12.1 on Scientific Linux 6.
>
> Incremental propagation is turned on, account lockout policy is in
> place, and last successful authentication is not written.
>
> We see the same pause whenever a full resync is made, e.g. after a
> policy change.  This is not surprising as kadmind spawns a kdb5_util
> dump for this.
>
> Is this behaviour of krb5kdc to be expected or might we have something
> incorrect in our configuration?
>
> Cheers,
>
> Kenny.
>
>
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
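An added example, not part of the original message and not MIT krb5 code: a Python check that reads kdc.conf-style text and lists, for each [dbmodules] entry, which of the two flags from the reply are not set to true, meaning the corresponding KDC updates to principal entries stay enabled. The sample text, module names and function names are constructed for illustration.

```python
import re

# Strings the krb5 profile library reads as boolean true
# (assumption: compared case-insensitively).
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
FLAGS = ("disable_last_success", "disable_lockout")

# Constructed sample: one module with lockout tracking on, one with both flags set.
SAMPLE = """
[realms]
    EXAMPLE.ORG = {
        database_module = lockout_on
    }
[dbmodules]
    lockout_on = {
        db_library = db2
        disable_last_success = true
    }
    lockout_off = {
        db_library = db2
        disable_last_success = true
        disable_lockout = true
    }
"""

def parse_dbmodules(text):
    """Return {module_name: {relation: value}} for the [dbmodules] section."""
    modules, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif section != "dbmodules":
            continue                      # relations in other sections are ignored
        elif line == "}":
            current = None
        elif (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            current = modules.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line)):
            current[m.group(1)] = m.group(2).strip()
    return modules

def unset_write_flags(text):
    """Map each module to the disable_* flags that are absent or not true."""
    return {name: [f for f in FLAGS if rel.get(f, "false").lower() not in TRUE_VALUES]
            for name, rel in parse_dbmodules(text).items()}

if __name__ == "__main__":
    for module, unset in unset_write_flags(SAMPLE).items():
        print(module, "-> not disabled:", ", ".join(unset) or "none (both flags set)")
```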