[23736] in Kerberos
Problems with kadmind
daemon@ATHENA.MIT.EDU (Mike Friedman)
Tue Apr 19 14:26:03 2005
Date: Tue, 19 Apr 2005 11:23:44 -0700 (PDT)
From: Mike Friedman <mikef@ack.berkeley.edu>
To: kerberos@mit.edu
Message-ID: <Pine.GSO.4.58.0504191107380.9696@ack.Berkeley.EDU>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: kerberos-bounces@mit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We're running a krb5-1.3.4 KDC on a Solaris 8 Ultra-10 box with 384Mb of
real memory. Our database has about 280K principals (it's about 250Mb in
size). Lately, we've been seeing problems with kadmin responses, in
particular timing out on long requests (e.g., listprincs *) and sometimes
even upon initial kadmin connection.
Are there any known issues with 1.3.4 kadmind and memory? I notice that
when I have a kadmin/kadmind session in progress, kadmind will show
(according to 'top') resident memory usage at over 100M, which I guess
might put a strain on a 384Mb RAM machine. But I also wonder if the (ever
growing) size of our database might be exacerbating this problem.
Suspecting a possible memory leak, I've restarted kadmind, but the problem
returns right away, though it is always intermittent and may be a function
of the load (authentication transactions).
Any ideas? Would increasing real memory on the machine solve this
problem?
I should mention that for years I've been carrying a mod that increases
the RPC timeout value from 25 seconds to 180 seconds. This has always been
necessary to allow a listprincs, given the size of our db. When I issued
a listprincs on the KDC itself (as root), using kadmin.local, I didn't get
a timeout (of course), but it took a long time (over 3 minutes,
presumably) and while it was running, the KDC logs showed an absence of
normal authentication activity, which was then taken up by the slave KDC.
So, this is not just an RPC timeout issue, but one (I think) having to do
with kadmind performance.
Since this problem appears to have started only recently, I suspect that
the size of the database is what's triggered it. But I'm also wondering if
something else is afoot.
Any ideas or suggestions appreciated.
Thanks.
Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef@ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBQmVMt60bf1iNr4mCEQKUYQCgp+oNloqxm5lqkrxzlLQeWzOnx4AAoNZR
iP4q5YFLc9drC+YsWpD0MNne
=FgBN
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos