[36065] in Kerberos


Re: krb5kdc pausing while kdb5_util dumps database

daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Fri Apr 25 10:05:43 2014

From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: Carlos Más <charliplus@gmail.com>
In-Reply-To: <CA+Qd5AQPfX9BdjB-nv10EP2+HeUxnK+FYt2Cs3qEYXfLz2xmCA@mail.gmail.com>
Date: Fri, 25 Apr 2014 15:05:28 +0100
Message-ID: <1398434728.5790.416.camel@ion.is.ed.ac.uk>
Cc: kerberos@mit.edu

On Fri, 2014-04-25 at 09:52 -0400, Carlos Más wrote:
> I have experienced this issue before in a similar manner (we do a
> regular dump of a very large Kerberos database, and the Kerberos
> process would stop serving requests while this dump was happening).
> 
> 
> We solved this problem by completely disabling account lockout and
> access tracking, i.e.:
> 
> 
> [dbmodules]
>         db2 = {
>                 database_name = [...]
>                 disable_last_success = true
>                 disable_lockout = true
>         }

Unfortunately we need to keep account lockout turned on.

> 
> While the details are not fresh in my mind right now (and I could be
> completely mistaken, or your issue could be different), the root cause
> was around a locking issue - the dump process locks the database and
> it would clash with the Kerberos process trying to write to the
> database updating the records needed for account lockout.

Yes, I'm seeing in our logs successful authentications for a few seconds
during the dump until the first failure locks it until the dump
completes.

Thinking aloud ... I wonder how difficult it would be to have krb5kdc
optionally stop recording failures while the database is locked.

Cheers,

Kenny.

> On Fri, Apr 25, 2014 at 5:39 AM, Kenneth MacDonald
> <Kenneth.MacDonald@ed.ac.uk> wrote:
>         We have a (large?) principal database that takes forty seconds
>         to dump with kdb5_util.  While this is going on krb5kdc stops
>         responding to authentication and ticket requests.  It happily
>         continues once the dump is complete.
>         
>         We are running MIT krb5 1.12.1 on Scientific Linux 6.
>         
>         Incremental propagation is turned on, account lockout policy is
>         in place, and last successful authentication is not written.
>         
>         We see the same pause whenever a full resync is made, e.g. after
>         a policy change.  This is not surprising as kadmind spawns a
>         kdb5_util dump for this.
>         
>         Is this behaviour of krb5kdc to be expected or might we have
>         something incorrect in our configuration?
>         
>         Cheers,
>         
>         Kenny.
>         
>         
>         
>         --
>         The University of Edinburgh is a charitable body, registered in
>         Scotland, with registration number SC005336.
>         
>         ________________________________________________
>         Kerberos mailing list           Kerberos@mit.edu
>         https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
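
Added example (not part of the original thread and not MIT krb5 code): a small Python check that reads kdc.conf text and reports, for each `[dbmodules]` entry, whether the workaround quoted above has switched off lockout tracking or last-success recording. The sample configuration, the module name `strict`, the realm and the paths are constructed for illustration; `strict` mirrors the setup described in the original question (lockout on, last success not written).

```python
import re

# Spellings MIT krb5's profile parser accepts as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def parse_dbmodules(conf_text):
    """Return {module_name: {key: value}} for subsections of [dbmodules]."""
    modules, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1), None
        elif section != "dbmodules":
            continue                      # ignore [realms], [kdcdefaults], ...
        elif line.startswith("}"):
            current = None                # end of one module's subsection
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                current = modules.setdefault(key, {})
            elif current is not None:
                current[key] = value
    return modules

def audit_lockout(conf_text):
    """Report, per database module, which lockout-related writes are active."""
    report = {}
    for name, opts in parse_dbmodules(conf_text).items():
        flag = lambda k: opts.get(k, "false").lower() in TRUE_VALUES
        report[name] = {
            # disable_lockout = true stops failed-attempt tracking, so no lockout
            "lockout_enforced": not flag("disable_lockout"),
            "last_success_recorded": not flag("disable_last_success"),
        }
    return report

# Constructed sample input: placeholder realm, module names and paths.
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.ORG = {
        database_module = db2
    }
[dbmodules]
    db2 = {
        database_name = /path/to/principal
        disable_last_success = true
        disable_lockout = true
    }
    strict = {
        database_name = /path/to/other
        disable_last_success = true
    }
"""
```

Calling `audit_lockout(SAMPLE_KDC_CONF)` returns one entry per module; a module reporting `lockout_enforced: False` has lost failed-attempt tracking as the price of avoiding the pause.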


