[6427] in Kerberos
Performance of CNS vs. AFS kaserver?
daemon@ATHENA.MIT.EDU (Trey Harris)
Thu Jan 4 05:50:20 1996
To: kerberos@MIT.EDU
Date: 4 Jan 1996 07:07:04 GMT
From: harris@email.unc.edu (Trey Harris)
We're moving our campus email system, which currently has 27,000 users, to
a new system for performance reasons. Since NFS was one of our biggest
performance problems, we have decided to move to AFS for this system.
We now have a rudimentary cell with three replicated database server
machines (which run the AFS Backup, Protection, and Volume Location
servers), two AFS fileserving machines, and fourteen AFS clients. They
are all currently connected by FDDI. These machines are presently only
being used for development of the new system; we have no users yet, which
allows us to make whatever (possibly radical) changes we need before
production time, currently scheduled for mid-February.
Since getting Kerberos authentication for our terminal servers and other
authentication needs has been on our to-do list for a while, we've been
investigating using CNS instead of the Transarc AFS Authentication Server
(kaserver). Since AFS 3.3 and 3.4 include Kerberos ".krb" equivalents of
many AFS commands (including a login.krb that will get a Kerberos ticket
and AFS token at login time), the process looks less onerous than it
might have been in the past.
It seems that given a little effort, getting our cell to use CNS instead
of kaserver is a very doable thing. However, since we are moving to this
new system to improve performance, I'm very wary about anything that may
cause bottlenecks. An authentication bottleneck would be a very bad
thing, since in my experience poor login and password-changing times irk
users worse than any other response time problems.
I know that the AFS kaserver has a mechanism of replication that is
supposed to allow all the database servers in a cell to loadlevel. I
can't say that I'm too clear on how well the quorum/election scheme used
by the kaservers works, but I do know that Transarc says three fairly fast
workstations with modest (48-64MB) memory and a fast network should be
able to handle most large sites. (I realize that most large sites aren't
as large as mine...)
I read the documentation for CNS and see that you can create "slave"
servers which maintain readonly data from the master. But from my reading
of the documentation, these slave servers are fallbacks for failure or
timeout rather than a mechanism for loadleveling.
Is this true? If so, is my only choice to go with the AFS kaserver? I
expect up to a thousand authentication attempts per minute at peak times.
I appreciate any assistance on this. Thanks!
--
Trey Harris http://sunsite.unc.edu/harris/
System Administrator, Project Isis, Office of Information Technology
The University of North Carolina at Chapel Hill