[6428] in Kerberos
Re: Performance of CNS vs. AFS kaserver?
daemon@ATHENA.MIT.EDU (John Hascall)
Thu Jan 4 09:53:23 1996
To: kerberos@MIT.EDU
Date: 4 Jan 1996 14:34:00 GMT
From: john@iastate.edu (John Hascall)
Trey Harris <harris@email.unc.edu> wrote:
}We're moving our campus email system, which currently has 27,000 users,...
}Since getting Kerberos authentication for our terminal servers and other
}authentication needs has been on our to-do list for awhile, we've been
}investigating using CNS instead of the Transarc AFS Authentication Server
}(kaserver). ...
}It seems that given a little effort, getting our cell to use CNS instead
}of kaserver is a very doable thing. However, since we are moving to this
}new system to improve performance, I'm very wary about anything that may
}cause bottlenecks. An authentication bottleneck would be a very bad
}thing, since in my experience poor login and password-changing times irk
}users worse than any other response time problems.
I can agree with this assessment -- odd, isn't it?
}I know that the AFS kaserver has a mechanism of replication that is
}supposed to allow all the database servers in a cell to loadlevel. I
}can't say that I'm too clear on how well the quorum/election scheme used
}by the kaservers work, but I do know that Transarc says three fairly fast
}workstations with modest (48-64MB) memory and a fast network should be
}able to handle most large sites. (I realize that most large sites aren't
}as large as mine...)
We are, and then some...
}I read the documentation for CNS and see that you can create "slave"
}servers which maintain readonly data from the master. But from my reading
}of the documentation, these slave servers are fallbacks for failure or
}timeout rather than a mechanism for loadleveling.
If CNS is basically a repackaged MIT Kerberos 4 this is true.
}Is this true? If so, is my only choice to go with the AFS kaserver? I
}expect up to a thousand authentication attempts per minute at peak times.
We have a pair of lowly DECstation 2100s with crummy slow RZ55s
as our Kerberos master and slave running (MIT Kerb V4 pl10).
I have tested them and they can deliver up to 40 requests/second.
We rarely see 4 req/sec.
If you're not familiar with a 2100 it's about 8 MIPS and an RZ55
is, what, 7-yr-old disk technology.
John
--
John Hascall ``An ill-chosen word is the fool's messenger.''
Moderator, comp.unix.wizards
Systems Software Engineer, ISU Comp Center + Ames, IA 50011 + 515/294-9551
<a href="http://www.cc.iastate.edu/staff/systems/john/">My Homepage</a>