[6434] in Kerberos


Re: Performance of CNS vs. AFS kaserver?

daemon@ATHENA.MIT.EDU (Randall S. Winchester)
Thu Jan 4 21:09:54 1996

Date: Thu, 4 Jan 1996 20:57:34 -0500 (EST)
From: "Randall S. Winchester" <rsw@eng.umd.edu>
To: Trey Harris <harris@email.unc.edu>
Cc: kerberos@MIT.EDU
In-Reply-To: <4cfuao$1539@bigblue.oit.unc.edu>


I really do not know why you want to go through the effort of using the
MIT/CNS Kerberos server, when the AFS kaserver will serve you well.

First, as far as the password changing you refer to, the MIT Kerberos
server only does writes (changes) to the one "admin" server, while with
the AFS kaserver any of them can accept your change requests (though there
is a master to coordinate changes).

The Annex boxes (terminal servers) we use work just fine talking to the
kaserver, as it tries both string-to-keys.

We have a similar setup to you, where the campus Annex lines (dialup service)
authenticate to Kerberos (via the kaserver) for access to the campus net.

We have over 31,000 accounts that also talk to the same kaserver and get
their mail delivered into AFS.

I have not seen a performance problem talking to the kaserver when it is
properly configured. That is, not running as a fileserver with anything
but maybe a few seldom-accessed volumes. It must be on a network that is
not swamped with other traffic so those on other subnets can get to it
(FDDI is a good thing to connect them to...). Also, do not run much more
than named on these machines, and make sure it does not have to swap.

I started with an MIT Kerberos realm and later added AFS, keeping the MIT
Kerberos server initially. I have since switched that cell/REALM around to
use the kaserver instead and have had better reliability. We still use
Kerberos libraries for client applications, and have modified them to also
try both string-to-keys. The MIT kpasswd will change the password to its
string-to-key and the AFS kpasswd to its, so if you need one or the other
you will be ok. The AFS utilities for account maintenance are a lot more
mature than the MIT counterparts.

Again, I would think you would have a better go of it by just using the
kaserver that you already have.

Randall

On 4 Jan 1996, Trey Harris wrote:

> We're moving our campus email system, which currently has 27,000 users, to
> a new system for performance reasons.  Since NFS was one of our biggest
> performance problems, we have decided to move to AFS for this system. 
> 
> We now have a rudimentary cell with three replicated database server
> machines (which run the AFS Backup, Protection, and Volume Location
> servers), two AFS fileserving machines, and fourteen AFS clients.  They
> are all currently connected by FDDI.  These machines are presently only
> being used for development of the new system; we have no users yet, which
> allows us to make whatever (possibly radical) changes we need before
> production time, currently scheduled for mid-February. 
> 
> Since getting Kerberos authentication for our terminal servers and other
> authentication needs has been on our to-do list for a while, we've been
> investigating using CNS instead of the Transarc AFS Authentication Server
> (kaserver).  Since AFS 3.3 and 3.4 include Kerberos ".krb" equivalents of
> many AFS commands (including a login.krb that will get a Kerberos ticket
> and AFS token at login time), the process looks less onerous than it
> might have been in the past.
> 
> It seems that given a little effort, getting our cell to use CNS instead
> of kaserver is a very doable thing.  However, since we are moving to this
> new system to improve performance, I'm very wary about anything that may
> cause bottlenecks.  An authentication bottleneck would be a very bad
> thing, since in my experience poor login and password-changing times irk
> users worse than any other response time problems.
> 
> I know that the AFS kaserver has a mechanism of replication that is
> supposed to allow all the database servers in a cell to load-level.  I
> can't say that I'm too clear on how well the quorum/election scheme used
> by the kaservers works, but I do know that Transarc says three fairly fast
> workstations with modest (48-64MB) memory and a fast network should be
> able to handle most large sites.  (I realize that most large sites aren't
> as large as mine...)
> 
> I read the documentation for CNS and see that you can create "slave"
> servers which maintain read-only data from the master.  But from my reading
> of the documentation, these slave servers are fallbacks for failure or
> timeout rather than a mechanism for load-leveling.
> 
> Is this true?  If so, is my only choice to go with the AFS kaserver?  I
> expect up to a thousand authentication attempts per minute at peak times.
> 
> I appreciate any assistance on this.  Thanks!
> -- 
> Trey Harris                             http://sunsite.unc.edu/harris/
>   System Administrator, Project Isis, Office of Information Technology
>                        The University of North Carolina at Chapel Hill
> 
