Problems with kadmind

Mike Friedman mikef at ack.Berkeley.EDU
Tue Apr 19 14:23:44 EDT 2005


We're running a krb5-1.3.4 KDC on a Solaris 8 Ultra-10 box with 384Mb of
real memory.  Our database has about 280K principals (it's about 250Mb in
size).  Lately, we've been seeing problems with kadmin responses, in
particular timing out on long requests (e.g., listprincs *) and sometimes
even upon initial kadmin connection.

Are there any known issues with 1.3.4 kadmind and memory?  I notice that
when I have a kadmin/kadmind session in progress, kadmind will show
(according to 'top') resident memory usage at over 100M, which I guess
might put a strain on a 384Mb RAM machine.  But I also wonder if the (ever
growing) size of our database might be exacerbating this problem.

Suspecting a possible memory leak, I've restarted kadmind, but the problem
returns right away, though it is always intermittent and may be a function
of the load (authentication transactions).

Any ideas?  Would increasing real memory on the machine solve this
problem?

I should mention that for years I've been carrying a mod that increases
the RPC timeout value from 25 seconds to 180 seconds. This has always been
necessary to allow a listprincs, given the size of our db.  When I issued
a listprincs on the KDC itself (as root), using kadmin.local, I didn't get
a timeout (of course), but it took a long time (over 3 minutes,
presumably) and while it was running, the KDC logs showed an absence of
normal authentication activity, which was then taken up by the slave KDC.
So, this is not just an RPC timeout issue, but one (I think) having to do
with kadmind performance.

Since this problem appears to have started only recently, I suspect that
the size of the database is what's triggered it. But I'm also wondering if
something else is afoot.

Any ideas or suggestions appreciated.

Thanks.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
mikef at ack.Berkeley.EDU          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________


More information about the Kerberos mailing list