Maximum size of a Unix MIT Kerberos database backend
Nicolas Williams
Nicolas.Williams at sun.com
Tue Nov 10 16:34:00 EST 2009
On Tue, Nov 10, 2009 at 11:14:40AM -0600, John Washington wrote:
> Our backend was last counted at over 200,000 principals and the only noticeable
> impact (at this time) is that propagation time is around two minutes.
My previous experience was with ~100K principals, and indeed, it scales
fine. I suspect it scales just fine to much larger sizes.
Things to keep in mind:
- The MIT krb5 KDC (and so the Solaris one) is single-threaded, and
demand for KDC exchanges matters more than number of principals in
KDB, but you're likely to have multi-core/multi-thread-CPU hardware,
so you may want to create a VM/zone/jail per-core or per-hardware
thread and run the KDC in as many as you need to scale to demand.
You'll probably want to measure how many KDC exchanges you can get
per-HW thread and decide how many KDCs you need based on expected
demand. Estimating demand requires knowledge of what kerberized
services you will have.
In any case, if you will deploy incrementally, then you can add KDCs
as you deploy.
- Incremental propagation helps; I recommend it.
Nico
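As an added illustration of the incremental propagation recommended above (not part of Nico's message or of the MIT krb5 distribution): the relevant kdc.conf realm settings on the master and a replica, plus the kadm5.acl entry that lets the replica's kiprop service principal pull updates. Hostnames, realm, paths and the ulog size are constructed placeholders; the option names are MIT krb5's own iprop settings.

```ini
# /var/krb5/krb5kdc/kdc.conf on the MASTER KDC (constructed example)
[realms]
    EXAMPLE.COM = {
        # Turn on the update log (ulog) that replicas poll for changes.
        iprop_enable = true
        # Number of entries kept in the ulog; a replica that falls more than
        # this far behind gets a full dump instead of an incremental one.
        # Size it above the number of changes expected between polls.
        iprop_master_ulogsize = 5000
        # Port kpropd on the replicas connects to.
        iprop_port = 754
        iprop_logfile = /var/krb5/krb5kdc/principal.ulog
    }

# /var/krb5/krb5kdc/kdc.conf on each REPLICA KDC (constructed example)
[realms]
    EXAMPLE.COM = {
        iprop_enable = true
        # How often kpropd polls the master for new ulog entries.
        iprop_slave_poll = 2m
        iprop_logfile = /var/krb5/krb5kdc/principal.ulog
    }

# /var/krb5/krb5kdc/kadm5.acl on the MASTER (constructed example):
# each replica's kiprop principal needs the "p" (propagation) privilege
# and nothing more, so a compromised replica cannot modify the master KDB.
kiprop/kdc2.example.com@EXAMPLE.COM    p
kiprop/kdc3.example.com@EXAMPLE.COM    p
```

With this in place kpropd runs as a daemon on each replica rather than from inetd, and only the changed entries cross the wire per poll instead of the whole database dump, which is what keeps propagation time flat as the principal count grows. The `kiprop/<replica-host>` principals must exist in the KDB and have keys in the replica's keytab; the "p" privilege is the minimum that lets a replica read the ulog.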