Database locking during kprops, MIT 1.8

Dominic Hargreaves dominic.hargreaves at oucs.ox.ac.uk
Thu Oct 7 12:01:26 EDT 2010


On Thu, Oct 07, 2010 at 11:39:40AM -0400, Greg Hudson wrote:
> On Thu, 2010-10-07 at 07:54 -0400, Dominic Hargreaves wrote:
> > With 1.8, it looks like (some?) getprinc requests also end up modifying
> > the principal database mtime (log correlation suggests that not all
> > getprincs have this effect, and there is a lag of several seconds; but
> > that's the best idea I've got). I can't spot immediately what in the
> > code is doing this; any ideas?
> 
> I'm not sure about getprinc requests through kadmin, but we did add
> account lockout support in 1.8.  A consequence is that initial
> authentication requests to preauth-required principals will update the
> "last successful authentication", "last failed authentication", and
> "failed password attempts" fields of principals.

Aha! That sounds quite likely -- I'd started from the false assumption
that only kadmind modified the database, which explains why my log
correlation didn't really tally.

> In 1.9 we're adding dbmodules variables named disable_last_success and
> disable_lockout to suppress those database updates, but that doesn't
> help you immediately.

*nod*

> As for your larger problem, I don't have any bright ideas besides
> increasing the retry time on database locks.

I think this will be a workable solution for us in the short term,
and you haven't screamed that I shouldn't do that, so thanks :)

> iprop is designed to allow
> fast propagation without the kind of disruption you're seeing, but that
> doesn't sound like it's an option for you right now.

Well, it's possible, but since we've just this week stabilised on our
current platforms it would be nice not to have to start again :) I
suspect what we'll do is make upgrading our slaves a priority once
the next release of Debian, which includes 1.8 by default, is available.

Thanks for your response.

Dominic.

-- 
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford