Kerberos 1.9.1 locking issues
Greg Hudson
ghudson at MIT.EDU
Thu Jun 23 00:22:31 EDT 2011
On Wed, 2011-06-22 at 15:09 -0400, Dave Steiner wrote:
> Is anyone else seeing these kinds of issues? Are there any
> recommended ways to fix or help with this?
The database locking discipline is hardcoded and not configurable, but
if you're able to recompile the code, simply bumping MAX_LOCK_TRIES in
plugins/kdb/db2/kdb_db2.c to a larger value (from 5 to 15, say) might
help.
Without further analysis, I'm not sure whether your problem owes to
changes in 1.9.1 and how much it's just due to increasing load. Changes
to principals by kadmind requires an exclusive lock on the database, and
trying five times at 1-second intervals could certainly fail if the KDC
happened to have the database open for reading at five particular times.
(It would be much more robust if we could get a blocking lock with a
timeout. Unfortunately, I'm not aware of any good way to do that
without using alarm signals, which isn't especially nice to do inside a
library.)
More information about the Kerberos
mailing list