kadmin incremental propagation full resync multiple processes spawned
Paul B. Henson
henson at acm.org
Fri Nov 4 15:42:23 EDT 2011

On 11/3/2011 8:26 PM, Greg Hudson wrote:
> Producing a good log message will take a bit of actual work, but fixing
> the error handling is a trivial patch, which I've attached (not tested,
> but it's very simple).

Cool, thanks, I'll recompile with this change. After some thought, I'm
pretty confident that the underlying failure is due to locking
contention, so a good log message would most likely only confirm that,
and given there is no resolution for that yet, not be of much use. But
this fix should keep multiple kadmin processes from contending against
each other, and eventually the dump should succeed, which will fix my
main problem. Looks like my bug report did go through; it was assigned
#6998; if this will be the official fix for the problem, if you'd be so
kind as to attach it to that bug report I could probably get my
distribution to include the patch in their release version pending
inclusion in an upstream release.

> That's a good theory. I don't know if you've been involved in previous
> discussions about our DB2 locking, but since POSIX doesn't provide a way
> to acquire a file lock with a timeout, we just try once a second for
> five seconds, which doesn't provide any kind of fairness guarantee,
> unfortunately.

I don't think I've ever discussed locking in the context of Kerberos,
but having implemented similar mechanisms in other projects in the past
I know exactly what you're talking about <sigh>. When I get time, I was
going to look at the LDAP backend. kadmind is about the last single
point of failure in our identity management infrastructure (we currently
have a single OpenLDAP master, but should be converted to mirror mode
multimaster by the end of the year). Is it possible with the LDAP
backend to have multiple active kadmin servers for fault tolerance? If
the client doesn't know how to try and talk to multiple ones in case of
failure, would it work to have multiple kadmin servers behind a hardware
load balancer?

Thanks much...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
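
The retry scheme described in the quoted text above (one non-blocking attempt per second, five attempts, no queueing), as an added example that is not part of the original message and is not MIT krb5 source. The use of `flock()` and the names `lock_with_retry` and `demo` are assumptions made for illustration; the page does not say which locking call the DB2 backend uses.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Poll for an exclusive lock: up to `attempts` non-blocking tries,
 * `delay_ms` apart. Returns the 1-based attempt that succeeded, 0 if the
 * lock was held on every try, -1 on any other error. Nothing queues the
 * caller, so another process can take the lock between two polls. */
int lock_with_retry(int fd, int attempts, long delay_ms)
{
    struct timespec ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
    for (int i = 1; i <= attempts; i++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return i;
        if (errno != EWOULDBLOCK)
            return -1;
        if (i < attempts)
            nanosleep(&ts, NULL);
    }
    return 0;
}

/* Constructed scenario on a temporary file: a second open file description
 * polls for the lock while the first one holds it (hold != 0) or not. */
int demo(int hold, int attempts, long delay_ms)
{
    char path[] = "/tmp/lock-retry-XXXXXX";
    int holder = mkstemp(path);
    int waiter = holder >= 0 ? open(path, O_RDWR) : -1;
    int rc = -1;
    if (waiter >= 0 && (!hold || flock(holder, LOCK_EX) == 0))
        rc = lock_with_retry(waiter, attempts, delay_ms);
    if (waiter >= 0) close(waiter);
    if (holder >= 0) { close(holder); unlink(path); }
    return rc;
}

int main(void)
{
    /* Five tries one second apart, the schedule from the quoted text. */
    printf("contended:   %d\n", demo(1, 5, 1000));
    printf("uncontended: %d\n", demo(0, 5, 1000));
    return 0;
}
```

A return of 0 means the lock was never acquired, so the caller has to treat it as a failure and stop rather than carry on without the lock.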