kadmin incremental propagation full resync multiple processes spawned

Paul B. Henson henson at acm.org
Fri Nov 4 15:42:23 EDT 2011


On 11/3/2011 8:26 PM, Greg Hudson wrote:

> Producing a good log message will take a bit of actual work, but fixing
> the error handling is a trivial patch, which I've attached (not tested,
> but it's very simple).

Cool, thanks, I'll recompile with this change. After some thought, I'm 
pretty confident that the underlying failure is due to locking 
contention, so a good log message would most likely only confirm that, 
and given there is no resolution for that yet, not be of much use. But 
this fix should keep multiple kadmin processes from contending against 
each other, and eventually the dump should succeed, which will fix my 
main problem. Looks like my bug report did go through; it was assigned 
#6998; if this will be the official fix for the problem, if you'd be so 
kind as to attach it to that bug report I could probably get my 
distribution to include the patch in their release version pending 
inclusion in an upstream release.

> That's a good theory.  I don't know if you've been involved in previous
> discussions about our DB2 locking, but since POSIX doesn't provide a way
> to acquire a file lock with a timeout, we just try once a second for
> five seconds, which doesn't provide any kind of fairness guarantee,
> unfortunately.

I don't think I've ever discussed locking in the context of Kerberos, 
but having implemented similar mechanisms in other projects in the past 
I know exactly what you're talking about <sigh>. When I get time, I was 
going to look at the LDAP backend. kadmind is about the last single 
point of failure in our identity management infrastructure (we currently 
have a single openldap master, but should be converted to mirror mode 
multimaster by the end of the year). Is it possible with the LDAP 
backend to have multiple active kadmin servers for fault tolerance? If 
the client doesn't know how to try and talk to multiple ones in case of 
failure, would it work to have multiple kadmin servers behind a hardware 
load balancer?

Thanks much...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
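
The retry scheme described in the quoted text above (one non-blocking try per second, five tries), as an added example that is not part of the original message or of the krb5 source. It assumes `flock()` as the lock primitive so two descriptors in one process can contend; the name `lock_with_retry` and the scratch file are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose flock() and mkstemp() under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Try a non-blocking exclusive lock up to `attempts` times, sleeping
 * `interval_ms` between tries.  Returns the 1-based attempt that got the
 * lock, or -1 (errno = EAGAIN) if every attempt found it held.  Nothing
 * queues the waiters, so a late arrival can win ahead of an earlier one. */
int lock_with_retry(int fd, int attempts, long interval_ms)
{
    struct timespec ts = { interval_ms / 1000, (interval_ms % 1000) * 1000000L };

    for (int i = 1; i <= attempts; i++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return i;
        if (errno != EWOULDBLOCK && errno != EINTR)
            return -1;              /* real failure, e.g. EBADF: do not retry */
        if (i < attempts)
            nanosleep(&ts, NULL);
    }
    errno = EAGAIN;
    return -1;
}

int main(void)
{
    char path[] = "/tmp/lockdemoXXXXXX";      /* constructed scratch file */
    int holder = mkstemp(path);               /* stands in for a long-running dump */
    int waiter = open(path, O_RDWR);          /* separate open file description */
    if (holder < 0 || waiter < 0)
        return 1;

    printf("holder: attempt %d\n", lock_with_retry(holder, 5, 1000));
    printf("waiter while held: %d\n", lock_with_retry(waiter, 5, 1000));
    flock(holder, LOCK_UN);
    printf("waiter after release: attempt %d\n", lock_with_retry(waiter, 5, 1000));

    close(holder);
    close(waiter);
    unlink(path);
    return 0;
}
```

A caller that gets -1 with `EAGAIN` has to treat it as a retryable condition and not start a second worker against the same lock.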


