rough estimate of kadmin addprinc performance?

Greg Hudson ghudson at MIT.EDU
Tue Aug 14 12:00:35 EDT 2012


On 08/14/2012 04:53 AM, Chris Hecker wrote:
> Does this performance sound right for this level of machine?  Would it
> be much faster using libkadm5 in C?  Should I be getting hundreds of
> anks/sec or something?

The expensive part of this is probably AES string-to-key, which is
intentionally slow (4096 iterations of SHA-1).  You should be able to
make it go about twice as fast by changing supported_enctypes (in the
kdc.conf libdefaults section) to include only one of the two AES enctypes.

You could also try to use more CPU cores by using multiple simultaneous
kadmin.local processes, but they might trip over each other trying to
lock the DB (because our DB2 locking isn't very good).

If you aren't actually trying to set these to valid passwords, you could
use addprinc -randkey which should be much faster (in that it does no
string-to-key operations).  But based on your code snippet, it sounds
like you do want the principals to have valid initial passwords, in
which case the string-to-key operations are unavoidable.
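
As an added illustration (not part of the original message or of MIT krb5), the Python sketch below times the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key for each supported_enctypes choice and counts the HMAC rounds each choice costs per principal. It omits the final key-derivation step and all database work, so the rates are upper bounds for one core; the principal names and passwords are constructed samples, and the helper names are hypothetical.

```python
import hashlib
import math
import time

SHA1_LEN = 20       # PBKDF2-HMAC-SHA1 produces 20 bytes per output block
ITERATIONS = 4096   # iteration count quoted in the message above
KEY_BYTES = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_salt(principal):
    """RFC 4120 default salt: realm followed by the name components."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def pbkdf2_stage(password, principal, enctype):
    """PBKDF2 stage of the AES string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               default_salt(principal),
                               ITERATIONS, KEY_BYTES[enctype])


def hmac_rounds(enctypes):
    """Chained HMAC-SHA1 rounds per principal for this enctype list.

    A 32-byte key spans two 20-byte PBKDF2 blocks, so aes256 costs twice
    the rounds of aes128.
    """
    return sum(math.ceil(KEY_BYTES[e] / SHA1_LEN) * ITERATIONS
               for e in enctypes)


def principals_per_second(enctypes, samples=20):
    """Single-core upper bound on addprinc rate from KDF cost alone."""
    start = time.perf_counter()
    for i in range(samples):
        for e in enctypes:
            # constructed sample password and principal
            pbkdf2_stage("constructed-pw-%d" % i, "user%d@EXAMPLE.COM" % i, e)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    both = list(KEY_BYTES)
    for label, ets in (("both AES enctypes", both),
                       ("aes256 only", both[1:]),
                       ("aes128 only", both[:1])):
        print("%-18s %6d HMAC rounds  ~%.0f principals/s"
              % (label, hmac_rounds(ets), principals_per_second(ets)))
```
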


