rough estimate of kadmin addprinc performance?
Chris Hecker
checker at d6.com
Tue Aug 14 15:58:12 EDT 2012
> The expensive part of this is probably AES string-to-key, which is
> intentionally slow (4096 iterations of SHA-1). You should be able to
> make it go about twice as fast by changing supported_enctypes (in
> the kdc.conf libdefaults section) to include only one of the two AES
> enctypes.
I already only have one enctype allowed on this KDC:
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96
I just tested creation with randkey for the sake of completeness (I need
the passwords), and yeah, it looks like this:
CPU
11% slapd
4% kadmind
but, slapd is 97% DSK, so I guess it's the fsync's. It's basically the
same speed (10 ank/sec), which makes sense, since the previous test with
passwords wasn't 100% on the CPU, so it was disk bound as well on ldap.
Deletes are also 10/sec.
Chris
On 2012/08/14 09:00, Greg Hudson wrote:
> On 08/14/2012 04:53 AM, Chris Hecker wrote:
>> Does this performance sound right for this level of machine? Would it
>> be much faster using libkadm5 in c? Should I be getting hundreds of
>> anks/sec or something?
>
> The expensive part of this is probably AES string-to-key, which is
> intentionally slow (4096 iterations of SHA-1). You should be able to
> make it go about twice as fast by changing supported_enctypes (in the
> kdc.conf libdefaults section) to include only one of the two AES enctypes.
>
> You could also try to use more CPU cores by using multiple simultaneous
> kadmin.local processes, but they might trip over each other trying to
> lock the DB (because our DB2 locking isn't very good).
>
> If you aren't actually trying to set these to valid passwords, you could
> use addprinc -randkey which should be much faster (in that it does no
> string-to-key operations). But based on your code snippet, it sounds
> like you do want the principals to have valid initial passwords, in
> which case the string-to-key operations are unavoidable.
>
>
More information about the Kerberos
mailing list