Rate limiting Kerberos Requests
Nico Williams
nico at cryptonector.com
Thu Sep 27 11:38:11 EDT 2012
On Thu, Sep 27, 2012 at 10:17 AM, Jack Neely <jjneely at ncsu.edu> wrote:
> This definitely seems to explain the lag in responses I've noticed
> during a kprop operation. Usually I get a response in under a second,
> but if I hit my KDC during when its receiving a kprop it can be 4 or 5
> seconds.
Perfect. It's very likely this then.
BTW, you can look in your logs for a message from krb5kdc that says
"Database is locked or in use--try again later".
> The above incident is a single misbehaving client suddenly doing about
> 600 requests / minute for around 30 minutes. During this window no one
> else could get a KDC response before the client timed out.
The client is not misbehaving. The KDC is. The problem is on the KDC side.
Nico
--
More information about the Kerberos
mailing list