krb5/ldap troubles

Berthold Cogel cogel at uni-koeln.de
Thu Jun 13 09:28:04 EDT 2013


Hello!

I have some problems with a krb5/ldap setup and I'm still trying to
understand what I'm dealing with.

System: RHEL5
Kerberos: 1.6.1-70.el5 (MIT/RHEL)
LDAP: openldap-ltb-2.4.28-1.el5

Kerberos is talking to the local LDAP via LDAPI.


Now we've migrated our users from our old identity management
system to a new system and pushed the accounts into
Kerberos (kadmin is called remotely from the IDM). Now I've run into some
problems:

- kadmind slowed down during the process. Starting with an almost empty
database I was able to do about 3 'addprinc' jobs per second. And I
ended up with about 8 seconds per principal after about 68000 users.

- The host is a virtual host. I started with 2 cores and upgraded the
system to 4 cores during the process with almost no effect. Load is not
very high, but about 50% of it is system time...

These problems only hit me during the initial setup, but...

- When kadmind is being called, we see about 80000 to 100000 context
switches (cs, vmstat 1) per second (no kadmin action: about 100 - 1000 cs).

- Password changes are slow too (8 seconds).

- A simple kinit causes a 140000 cs spike for the password prompt and another
130000 cs spike for the authentication. This is a lot...

- ldapsearch for the complete tree takes about 15 seconds (about 250000
cs for the request)

- ldapsearch for one principal ... almost no impact

This doesn't look like an LDAP problem to me. But there is an old system
(VM, 2 cores, RHEL3, MIT-Krb 1.4.3, no LDAP backend) that doesn't show
these effects.

This is what I have in the kdc.conf:

# kdc.conf as quoted in the post. Reviewer comments added; the settings
# themselves are unchanged.
[kdcdefaults]
# Port 750 is the legacy Kerberos v4 port and v4_mode keeps v4 compatibility
# switched on; 'nopreauth' relaxes the preauthentication checks for v4
# requests (per the kdc.conf documentation -- confirm for 1.6.1). Worth
# checking whether any v4 clients still exist before keeping either.
 kdc_ports = 750,88
 kdc_tcp_ports = 88
 v4_mode = nopreauth

[realms]
  RRZ.UNI-KOELN.DE = {
    # With database_module pointing at the LDAP module below, database_name
    # should be unused (confirm); key_stash_file still holds the master key.
    database_name = /var/kerberos/krb5kdc/principal
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    key_stash_file = /var/security/kerberos/.k5.RRZ.UNI-KOELN.DE
    # The KDC caps tickets at 10h, so the 30-day ticket_lifetime requested in
    # krb5.conf is clamped here; renewal is capped at 7 days as well.
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = aes256-cts
    # The next two values appear wrapped onto a second line in the post; in
    # the real file each must be one line, or the profile parser sees a
    # key-less relation.
    # supported_enctypes is the default key/salt list for newly created
    # principals, so every migrated principal also receives single-DES keys
    # (des-cbc-crc, des:afs3). DES is weak crypto and is only usable because
    # krb5.conf sets allow_weak_crypto=true.
    supported_enctypes = aes256-cts-hmac-sha1-96:normal
des-cbc-crc:normal des:afs3
    # NOTE(review): supported_keytypes does not look like a kdc.conf
    # parameter (supported_enctypes is) -- probably a leftover; confirm.
    supported_keytypes = aes256-cts-hmac-sha1-96:normal
des-cbc-crc:normal des:afs3
    # New principals require preauthentication.
    default_principal_flags = +preauth
    database_module = openldap_ldapconf
  }


[logging]
	admin_server = SYSLOG:INFO:LOCAL0
	kdc = SYSLOG:INFO:LOCAL0

[dbdefaults]
    ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"

[dbmodules]
  openldap_ldapconf = {
    db_library = kldap
    # Also given in [dbdefaults] above; harmless duplication.
    ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
    # Separate bind identities for the KDC (read) and kadmind (write).
    ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
    ldap_kadmind_dn = "cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de"
    # Holds the bind passwords for both DNs above -- keep it readable by the
    # KDC/kadmind user only.
    ldap_service_password_file = "/var/kerberos/krb5kdc/service.keyfile"
    # Local UNIX socket; slapd.conf's localSSF 256 is what lets these
    # sessions satisfy the 'security' minimums there.
    ldap_servers = "ldapi://%2Fvar%2Frun%2Fldapi"
    # Connection pool size per server. slapd.conf closes idle connections
    # after 20 s (idletimeout), so pooled connections that sit idle longer
    # must be re-opened and re-bound. NOTE(review): this may contribute to the
    # per-operation overhead described in the post -- confirm in slapd logs.
    ldap_cons_per_server = 10
  }


krb5.conf...

# krb5.conf as quoted in the post. Reviewer comments added; the settings
# themselves are unchanged.
[libdefaults]
  default_realm = RRZ.UNI-KOELN.DE

  # these numbers are in seconds:
  # 2592000 is 30 days (the maximum AFS token lifetime)
  #
  # These are only what clients ask for; kdc.conf caps tickets at
  # max_life = 10h and renewal at max_renewable_life = 7d, so 30 days is
  # never actually granted. A 30-day lifetime combined with forwardable and
  # renewable tickets would also widen the window in which a stolen
  # credential stays usable.
  ticket_lifetime = 2592000
  default_lifetime = 2592000
  renew_lifetime = 2592000

  # Do not adjust for clock skew against the KDC.
  kdc_timesync = 0

  forwardable = true
  renewable = true
  # Enables the single-DES enctypes listed in kdc.conf's supported_enctypes.
  # Formatting differs from the other keys (no spaces around '='); harmless,
  # but inconsistent.
  allow_weak_crypto=true


[realms]
  RRZ.UNI-KOELN.DE = {
    # Hostnames redacted in the post (<a>, <b>, <c>). Order matters: clients
    # try the KDCs in the order listed.
    kdc = <a>.rrz.uni-koeln.de:88
    kdc = <b>.rrz.uni-koeln.de:88
    kdc = <c>.rrz.uni-koeln.de:88
    admin_server = <a>.rrz.uni-koeln.de:749
    default_domain = rrz.uni-koeln.de
  }

[domain_realm]
  .rrz.uni-koeln.de = RRZ.UNI-KOELN.DE
  .uni-koeln.de = RRZ.UNI-KOELN.DE

# Same destinations as in kdc.conf's [logging] section.
[logging]
  admin_server = SYSLOG:INFO:LOCAL0
  kdc = SYSLOG:INFO:LOCAL0



slapd.conf...

# slapd.conf as quoted in the post. Reviewer comments added; the directives
# themselves are unchanged (slapd.conf is positional, so order is kept).
include		/etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/eduperson.schema
include         /etc/openldap/schema/dfneduperson.schema
include         /etc/openldap/schema/schac.schema
include         /etc/openldap/schema/edumember.schema
include         /etc/openldap/schema/UniColognePerson.schema
# Schema for the krb5 LDAP backend (krbPrincipalName, krbPrincipalKey, ...).
include         /etc/openldap/schema/kerberos.schema

pidfile		/usr/local/openldap/var/run/slapd.pid
argsfile	/usr/local/openldap/var/run/slapd.args

modulepath	/usr/local/openldap/libexec/openldap

# TLS definitions
# Certificate and key paths redacted in the post.
TLSCertificateFile xxxxxx
TLSCertificateKeyFile xxxxxx
TLSCACertificatePath /etc/pki/tls/certs

# Minimum security strength factors: any operation needs ssf 64, updates 112,
# simple binds 64. The KDC connects over ldapi, which only meets these
# because localSSF below assigns ldapi sessions an SSF of 256.
security ssf=64 update_ssf=112 simple_bind=64

localSSF 256

# ACLs live in the included file and are not visible here; they decide who
# may read krbPrincipalKey and who may enumerate the tree.
include         /etc/openldap/acl.inc

# No cap on search results; the full-tree ldapsearch reported in the post
# (about 15 s) is a whole-directory read that this setting permits to anyone
# the ACLs allow.
sizelimit unlimited

# Seconds before an idle client connection is closed. kdc.conf keeps a pool
# of 10 connections to this server; pooled connections idle for more than
# 20 s are dropped and have to be re-opened and re-bound.
# NOTE(review): this may account for part of the per-operation overhead
# described in the post -- confirm in slapd logs.
idletimeout 20

# No logging at all; 'stats' would show per-operation timing while
# diagnosing the slowdown.
loglevel none

database	hdb
suffix		"dc=uni-koeln,dc=de"
# The closing quote is missing here -- presumably lost while redacting.
rootdn		"cn=xxxxx

# Redacted. Whatever the real value, rootpw should be stored as a hash
# (slappasswd output) rather than the cleartext password.
rootpw         xxxxxx

# Entry and ID-list cache sizes; the tree holds 68000+ principals after the
# migration.
cachesize 100000

idlcachesize 300000

# BDB checkpoint every 4096 KB of transaction log or 10 minutes.
checkpoint 4096 10

directory	/var/lib/ldap

index mail eq
index cn eq,sub
index sn eq,sub
index givenname eq,sub
index uid eq
index objectclass eq
index entryCSN eq
index entryUUID eq
index UniCologneMailPolicy eq
index description sub
# 'pres' on krbPrincipalName indexes an attribute present on every principal
# entry, and 'sub' on it costs extra on every write; the KDC/kadmind lookups
# are equality matches. NOTE(review): consider whether pres,sub are needed.
index krbPrincipalName eq,pres,sub
index krbPwdPolicyReference eq

# Replication provider; contextCSN checkpoint every 100 ops or 10 minutes.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# auditlog appends every modification to this file as LDIF, attribute
# values included; for this tree that presumably covers krbPrincipalKey
# values (encrypted under the master key, but still sensitive data).
# /tmp is world-writable and cleared on reboot, so the file is exposed to
# symlink tricks and to local readers, and the audit trail is not durable.
# Move it to a root-owned directory with restrictive permissions (e.g. under
# /var/log/), or drop the overlay if it is not needed -- it also adds a
# file write to every modification.
overlay auditlog
auditlog /tmp/openldapaudit.log

# cn=monitor backend; access is governed by the included ACLs.
database monitor


What causes these huge numbers of context switches, and how can I reduce
them? Help would be appreciated.


Berthold Cogel

