Determining the number of clients per KDC

Andrew Cobaugh andrew.cobaugh at gmail.com
Mon Apr 16 17:50:43 EDT 2018


On Mon, Apr 16, 2018 at 5:41 PM, Russ Allbery <eagle at eyrie.org> wrote:

> Sergei Gerasenko <gerases at gmail.com> writes:
>
> > Will keeping an access log slow me down much, do you know?
>
> Yes, you may want to tune syslog or whatever you're using for your KDC
> logging, although MIT is a lot better than Heimdal in that regard (Heimdal
> is very verbose).  I generally disabled sync to disk on the syslog log
> file that the KDC logging was routed to.
>

Agree with disabling sync logging to local disk. The problem I've run into
is TCP syslog where the remote system can't keep up. Ask me how I know...

Always better to write to local log file asynchronously, then have an agent
(filebeat, splunk) follow that file and forward on, as it will still be
more reliable than any flavor of remote syslog.


>
> > For that matter, is there a benchmarking tool for KDCs?
>
> Not that I'm aware of.  I usually just rolled my own by calling kinit with
> a keytab and then kvno to get service tickets.
>

I wrote this a while back to help track down a TCP syslog bottleneck, which
later turned out to be very useful for isolating other performance issues
and general capacity planning. Also currently using it to demonstrate how
much faster MIT Kerberos is compared to AD, even when not using workers (on
modern-ish CPUs, without workers enabled krb5kdc can do ~4000 rps. I can
share more details if folks are interested).

   https://github.com/acobaugh/krb5perf

It is worth noting that when load testing a single KDC, you pretty much
have to take DNS out of the equation somehow. Initially I was testing the
performance of my local unbound caching nameserver...

-- 
andy
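The roll-your-own benchmark Russ describes (kinit with a keytab, then kvno for a service ticket), with the "take DNS out of the equation" caveat from the post above, as an added example; this is not code from the post or from krb5perf, and KDC_IP, REALM, PRINC, KEYTAB and SERVICE are constructed placeholders for your own test realm.

```shell
#!/bin/sh
# Added example (not from the post or krb5perf): minimal KDC load loop.
# All values below are constructed placeholders; override via environment.
KDC_IP=${KDC_IP:-192.0.2.10}      # placeholder KDC address (TEST-NET-1)
REALM=${REALM:-EXAMPLE.COM}
PRINC=${PRINC:-loadtest@EXAMPLE.COM}
KEYTAB=${KEYTAB:-/tmp/loadtest.keytab}
SERVICE=${SERVICE:-host/kdc.example.com@EXAMPLE.COM}
KINIT=${KINIT:-kinit}
KVNO=${KVNO:-kvno}

# Keep DNS out of the measurement: a private krb5.conf naming the KDC by IP
# with DNS KDC lookup and hostname canonicalization disabled.
write_krb5_conf() {
  cat >"$1" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = false
    dns_canonicalize_hostname = false
[realms]
    $REALM = {
        kdc = $KDC_IP
    }
EOF
}

# One AS exchange (kinit from keytab) then one TGS exchange (kvno).
one_round() {
  "$KINIT" -k -t "$KEYTAB" "$PRINC" >/dev/null 2>&1 &&
    "$KVNO" "$SERVICE" >/dev/null 2>&1
}

# Run N rounds; print "ok fail seconds rounds_per_second" (whole seconds,
# so use a large N for a meaningful rate).
run_rounds() {
  n=$1 ok=0 fail=0 i=0
  start=$(date +%s)
  while [ "$i" -lt "$n" ]; do
    if one_round; then ok=$((ok + 1)); else fail=$((fail + 1)); fi
    i=$((i + 1))
  done
  elapsed=$(( $(date +%s) - start ))
  [ "$elapsed" -gt 0 ] || elapsed=1   # guard division by zero on short runs
  echo "$ok $fail $elapsed $((ok / elapsed))"
}

# Typical use: conf=$(mktemp); write_krb5_conf "$conf"
#   KRB5_CONFIG=$conf KRB5CCNAME=/tmp/cc_$$ run_rounds 10000
```

Run several copies with distinct KRB5CCNAME values to approximate concurrent clients; the per-second figures from each can be summed.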


More information about the Kerberos mailing list