[krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Oct 21 14:43:53 EDT 2014

Before we commit to changing the default or making it configurable, I would
like to know what version of Kerberos is being used on the back end. Prior
to release 1.9, the LDAP KDB module takes O(N^2) time to iterate over N
principals due to a combination of questionable design features. It is
possible that retrieving even a hundred thousand principal names could be
done in less than 120 seconds without this bug.

If we do need to make a change, I would suggest using a very long timeout
or (if possible) disabling the timeout entirely. Since kadmin runs over TCP,
there isn't really a strong need to time out if kadmind takes a long time
to respond.