[krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
Tsu-Phong Wu via RT
rt-comment at krbdev.mit.edu
Tue Feb 3 15:40:05 EST 2015
Hi Greg,
Sorry for taking so long to get back to you.
Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12.
There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements.
I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10.
Below is what I've gathered (with no other activity on LDAP or KDC):
* It takes around 150 seconds to retrieve 54k principals on Solaris 10
* The above 2 improvements on Solaris 10 do not make any obvious difference
* It takes 30 seconds to retrieve 22k principals on Solaris 11
It sounds to me like disabling the RPC timeout is the simple fix, as mentioned in your earlier reply.
Thanks for looking into this again.
Tsu-Phong
BTW, below is the diff for Solaris 10:
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
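Review bot: The translation of the KDB error into the kadm5 one on the two new middle lines carries no comment, so a reader of svr_policy.c alone cannot tell that the reference check now lives in the KDB back end. I would add above it `/* The KDB module refuses to delete a policy that principals still reference; map its error to the kadm5 code clients expect. */`. If KADM5_OK is 0, as its use here suggests, the last line can simply be `return ret;`. The enclosing function starts and ends outside the hunk, and the same hunk is pasted twice more further down this message.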
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt))
!= 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when
> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
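Review bot: With `pol_entry->policy_refcnt = 0;` every policy read through this path reports zero references, so any caller that still treats `policy_refcnt == 0` as "safe to delete", or shows the count to an administrator, will be misled; whether such callers remain cannot be seen from this hunk. The new comment should say so explicitly, for example with an extra line ` * policy_refcnt is therefore always 0 here and must not be used as a deletion guard.` The enclosing function is outside the hunk, and the same hunk appears again in the second copy of the diff further down.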
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
:q
[tsuwu]scapen-cbe10-0:/scratch/tsuwu/147147-26_kdb{277} % cat pdiffs
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when
> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
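Review bot: The reference check added here and the delete that presumably follows it are two separate LDAP operations, so a principal that is given this policy in between (the patch itself notes that principals may be maintained outside kadmin) would be left pointing at a deleted policy. That window probably cannot be closed from this code, but it deserves a comment such as `/* Best effort: a reference added after this check is not detected. */`. `refcount` is read only when `st == 0`, which is correct provided krb5_ldap_get_reference_count always stores a value on success. The rest of the function, including the cleanup label, is outside the hunk.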
------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------
Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
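Review bot: `KRB5_KDB_POLICY_REF` is added here as a bare numeric literal, and nothing in this diff adds a matching message string, so error_message() may return a generic unknown-code text for it unless the kdb5 error table is updated elsewhere. The value should also be checked against the upstream kdb5 error table so that both code bases agree on the number. A short comment next to the define, e.g. `/* Policy is in use; keep in sync with the kdb5 error table */`, would record that dependency.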
----- Original Message -----
From: rt-comment at krbdev.mit.edu
Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific
Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
The bug numbers for the two performance issues are #6799 and #7535. #6799
is the most important of the two, and should be easy to backport.
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799
https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b148
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535
https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77a