[krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
Tsu-Phong Wu via RT
rt-comment at krbdev.mit.edu
Mon Feb 23 16:01:35 EST 2015
Hi Greg,
Have you had a chance to look further into this RPC timeout issue for kadmin retrieving lots of principals from the LDAP backend?
Thanks.
Tsu-Phong
----- Original Message -----
From: rt-comment at krbdev.mit.edu
Sent: Tuesday, February 3, 2015 12:40:45 PM GMT -08:00 US/Canada Pacific
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
Hi Greg,
Sorry for taking so long to get back to you.
Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12.
There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements.
I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10.
Below is what I've gathered (with no other activity on LDAP or KDC):
* It takes around 150 seconds to retrieve 54k principals on Solaris 10
* The above 2 improvements on Solaris 10 do not make any obvious difference
* It takes 30 seconds to retrieve 22k principals on Solaris 11
It sounds to me like disabling the RPC timeout is a simple fix, as mentioned in your earlier reply.
Thanks for looking into this again.
Tsu-Phong
BTW, below is the diff for Solaris 10:
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt))
!= 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
:q
[tsuwu]scapen-cbe10-0:/scratch/tsuwu/147147-26_kdb{277} % cat pdiffs
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
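Review bot: The last added line, `return (ret == 0) ? KADM5_OK : ret;`, is redundant because KADM5_OK is 0, so `return ret;` is equivalent and easier to read. KRB5_KDB_POLICY_REF is the only KDB code translated here; a one-line comment saying that the reference check now happens in the backend at delete time would explain why this single code is special-cased.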
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
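Review bot: Deleting this block removes the per-principal krb5_ldap_get_password_policy lookup from the principal load path, but it also removes the only place in this diff where entry->pw_expiration is capped at last_pw_changed + pw_max_life, and nothing replaces it. The change description should say where the policy's pw_max_life is enforced after this change, so that password expiry is not silently relaxed for principals whose stored pw_expiration is later than the policy allows.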
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
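Review bot: With `pol_entry->policy_refcnt = 0;` every caller that reads policy_refcnt from a fetched policy now sees zero no matter how many principals reference it, so any caller that still tests the field before deleting, or displays it, becomes misleading. The new comment states the intent; it should also say that the field is no longer meaningful for LDAP-backed policies, and the callers that read it should be audited as part of this change.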
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
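Review bot: `refcount` is declared without an initializer in the 334c334 hunk and is read here in `if (st == 0 && refcount != 0)`, which is safe only if krb5_ldap_get_reference_count always writes it on success; initialize it at the declaration (to a nonzero value if the delete should fail closed) so the test never reads an indeterminate value. The count and the delete that follows are also separate LDAP operations, so a principal assigned the policy between them is not caught; a comment acknowledging that window would be appropriate.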
------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------
Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
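Review bot: KRB5_KDB_POLICY_REF is added as a bare numeric `#define` in krb5.h, and the diff shows no matching entry in an error message table, so the code may print as an unknown error on any path that returns it without mapping it to KADM5_POLICY_REF. Please confirm the value does not collide with an existing KRB5_KDB_* code in this tree and add the message string alongside it.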
----- Original Message -----
From: rt-comment at krbdev.mit.edu
Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific
Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
The bug numbers for the two performance issues are #6799 and #7535. #6799
is the most important of the two, and should be easy to backport.
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799
https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b148
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535
https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77a
_______________________________________________
krb5-bugs mailing list
krb5-bugs at mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs