KDC query client performance

Simo Sorce ssorce at redhat.com
Mon Feb 14 20:20:16 EST 2011

On Mon, 14 Feb 2011 19:34:51 -0500
Sam Hartman <hartmans at mit.edu> wrote:

> >>>>> "Simo" == Simo Sorce <ssorce at redhat.com> writes:
>     Simo> On Mon, 14 Feb 2011 18:35:14 +0000
>     Simo> "Roland C. Dowdeswell" <elric at imrryr.org> wrote:
> > Also, it might be a better idea in the longer term to write a little
>     >> daemon that runs as root, listens on a UNIX domain socket and
>     >> accepts requests from the krb5 libs to have conversations with
>     >> various KDCs.  The advantage of this would be that this daemon
>     >> could keep track of which KDCs are up and perhaps even keep
>     >> track of which ones answer the quickest (and are therefore
>     >> likely the closest), etc.
>     Simo> You can do this separately by creating a locator plugin.
>     Simo> That's what we do with the SSSD project at least, so that
>     Simo> the sssd daemon does the discovery and just tells the krb5
>     Simo> libs what is the ip address to use for the KDC.
> Yes, but I think that this is important enough to Kerberos performance
> that someone should really do this separately from SSSD.  If you're
> going to use SSSD, or some full infrastructure, you'll use their KDC
> locator.  However, you really want this service.  All the time. Even
> if you just want a Kerberos client.

Then it may be best to define a socket based communication protocol so
that only one daemon at a time can do it (consistency) and others can
provide the service w/o having plugins piling up on another.


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list