Fwd: [Bug 1179820] New: Kerberos KDC connection limit too low

Roland Mainz rmainz at redhat.com
Fri Jan 16 16:57:41 EST 2015 

Hi!

----

Does anyone know which limit the reporter in the bug report below may be referring to ?

AFAIK we have the following default limits in krb5kdc when running on Linux:
- 1 process (by default)
- max. 45 connections ([1]) as defined via |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c (per process, right ?)
- 1024 sockets/files max. as defined via Linux default resource limit for file descriptors (see $ ulimit -n #)
- [optionally] a fd limit imposed when |select()| is used, see |FD_SETSIZE|. Other event processing methods may have other limits
- <... did I miss any limits ? ...>

[1]=The 45 connection limits defined per |max_tcp_or_rpc_data_connections| in ./krb5/src/lib/apputils/net-server.c may be (theory!) a result of the old 64 fd resource limit for user processes in UNIX SystemV+BSD4.3 (which still exists in modern Solaris/Illumos and maybe *BSD, too) ... guessing... maybe 45 was picked so there are at least 19 fds available for other purposes like config files and plugins.

If the "45 connections limit" is the issue... would a patch be acceptable which adds code to query the resource limit for file descriptors ($ ulimit -n #) and then do a |max_tcp_or_rpc_data_connections=MAX(result/2, 45)| ?

----

Bye,
Roland

----- Forwarded Message -----
> From: bugzilla at redhat.com
> To: kerberos-dev-list at redhat.com
> Sent: Wednesday, January 7, 2015 4:39:27 PM
> Subject: [Bug 1179820] New: Kerberos KDC connection limit too low
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1179820
> 
>             Bug ID: 1179820
>            Summary: Kerberos KDC connection limit too low
[snip]
>          Component: krb5
[snip]
> 
> Description of problem:
> 
> The Kerberos KDC has a low, hard-coded limit on concurrent tcp connections.
> This results in large numbers of INFO level log entries about dropped
> connections when many clients are trying to contact the KDC. It could lead to
> additional problems with more clients.
> 
> My current scenario is not one that should be followed in real life, but
> similar situations could occur with larger numbers of clients that are not
> misconfigured. I anticipate regularly having many hundreds, potentially
> thousands, of connected clients booting nearly simultaneously within the
> year.
> 
[snip]
> 
> How reproducible:
> Always
> 
> Steps to Reproduce:
> 1. Configure 62 clients to use a KDC
> 2. Prevent replies from the KDC from reaching the clients
> 3. observe KDC logs as clients attempt to contact KDC
> 
> Actual results:
> 
> Logs fill up with dropped connection messages.
> 
> Expected results:
> 
> affected clients fail to authenticate, but do not exhaust all available open
> connections before they time out.
> 
[snip]

-- 
  __ .  . __
 (o.\ \/ /.o) rmainz at redhat.com
  \__\/\/__/  IPA/Kerberos5 team
  /O /==\ O\  
 (;O/ \/ \O;)

More information about the krbdev mailing list