Fwd: [Bug 1179820] New: Kerberos KDC connection limit too low

Greg Hudson ghudson at mit.edu
Sun Jan 18 12:39:15 EST 2015

On 01/16/2015 04:57 PM, Roland Mainz wrote:
> Does anyone know which limit the reporter in the bug report below may be referring to ?

Most likely the 45-connection limit in net-server.c.

> If the "45 connections limit" is the issue... would a patch be acceptable which adds code to query the resource limit for file descriptors ($ ulimit -n #) and then do a |max_tcp_or_rpc_data_connections=MAX(result/2, 45)| ?

I don't think the limit is there primarily to prevent fd exhaustion; it
also serves to limit user-space and kernel memory usage.  A limit of 45
seems pretty low for any modern host, though.

I believe we would take a patch to make the limit configurable, and to
make the default somewhat higher than it is today.  Configurable tuning
parameters aren't great, but I don't see any way to automatically choose
a limit in a way which approximates the highest load capacity while
preventing DOS attacks which disable the KDC through memory exhaustion.

More information about the krbdev mailing list