Hi Greg, Sorry for taking so long to get back to you. Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12. There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements. I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10. Below is what I've gathered (with no other activity on LDAP or KDC): * It takes around 150 seconds to retrieve 54k principals on Solaris 10 * The above 2 improvements on Solaris 10 do not make any obvious difference * It takes 30 seconds to retrieve 22k principals on Solaris 11 Sounds to me disabling the RPC timeout is a simple fix as mentioned in your earlier reply. Thanks for looking into this again. Tsu-Phong BTW, below is the diff for Solaris 10:
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container.
*/
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when
> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
:q [tsuwu]scapen-cbe10-0:/scratch/tsuwu/147147-26_kdb{277} % cat pdiffs
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container.
*/
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when
> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------
Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
----- Original Message ----- From: rt-comment@krbdev.mit.edu Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command The bug numbers for the two performance issues are #6799 and #7535. #6799 is the most important of the two, and should be easy to backport. http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799 https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b14 8 http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535 https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77 a _______________________________________________ krb5-bugs mailing list krb5-bugs@mit.edu https://mailman.mit.edu/mailman/listinfo/krb5-bugs
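Review bot: In the `205,209c204,209` hunk of ldap_pwd_policy.c, `pol_entry->policy_refcnt = 0;` makes every LDAP policy look unreferenced to whatever reads that field, and the new comment does not say so. Any caller that still gates on `policy_refcnt != 0` or displays the count (none is visible in this diff, so this needs confirming) now gets a constant, which leaves the delete-time lookup added at `354a355,361` as the only protection against removing a policy that principals still use. I would extend the comment with `* policy_refcnt is therefore always 0 for LDAP and means "not tracked", not "unreferenced".` The enclosing function starts and ends outside the hunk, so whether `pol_dn` is still used after this change cannot be seen here.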
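Review bot: The reference check added at `354a355,361` and the policy delete that follows it (outside the hunk) are separate LDAP operations, so the check is not atomic with the delete. The comment added in the `205,209c204,209` hunk says principals may be maintained outside kadmin; such a writer can attach `krbPwdPolicyReference` to this policy after the count returns 0 and before the entry is removed, leaving a principal that points at a deleted policy. That window probably cannot be closed from this function, but it should be stated in a comment above the call, e.g. `/* Best effort: a reference added between this count and the delete is not detected. */`, and the behaviour of principal lookup with a dangling reference confirmed. Separately, `refcount` is declared without an initialiser in the `334c334` hunk and is only safe if krb5_ldap_get_reference_count() always stores to it when it returns 0; `int mask = 0, refcount = 0;` removes that dependency.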
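Review bot: `KRB5_KDB_POLICY_REF` is introduced at `3038a3039` in krb5.h as a bare numeric constant with no comment, and nothing in this diff adds message text for it. Only the delete path in svr_policy.c translates it to `KADM5_POLICY_REF`; if any other caller of the LDAP delete routine returns it unmapped, the operator would presumably see an unknown error code instead of a reason. I would add `/* Policy is still referenced by principals; deletion refused */` above the define and confirm that the value matches the kdb5 error table used by this tree.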