Return-Path: Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by krbdev.mit.edu (Postfix) with ESMTPS id D01783F848 for ; Tue, 3 Feb 2015 15:40:04 -0500 (EST) Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t13Ke3xx022934 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Tue, 3 Feb 2015 20:40:04 GMT Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id t13Ke2d3000264 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Tue, 3 Feb 2015 20:40:03 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id t13Ke2xg015633 for ; Tue, 3 Feb 2015 20:40:02 GMT MIME-Version: 1.0 Message-ID: <29847ce5-98f2-401c-94fc-16c806f5ab06@default> Date: Tue, 3 Feb 2015 12:40:02 -0800 (PST) From: Tsu-Phong Wu To: CC: Tsu-phong Wu Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command X-Mailer: Zimbra on Oracle Beehive Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Source-Ip: ucsinet22.oracle.com [156.151.31.94] RT-Send-Cc: Content-Length: 9538 Hi Greg, Sorry for taking so long to get back to you. Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12. There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements. I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10. 
Below is what I've gathered (with no other activity on LDAP or KDC): * It takes around 150 seconds to retrieve 54k principals on Solaris 10 * The above 2 improvements on Solaris 10 do not make any obvious difference * It takes 30 seconds to retrieve 22k principals on Solaris 11 Sounds to me disabling the RPC timeout is a simple fix as mentioned in your earlier reply. Thanks for looking into this again. Tsu-Phong BTW, below is the diff for Solaris 10: ------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 1c1 < #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI" --- > #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI" 32c32 < * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 2216,2241d2215 < /* We already know that the policy is inside the realm container. 
*/ < if (polname) { < osa_policy_ent_t pwdpol; < int cnt=0; < krb5_timestamp last_pw_changed; < krb5_ui_4 pw_max_life; < < memset(&pwdpol, 0, sizeof(pwdpol)); < < if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) < goto cleanup; < pw_max_life = pwdpol->pw_max_life; < /* Solaris Kerberos: fix memory leak */ < krb5_ldap_free_password_policy(context, pwdpol); < < if (pw_max_life > 0) { < if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) < goto cleanup; < < if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { < if ((last_pw_changed + pw_max_life) < entry->pw_expiration) < entry->pw_expiration = last_pw_changed + pw_max_life; < } else < entry->pw_expiration = last_pw_changed + pw_max_life; < } < } ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 1c1 < #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI" --- > #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI" 33,34c33 < * Copyright 2007 Sun Microsystems, Inc. All rights reserved. < * Use is subject to license terms. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 205,209c204,209 < /* Get the reference count */ < pol_dn = ldap_get_dn(ld, ent); < st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", < (int *)&(pol_entry->policy_refcnt), ld); < ldap_memfree(pol_dn); --- > /* > * We don't store the policy refcnt, because principals might be maintained > * outside of kadmin. Instead, we will check for principal references when> * policies are deleted. 
> */ > pol_entry->policy_refcnt = 0; 334c334 < int mask = 0; --- > int mask = 0, refcount; 354a355,361 ------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; :q [tsuwu]scapen-cbe10-0:/scratch/tsuwu/147147-26_kdb{277} % cat pdiffs ------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 1c1 < #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI" --- > #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI" 32c32 < * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 2216,2241d2215 < /* We already know that the policy is inside the realm container. 
*/ < if (polname) { < osa_policy_ent_t pwdpol; < int cnt=0; < krb5_timestamp last_pw_changed; < krb5_ui_4 pw_max_life; < < memset(&pwdpol, 0, sizeof(pwdpol)); < < if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) < goto cleanup; < pw_max_life = pwdpol->pw_max_life; < /* Solaris Kerberos: fix memory leak */ < krb5_ldap_free_password_policy(context, pwdpol); < < if (pw_max_life > 0) { < if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) < goto cleanup; < < if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { < if ((last_pw_changed + pw_max_life) < entry->pw_expiration) < entry->pw_expiration = last_pw_changed + pw_max_life; < } else < entry->pw_expiration = last_pw_changed + pw_max_life; < } < } ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 1c1 < #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI" --- > #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI" 33,34c33 < * Copyright 2007 Sun Microsystems, Inc. All rights reserved. < * Use is subject to license terms. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 205,209c204,209 < /* Get the reference count */ < pol_dn = ldap_get_dn(ld, ent); < st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", < (int *)&(pol_entry->policy_refcnt), ld); < ldap_memfree(pol_dn); --- > /* > * We don't store the policy refcnt, because principals might be maintained > * outside of kadmin. Instead, we will check for principal references when> * policies are deleted. 
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------
Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
----- Original Message ----- From: rt-comment@krbdev.mit.edu Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command The bug numbers for the two performance issues are #6799 and #7535. #6799 is the most important of the two, and should be easy to backport. http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799 https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b14 8 http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535 https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77 a _______________________________________________ krb5-bugs mailing list krb5-bugs@mit.edu https://mailman.mit.edu/mailman/listinfo/krb5-bugs
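Review bot: Forcing `pol_entry->policy_refcnt = 0` in the 205,209c204,209 hunk of ldap_pwd_policy.c means every reader of this field now sees an unreferenced policy, so the new comment should state that the value is a placeholder rather than a count, for example `/* policy_refcnt is not maintained by the LDAP back end: always 0, never use it to decide whether a policy is in use. */`. The removed lines assigned `st` from krb5_ldap_get_reference_count, and any error check that followed them lies outside the hunk; if one remains it now tests an older `st`, and `pol_dn` may be left as an unused local. The enclosing function starts and ends outside the hunk, so both points need confirming against the full file.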
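Review bot: `refcount` is declared without an initialiser in `int mask = 0, refcount;` and is read whenever krb5_ldap_get_reference_count returns 0, so the new guard in the 354a355,361 hunk depends on that helper always storing a value on success. Initialising it so that an unset count blocks the delete, `int mask = 0, refcount = -1;`, keeps the check fail-closed. The count and the later delete are separate LDAP operations, and the comment added in the 205,209 hunk says principals can be maintained outside kadmin, so a reference added between the two steps would presumably leave a principal pointing at a deleted policy; a comment such as `/* Best-effort check: not atomic with the delete below. */` would record that limit. The computation of `policy_dn` and the delete call itself are outside the hunk.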
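Review bot: `#define KRB5_KDB_POLICY_REF (-1780008408L)` in krb5.h adds the error code by hand, and no hunk in this patch adds a matching message string, so a caller that prints the raw value may get an unknown-code text. The svr_policy.c hunk hides this for kadmin by mapping the code to KADM5_POLICY_REF, but any other caller of krb5_db_delete_policy would see it unmapped. A comment on the define, for example `/* Policy is still referenced by principals; value must match the kdb5 error table. */`, would tell maintainers where the number comes from. Whether this tree generates its message table elsewhere cannot be told from the diff.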