From: Tsu-Phong Wu
Date: Mon, 23 Feb 2015 13:01:32 -0800 (PST)
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

Hi Greg,

Have you had a chance to look further into this RPC timeout issue for kadmin to retrieve lots of principals from the LDAP backend?

Thanks.
Tsu-Phong

----- Original Message -----
From: rt-comment@krbdev.mit.edu
Sent: Tuesday, February 3, 2015 12:40:45 PM GMT -08:00 US/Canada Pacific
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

Hi Greg,

Sorry for taking so long to get back to you. Oracle is currently running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12. There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements.
I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10.

Below is what I've gathered (with no other activity on LDAP or KDC):

* It takes around 150 seconds to retrieve 54k principals on Solaris 10
* The above 2 improvements on Solaris 10 do not make any obvious difference
* It takes 30 seconds to retrieve 22k principals on Solaris 11

Sounds to me like disabling the RPC timeout is a simple fix, as mentioned in your earlier reply.

Thanks for looking into this again.
Tsu-Phong

BTW, below is the diff for Solaris 10:

------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 1c1 < #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI" --- > #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI" 32c32 < * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 2216,2241d2215 < /* We already know that the policy is inside the realm container.
*/ < if (polname) { < osa_policy_ent_t pwdpol; < int cnt=0; < krb5_timestamp last_pw_changed; < krb5_ui_4 pw_max_life; < < memset(&pwdpol, 0, sizeof(pwdpol)); < < if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) < goto cleanup; < pw_max_life = pwdpol->pw_max_life; < /* Solaris Kerberos: fix memory leak */ < krb5_ldap_free_password_policy(context, pwdpol); < < if (pw_max_life > 0) { < if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) < goto cleanup; < < if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { < if ((last_pw_changed + pw_max_life) < entry->pw_expiration) < entry->pw_expiration = last_pw_changed + pw_max_life; < } else < entry->pw_expiration = last_pw_changed + pw_max_life; < } < } ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 1c1 < #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI" --- > #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI" 33,34c33 < * Copyright 2007 Sun Microsystems, Inc. All rights reserved. < * Use is subject to license terms. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 205,209c204,209 < /* Get the reference count */ < pol_dn = ldap_get_dn(ld, ent); < st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", < (int *)&(pol_entry->policy_refcnt), ld); < ldap_memfree(pol_dn); --- > /* > * We don't store the policy refcnt, because principals might be maintained > * outside of kadmin. Instead, we will check for principal references when> * policies are deleted. 
> */ > pol_entry->policy_refcnt = 0; 334c334 < int mask = 0; --- > int mask = 0, refcount; 354a355,361 ------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; :q [tsuwu]scapen-cbe10-0:/scratch/tsuwu/147147-26_kdb{277} % cat pdiffs ------- usr/src/lib/krb5/kadm5/srv/svr_policy.c ------- Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c 1c1 < #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI" --- > #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI" 25a26,28 > /* > * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. > */ 195,198c198,201 < if ((ret = krb5_db_delete_policy(handle->context, name))) < return ret; < else < return KADM5_OK; --- > ret = krb5_db_delete_policy(handle->context, name); > if (ret == KRB5_KDB_POLICY_REF) > ret = KADM5_POLICY_REF; > return (ret == 0) ? KADM5_OK : ret; ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 1c1 < #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI" --- > #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI" 32c32 < * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 2216,2241d2215 < /* We already know that the policy is inside the realm container. 
*/ < if (polname) { < osa_policy_ent_t pwdpol; < int cnt=0; < krb5_timestamp last_pw_changed; < krb5_ui_4 pw_max_life; < < memset(&pwdpol, 0, sizeof(pwdpol)); < < if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0) < goto cleanup; < pw_max_life = pwdpol->pw_max_life; < /* Solaris Kerberos: fix memory leak */ < krb5_ldap_free_password_policy(context, pwdpol); < < if (pw_max_life > 0) { < if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0) < goto cleanup; < < if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) { < if ((last_pw_changed + pw_max_life) < entry->pw_expiration) < entry->pw_expiration = last_pw_changed + pw_max_life; < } else < entry->pw_expiration = last_pw_changed + pw_max_life; < } < } ------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c ------- Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c 1c1 < #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI" --- > #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI" 33,34c33 < * Copyright 2007 Sun Microsystems, Inc. All rights reserved. < * Use is subject to license terms. --- > * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved. 205,209c204,209 < /* Get the reference count */ < pol_dn = ldap_get_dn(ld, ent); < st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference", < (int *)&(pol_entry->policy_refcnt), ld); < ldap_memfree(pol_dn); --- > /* > * We don't store the policy refcnt, because principals might be maintained > * outside of kadmin. Instead, we will check for principal references when> * policies are deleted. 
> */ > pol_entry->policy_refcnt = 0; 334c334 < int mask = 0; --- > int mask = 0, refcount; 354a355,361 > > st = krb5_ldap_get_reference_count(context, policy_dn, > "krbPwdPolicyReference", &refcount, ld); > if (st == 0 && refcount != 0) > st = KRB5_KDB_POLICY_REF; > if (st != 0) > goto cleanup; ------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h ------- Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h 2c2 < * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved. --- > * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved. 10c10 < #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI" --- > #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI" 3038a3039 > #define KRB5_KDB_POLICY_REF (-1780008408L)

----- Original Message -----
From: rt-comment@krbdev.mit.edu
Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific
Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

The bug numbers for the two performance issues are #6799 and #7535. #6799 is the most important of the two, and should be easy to backport.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799
https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b148

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535
https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77a

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
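
Review bot: The ldap_misc.c hunk 2216,2241d2215 deletes the only visible code that caps entry->pw_expiration at last_pw_changed + pw_max_life, and nothing else in this diff puts an equivalent check anywhere. If expiry derived from the policy is now computed elsewhere, say where in a comment or in the change description; if it is not, principals under a policy with a non-zero pw_max_life stop getting an expiration from it, which weakens password ageing. If the logic is moved rather than dropped, note that the removed test (mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1 only holds when that flag is bit 0, so it is better written as != 0.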
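
Review bot: In the ldap_pwd_policy.c hunk 205,209c204,209, pol_entry->policy_refcnt is now unconditionally 0, so any caller that reports or tests that field will see every policy as unreferenced. The new comment explains the reason, but it should also state outright that the field is no longer meaningful for the LDAP back end, and the remaining readers of policy_refcnt should be checked so none of them treats 0 as "safe to delete".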
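
Review bot: The reference check added at 354a355,361 in ldap_pwd_policy.c is a point-in-time count taken by its own query, so a principal can gain a krbPwdPolicyReference to this policy after refcount comes back 0; the comment added earlier in the same file says principals may be maintained outside kadmin, which makes that window real. A comment saying the check is best-effort would help the next reader. Separately, 334c334 declares refcount without an initialiser and it is read only when st == 0; writing it as int mask = 0, refcount = 0; removes the dependence on krb5_ldap_get_reference_count always storing a value on success.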
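
Review bot: The krb5.h hunk 3038a3039 adds KRB5_KDB_POLICY_REF as a bare numeric literal with no comment, and the diff carries no matching error-table or message-string change. Add a comment naming the error table the value belongs to and confirm the number matches it, because svr_policy.c compares against it (ret == KRB5_KDB_POLICY_REF) and a mismatch would let the raw code fall through instead of being mapped to KADM5_POLICY_REF.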