Have you had a chance to look further into this RPC timeout issue, where kadmin retrieves a large number of principals from the LDAP backend?
Thanks.
----- Original Message -----
From: rt-comment@krbdev.mit.edu
Sent: Tuesday, February 3, 2015 12:40:45 PM GMT -08:00 US/Canada Pacific
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
Hi Greg,
Sorry for taking so long to get back to you.
Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12.
There is not much difference in the code base between Solaris 10 and Solaris 11 for the two improvements above.
I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10.
Below is what I've gathered (with no other activity on LDAP or KDC):
* It takes around 150 seconds to retrieve 54k principals on Solaris 10
* The above 2 improvements on Solaris 10 do not make any obvious difference
* It takes 30 seconds to retrieve 22k principals on Solaris 11
It sounds to me like disabling the RPC timeout, as mentioned in your earlier reply, is the simplest fix.
Thanks for looking into this again.
Tsu-Phong
BTW, below is the diff for Solaris 10:
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt))
!= 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when
> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------
Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
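Review bot: Once the LDAP module reports `policy_refcnt` as 0 for every policy (ldap_pwd_policy.c in this same patch), any pre-check on the fetched entry's refcount earlier in kadm5_delete_policy is inert for that backend, and the `KRB5_KDB_POLICY_REF` mapped here is the only thing preventing deletion of a policy that principals still reference; the other backends presumably still enforce this through the stored refcount, so the two backends now guard the same invariant at different layers. That split is easy to undo by accident, so I would document it above the call: `/* The backend refuses to delete a referenced policy (KRB5_KDB_POLICY_REF). Do not rely on policy_refcnt here: the LDAP module always reports 0. */`. The body of kadm5_delete_policy starts outside this hunk, so whether such an earlier refcount check exists cannot be confirmed from the diff.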
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
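Review bot: Dropping this block changes what the KDC enforces: pw_expiration was previously tightened on every fetch to `last_pw_changed + pw_max_life` from the principal's policy, and after the patch only the expiration value actually stored on the entry counts. Principals that carry a policy with a non-zero pw_max_life but have no stored expiration (or one written before the policy was tightened) will therefore stop expiring unless kadm5 writes pw_expiration at password-change time, which upstream kadm5_chpass_principal does but I cannot confirm for the 1.6.0-based Solaris 10 tree from this diff. The removal also eliminates one policy lookup per principal, which is presumably where much of the listprincs cost went, so the trade is defensible, but I would audit existing entries for policy-with-no-expiration before shipping and say so in the commit message. The enclosing function begins and ends outside this hunk.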
------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------
Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when> * policies are deleted.
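Review bot: This collapsed comment line is a paste artifact: `when> * policies are deleted.` is two diff lines on one, and should read `> * outside of kadmin. Instead, we will check for principal references when` followed by `> * policies are deleted.`.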
> */
> pol_entry->policy_refcnt = 0;
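Review bot: Every consumer of `policy_refcnt` now sees 0 for the LDAP backend, including kadmin's getpol output ("Number of principals using this policy") and any pre-delete check in kadm5, which reads as "unused" to an administrator who is about to delete the policy. The new comment explains why the count is not stored but not that the field is now meaningless to callers; I would extend it with ` * Callers must not use policy_refcnt to decide whether a policy is safe to delete; for this backend it is always 0 and kadmin getpol will display 0.` The removed `ldap_get_dn`/`ldap_memfree` pair was presumably the only user of `pol_dn`, so check that its declaration (outside the hunk) does not now produce an unused-variable warning.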
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
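Review bot: The reference check and the actual delete (issued after this hunk) are two separate directory operations, so a concurrent `modprinc -policy` can attach a principal between the search returning 0 and the delete, leaving a dangling `krbPwdPolicyReference` exactly as before; the directory provides no referential integrity for this attribute, so the window is inherent and should be stated in a comment, e.g. `/* Best-effort: no directory-side integrity, a concurrent assignment can still leave a dangling reference. */`. Separately, `policy_dn` is substituted into an LDAP search filter by krb5_ldap_get_reference_count; if that helper does not escape the DN per RFC 4515 (I cannot see it from here), a policy name containing `(`, `)`, `*` or `\` yields a malformed filter that fails closed, or a filter that matches nothing and lets a referenced policy be deleted, so confirm the escaping or escape before the call. On the declaration line, `int mask = 0, refcount;` leaves `refcount` uninitialized and protected only by the `st == 0` short-circuit; `int refcount = 0;` on its own line is cheaper to read and survives a future change to that condition. The enclosing function continues outside this hunk.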
------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------
Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
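Review bot: krb5.h's KRB5_KDB_* codes are normally generated from kdb5_err.et by compile_et, so adding the `#define` by hand without a matching `ec KRB5_KDB_POLICY_REF, "Policy is in use"` entry in the error table means `error_message(KRB5_KDB_POLICY_REF)` prints an "Unknown code" string to the kadmin user and a later header regeneration can silently drop or renumber it. The value (-1780008408, offset 40 from the KDB error-table base) appears to match the upstream MIT assignment for this name, which is the right choice for compatibility, but that should be verified against the upstream kdb5_err.et rather than assumed. If the .et file is updated in a companion change, a one-line comment here pointing at it would make the dependency explicit.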