Date: Wed, 15 Oct 2014 22:19:36 -0700 (PDT)
From: Tsu-Phong Wu <tsu-phong.wu@oracle.com>
To: <krb5-bugs@mit.edu>
Subject: Client RPC timeout during kadmin listprincs command
Hi,

One of our customers has a KDC with an LDAP backend on a separate machine.
The customer runs into an RPC timeout while kadmin tries to retrieve 100k principals:

kadmin -p admin/admin -w password -q listprincs
get_principals: Communication failure with server while retrieving list.

The default 120 second client RPC timeout is not sufficient for 100k or more principals.
Increasing the default timer to a higher value may have negative impacts on responsiveness of clients and fail-over.

Should there be a configurable value in the client profile or a more adaptable algorithm?

Thanks.
Tsu-Phong
Before we commit to changing the default or making it configurable, I would
like to know what version of Kerberos is being used on the back end. Prior
to release 1.9, the LDAP KDB module takes O(N^2) time to iterate over N
principals due to a combination of questionable design features. It is
possible that retrieving even a hundred thousand principal names could be
done in less than 120 seconds without this bug.

If we do need to make a change, I would suggest using a very long timeout
or (if possible) disable the timeout entirely. Since kadmin runs over TCP,
there isn't really a strong need to time out if kadmind takes a long time
to respond.
Date: Thu, 23 Oct 2014 12:13:21 -0700 (PDT)
From: Tsu-Phong Wu <tsu-phong.wu@oracle.com>
To: <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
RT-Send-Cc:
Thanks for the reply.

Our current version is 1.8.6 (and an older version 1.4 something) and apparently we'll have issues there.

Is there a bug# on this LDAP KDB performance and do you happen to know how big the effort is to port it to pre-1.9?

Thanks.
Tsu-Phong

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
Date: Sun, 26 Oct 2014 08:40:04 -0700 (PDT)
From: Tsu-Phong Wu <tsu-phong.wu@oracle.com>
To: <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
RT-Send-Cc:
Will port them and get back to you whether it works for 100k - 150k principals.

Thanks.
Tsu-Phong

----- Original Message -----
From: rt-comment@krbdev.mit.edu
Sent: Thursday, October 23, 2014 12:25:32 PM GMT -08:00 US/Canada Pacific
Subject: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command

The bug numbers for the two performance issues are #6799 and #7535. #6799
is the most important of the two, and should be easy to backport.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6799
https://github.com/krb5/krb5/commit/5a28daefe46c1592936115a7b6c9c9b97957b148

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7535
https://github.com/krb5/krb5/commit/090f561c631db7e4970b71cbe1426d636c39c77a
Date: Tue, 3 Feb 2015 12:40:02 -0800 (PST)
From: Tsu-Phong Wu <tsu-phong.wu@oracle.com>
To: <rt-comment@krbdev.mit.edu>
CC: Tsu-phong Wu <tsu-phong.wu@oracle.com>
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
RT-Send-Cc:
Hi Greg,

Sorry for taking so long to get back to you.

Oracle currently is running 1.6.0 on Solaris 10 and 1.8.3 on Solaris 11 & 12.
There is not much code base difference between Solaris 10 and Solaris 11 for the above 2 improvements.

I'm focusing on Solaris 10 as the customer's requirement is for 150k principals on Solaris 10.

Below is what I've gathered (with no other activity on LDAP or KDC):

* It takes around 150 seconds to retrieve 54k principals on Solaris 10
* The above 2 improvements on Solaris 10 do not make any obvious difference
* It takes 30 seconds to retrieve 22k principals on Solaris 11

Sounds to me disabling the RPC timeout is a simple fix as mentioned in your earlier reply.

Thanks for looking into this again.

Tsu-Phong

BTW, below is the diff for Solaris 10:

------- usr/src/lib/krb5/kadm5/srv/svr_policy.c -------

Index: usr/src/lib/krb5/kadm5/srv/svr_policy.c
1c1
< #pragma ident "@(#)svr_policy.c 1.2 07/11/14 SMI"
---
> #pragma ident "@(#)svr_policy.c 1.3 14/11/26 SMI"
25a26,28
> /*
> * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
> */
195,198c198,201
< if ((ret = krb5_db_delete_policy(handle->context, name)))
< return ret;
< else
< return KADM5_OK;
---
> ret = krb5_db_delete_policy(handle->context, name);
> if (ret == KRB5_KDB_POLICY_REF)
> ret = KADM5_POLICY_REF;
> return (ret == 0) ? KADM5_OK : ret;
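Review bot: the ternary in `return (ret == 0) ? KADM5_OK : ret;` is redundant because KADM5_OK is 0, so `return ret;` after the remap is equivalent and clearer. The remap from KRB5_KDB_POLICY_REF to KADM5_POLICY_REF also becomes the only in-use check for the LDAP backend once the ldap_pwd_policy.c hunk forces policy_refcnt to 0 (which passes any refcount test earlier in kadm5_delete_policy), so a one-line comment here saying that the KDB layer is now responsible for detecting references would save the next reader a search.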

------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c -------

Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
1c1
< #pragma ident "@(#)ldap_misc.c 1.4 11/02/11 SMI"
---
> #pragma ident "@(#)ldap_misc.c 1.5 14/11/26 SMI"
32c32
< * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
2216,2241d2215
< /* We already know that the policy is inside the realm container. */
< if (polname) {
< osa_policy_ent_t pwdpol;
< int cnt=0;
< krb5_timestamp last_pw_changed;
< krb5_ui_4 pw_max_life;
<
< memset(&pwdpol, 0, sizeof(pwdpol));
<
< if ((st=krb5_ldap_get_password_policy(context, polname, &pwdpol, &cnt)) != 0)
< goto cleanup;
< pw_max_life = pwdpol->pw_max_life;
< /* Solaris Kerberos: fix memory leak */
< krb5_ldap_free_password_policy(context, pwdpol);
<
< if (pw_max_life > 0) {
< if ((st=krb5_dbe_lookup_last_pwd_change(context, entry, &last_pw_changed)) != 0)
< goto cleanup;
<
< if ((mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1) {
< if ((last_pw_changed + pw_max_life) < entry->pw_expiration)
< entry->pw_expiration = last_pw_changed + pw_max_life;
< } else
< entry->pw_expiration = last_pw_changed + pw_max_life;
< }
< }
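Review bot: deleting this block removes the policy lookup done on every principal fetch, which is the per-principal round trip behind the slow iteration, but it also removes the only place in this file that derived entry->pw_expiration from the policy's pw_max_life. Before merging, confirm that pw_expiration is set from pw_max_life at password-change time on the server side, or principals under such a policy stop expiring. Minor: check that `polname` and the `st`/`cnt` locals this block used do not now trigger unused-variable warnings; nothing of value is lost in the removed test `(mask & KDB_PWD_EXPIRE_TIME_ATTR) == 1`, which only ever worked if that flag happened to be bit 0.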

------- usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c -------

Index: usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
1c1
< #pragma ident "@(#)ldap_pwd_policy.c 1.1 07/11/14 SMI"
---
> #pragma ident "@(#)ldap_pwd_policy.c 1.2 14/11/26 SMI"
33,34c33
< * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
< * Use is subject to license terms.
---
> * Copyright (c) 2007, 2014, Oracle and/or its affiliates. All rights reserved.
205,209c204,209
< /* Get the reference count */
< pol_dn = ldap_get_dn(ld, ent);
< st = krb5_ldap_get_reference_count (context, pol_dn, "krbPwdPolicyReference",
< (int *)&(pol_entry->policy_refcnt), ld);
< ldap_memfree(pol_dn);
---
> /*
> * We don't store the policy refcnt, because principals might be maintained
> * outside of kadmin. Instead, we will check for principal references when> * policies are deleted.
> */
> pol_entry->policy_refcnt = 0;
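Review bot: `pol_entry->policy_refcnt = 0;` means every policy read from LDAP now reports zero references, so `kadmin getpol` will show 0 principals using any policy and any refcount test in libkadm5's delete path is always passed; the real protection moves to the krb5_ldap_get_reference_count check added at 354a355,361, and the new comment should say that explicitly. The comment as shown also has two lines run together (`references when> * policies are deleted.`), so check the file rather than this diff. With `pol_dn` no longer assigned here, either it is still used later in the function or its declaration should go to avoid an unused-variable warning.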
334c334
< int mask = 0;
---
> int mask = 0, refcount;
354a355,361
>
> st = krb5_ldap_get_reference_count(context, policy_dn,
> "krbPwdPolicyReference", &refcount, ld);
> if (st == 0 && refcount != 0)
> st = KRB5_KDB_POLICY_REF;
> if (st != 0)
> goto cleanup;
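Review bot: the reference count and the subsequent delete are two separate LDAP operations, so a principal that gains a krbPwdPolicyReference to this policy between the search and the delete is left with a dangling reference; there is no transaction to lean on, so either document the race or re-check after the delete and report it. `refcount` is only assigned when the search succeeds, which the `st == 0 && refcount != 0` test respects, but initialising it to 0 at the `int mask = 0, refcount;` declaration would keep that safe against future edits. The search is also a scan of all principals for krbPwdPolicyReference on every delete unless the directory indexes that attribute; acceptable for a rare operation, but worth a note.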

------- usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h -------

Index: usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h
2c2
< * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
---
> * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
10c10
< #pragma ident "@(#)krb5.h 1.21 12/01/26 SMI"
---
> #pragma ident "@(#)krb5.h 1.22 14/11/26 SMI"
3038a3039
> #define KRB5_KDB_POLICY_REF (-1780008408L)
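Review bot: `#define KRB5_KDB_POLICY_REF (-1780008408L)` hand-assigns a code in the kdb5 error-table range without adding the corresponding entry and message text to the .et source that the other KRB5_KDB_ codes are generated from. Check two things: that -1780008408 is the next free index in this tree's kdb5 table and not already used by another code, and that error_message() on it yields a real string; otherwise any path that reports the raw KDB code, rather than the KADM5_POLICY_REF it is remapped to in svr_policy.c, prints "Unknown code".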

Date: Mon, 23 Feb 2015 13:01:32 -0800 (PST)
From: Tsu-Phong Wu <tsu-phong.wu@oracle.com>
To: <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #8027] Client RPC timeout during kadmin listprincs command
RT-Send-Cc:
Hi Greg,

Have you got chance to look into further this RPC timeout issue for kadmin to retrieve lots of principals from LDAP backend?

Thanks.
Tsu-Phong

It might be best to avoid quoting large portions of the existing
thread when replying to krb5-bugs messages; it makes the web
display of the ticket harder to read.

I took a look at the relevant code today. My findings are:

* clnt_tcp.c always calls select() with a non-null timeout parameter.
So it would be easier to raise the timeout value to a large number
than it would be to eliminate the timeout entirely.

* The currently operative timeout comes from the "TIMEOUT" variable
(not a macro, despite the all-caps name) in
lib/kadm5/clnt/client_rpc.c.

* This value could be overridden by calling clnt_control() with
CLSET_TIMEOUT on the client handle in client_init.c.

* As a side note, the generic clnt_create() calls clnt_control() with
CLSET_TIMEOUT on the resulting handle, which is mystifying since it
defeats the purpose of remembering whether the caller wanted to
override the default timeout or not. Other RPC implementations
(libtirpc, OpenSolaris) don't appear to do this. This doesn't really
matter since we don't use clnt_create() in kadmin; we call
clnttcp_create() directly.

* The hardcoded timeout used to be 25 seconds. We changed it to 120
seconds (in both client_rpc.c and clnt_generic.c) in release 1.7.

My plan is:

* In one commit, add a call to clnt_control() in client_init.c
changing the timeout to 3600 seconds.

* In a second commit, revert the TIMEOUT variable in client_rpc.c to
25 (to match what rpcgen originally regenerated) and remove the calls
to clnt_control() in clnt_generic.c. This won't have any significant
practical effect and is just for hygiene.
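The findings above describe a per-call deadline that clnt_tcp.c applies, via select(), to a TCP transport. What follows is an added example written for this page; it is not code from the krb5 project or from anyone in the thread. It models the situation on a localhost socket pair: SunRPC's TCP record marking (a 4-byte mark whose high bit flags the last fragment and whose low 31 bits carry the length), a server that answers only after a delay, and a client whose per-call timeout can be set or removed. It shows the two outcomes the thread contrasts: a fixed short deadline fails against a slow but healthy server, while a client with no deadline still sees a dead peer promptly, as EOF on the TCP connection, instead of hanging. The server, port, delays, request and reply bytes are all constructed for the demo.

```python
"""Added example for this page (not code from the krb5 ticket or project).

A localhost model of a kadmin-style call over TCP: SunRPC record marking
(RFC 5531: 4-byte mark, high bit = last fragment, low 31 bits = length),
a server that replies only after `delay` seconds, and a client with an
optional per-call deadline. Server, port, delays and payloads are all
constructed here for the demo.
"""
import socket
import struct
import threading
import time

LAST_FRAGMENT = 0x80000000


def _send_record(sock, payload):
    """Send one record as a single, last fragment."""
    sock.sendall(struct.pack(">I", LAST_FRAGMENT | len(payload)) + payload)


def _recv_exact(sock, n):
    """Read exactly n bytes; a clean peer close shows up as EOF, not a hang."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_record(sock):
    """Collect fragments until one carries the last-fragment bit."""
    out = b""
    while True:
        (mark,) = struct.unpack(">I", _recv_exact(sock, 4))
        out += _recv_exact(sock, mark & 0x7FFFFFFF)
        if mark & LAST_FRAGMENT:
            return out


def start_slow_server(delay, reply=b"principal list", crash=False):
    """Serve one request on an ephemeral 127.0.0.1 port and return the port.

    delay: seconds the server needs to build its reply (a slow LDAP walk).
    crash: close the connection without replying (a kadmind that died).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                _recv_record(conn)          # the request
                if not crash:
                    time.sleep(delay)
                    _send_record(conn, reply)
            except OSError:
                pass                        # client gave up; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return port


def rpc_call(port, timeout, request=b"get_princs"):
    """One synchronous call. `timeout` is the per-call deadline in seconds
    (None = no deadline). SO_KEEPALIVE covers the half-open case (peer host
    vanished without FIN or RST) that a missing deadline would not catch."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        sock.settimeout(timeout)
        _send_record(sock, request)
        return _recv_record(sock)


def outcome(delay, timeout, crash=False):
    """'ok', 'timeout' or 'eof' for one server/client combination."""
    port = start_slow_server(delay, crash=crash)
    try:
        rpc_call(port, timeout)
        return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "eof"


if __name__ == "__main__":
    print(outcome(delay=0.5, timeout=0.1))               # slow but alive: timeout
    print(outcome(delay=0.5, timeout=None))              # no deadline: ok
    print(outcome(delay=0.0, timeout=None, crash=True))  # dead peer: eof
```

Running the block prints `timeout`, `ok`, `eof`. The one failure a removed deadline does not surface on its own is a half-open connection, which is why rpc_call also sets SO_KEEPALIVE so the kernel's probes eventually turn that into an error; with that in place a TCP admin client can afford a very long or absent per-call deadline without trading away dead-peer detection.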
From: ghudson@mit.edu
Subject: git commit

Extend kadmin client timeout to one hour

Retrieving the list of principals can take a long time for some
databases. Extend the libkadm5 client timeout from two minutes to one
hour. (We can't easily remove the timeout entirely.)

https://github.com/krb5/krb5/commit/11f0cf7928b239be45c5d3cb7e2eccd2ff1e1bfc
Author: Greg Hudson <ghudson@mit.edu>
Commit: 11f0cf7928b239be45c5d3cb7e2eccd2ff1e1bfc
Branch: master
src/lib/kadm5/clnt/client_init.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)