- Original Message -
From: Chris Hecker [mailto:chec...@d6.com]
Sent: Tuesday, August 09, 2011 01:39 PM
To: kerberos@mit.edu
Subject: Re: Performance issues with krb5-1.9.1
Ah, yeah, my tests had krb5kdc at about 50% of one core (slapd was an
additional 15%), but it wasn't completely
unsubscribe
-Original Message-
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of
kerberos-requ...@mit.edu
Sent: Tuesday, August 09, 2011 12:40 PM
To: kerberos@mit.edu
Subject: EXT :Kerberos Digest, Vol 104, Issue 11
Send Kerberos mailing list submissions to
On Tue, 2011-08-09 at 19:34 -0400, Chris Hecker wrote:
> I think I'm confused about the kvno, then. Is that because the KDC will
> always use the latest kvno, so the code just sends the latest it's got
> and hopes it works (and if not, it means the keytab needs updating)?
More or less. You hav
Ah, awesome, thanks!
I was deep in the KDC looking to see if it returned the client kvno
anywhere, and found this in do_as_req:
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP,
&reply_encpart,
0, as_encrypting_key,
On Tue, 2011-08-09 at 19:05 -0400, Chris Hecker wrote:
> However, I've hit a snag: when creating a keytab on the client using
> the code from ktutil as a reference, how do I know what kvno to use?
If you're only using the keytab with krb5_get_init_creds_keytab, then it
doesn't matter if you get
I never got a reply to this (presumably it was lost in the flurry of
other mails I sent! :), but it seems like storing a keytab is the best
thing to do for this situation.
However, I've hit a snag: when creating a keytab on the client using
the code from ktutil as a reference, how do I know w
So, krb5_kt_resolve doesn't actually open the keytab, it defers the open
and just gets the ops set up. What's the best way to see if it's really
there and valid? It looks like I have to
krb5_kt_start_seq_get/krb5_kt_end_seq_get to actually get it opened?
I could just stat() the file, but tha
Under normal krb5 usage, services don't talk to the KDC, they just use a
keytab and deal with tickets. However, since I have my nifty allow_tix
patch allowing dynamic banning of clients, and my disallow_svr patch to
require u2u creds, what's the best way for a service to talk to the KDC
to se
Ah, yeah, my tests had krb5kdc at about 50% of one core (slapd was an
additional 15%), but it wasn't completely saturating the machine.
Glad the patch fixed it!
Chris
On 2011/08/09 07:13, Jonathan Reams wrote:
> Chris,
>
> We didn't actually see any problems either until the KDC was under heav
> kinit: Client not found in Kerberos database while getting initial
> credentials
Are you sure that you are using the correct username (for kinit), one that
exists in the new realm?
Please make sure that:
1. you are specifying the correct username + realm name for getting a
ticket. (e.g. kinit u...@newrealm.com)
Hi,
We have configured SSO using Kerberos with Apache Http Server.
The realm names are defined in krb5.conf.
We needed to add one more domain to the krb5.conf file -
We have inserted the new realm as -
xxx.xxx.COM = {
kdc =
admin_server =
}
But after executing
Chris,
We didn't actually see any problems either until the KDC was under heavy load.
The unpatched version of 1.9.1 was and still is running on our secondary KDC
without issue, and we had been using 1.9.1 in testing and development for
months without issue as well. During the period where we s
Hi Greg,
I applied this patch and saw a great improvement on our test KDC. I should
follow up and say that the performance degradation appeared to be compounded by
clients resubmitting their requests after they timed out, so the KDC wasn't
only handling new requests, it was trying to fulfill ol
On Tue, 2011-08-09 at 03:56 -0400, Chris Hecker wrote:
> Is service/129.168.1.5 a valid service principal?
Sure. It's not a principal that krb5_sname_to_principal() will
generally return, but if you're creating principal names yourself,
there's nothing invalid about that form.
Of course, you'd h
On Tue, 2011-08-09 at 03:44 -0400, Chris Hecker wrote:
> What's the in_data for on an AP-REQ/mk_req? It gets checksummed and
> stuffed in the authenticator, but it doesn't seem to be used anywhere
An application can use this to checksum some data which is sent along
with the authenticator reque
Just another data point: I'm not seeing this on my locally built (but
not with the attached patch) 1.9.1:
real    0m41.409s
user    0m3.358s
sys     0m3.683s
finished round 1
real    0m35.036s
user    0m3.441s
sys     0m3.658s
finished round 2
real    0m44.344s
user    0m3.363s
sys     0m3.72
I want to have a UDP broadcast for the local subnet that looks for
services on machines that won't necessarily have a hostname in any
meaningful way (in other words, they'll have a hostname, but it's not
going to be in any kind of DNS, so I'll be connecting by raw IP), and
potentially a servic
What's the in_data for on an AP-REQ/mk_req? It gets checksummed and
stuffed in the authenticator, but it doesn't seem to be used anywhere
(although I might be missing something). The sim_client.c file passes
the hostname in for the in_data, but sim_server.c ignores
auth_context->authentp->ch