[Freeipa-devel] slow response
Petr Spacek
pspacek at redhat.com
Tue Jul 31 08:39:34 UTC 2012
On 07/31/2012 12:27 AM, John Dennis wrote:
>
> What is taking so long with session bookkeeping? I don't know yet. I would
> need more timing instrumentation. I will say when I looked at the python-krb5
> code (which we use to populate the ccache from the session and read back to
> store in the session) it seemed to be remarkably inefficient. We also elected to
> use file based ccache rather than in-memory ccache (that means there is a bit
> of file-IO occurring).
A note regarding python-krbV:
I used python-krbV extensively in my thesis for a KDC stress test. Python-krbV
can obtain several thousands of TGTs per second (even with ccache in a file).
AFAIK VFS calls are not done synchronously. But other parts of python-krbV
were left uncovered, so it can contain some surprises.
=== Wild speculation follows ===
1.5 seconds is an incredibly long time, it sounds like some kind of timeout. Krb5
libs have a usual timeout = 1 second per request.
Are all KDCs in /etc/krb5.conf alive and reachable? Is SSSD running on the
problematic server? Is the proper KDC selected by the SSSD KDC auto-locator plugin?
(See /var/lib/sss/pubconf/)
=== End of wild speculations ===
Petr^2 Spacek
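
The KDC reachability questions raised in the message above, as an added example that is not part of the original post or of FreeIPA/SSSD code: it parses the `kdc` entries in the `[realms]` section of a krb5.conf and times a TCP connect to each with a 1-second timeout. The sample realm and host names are constructed, `parse_kdcs`, `probe` and `suspects` are hypothetical helper names, and it assumes `host` or `host:port` entries and KDCs that accept TCP on port 88.

```python
import re
import socket
import time

# Constructed sample; on a real host pass the text of /etc/krb5.conf instead.
SAMPLE_KRB5_CONF = """\
[realms]
 EXAMPLE.TEST = {
  kdc = kdc1.example.test:88
  kdc = kdc2.example.test
 }
"""

def parse_kdcs(conf_text):
    """Return {realm: [(host, port), ...]} from the [realms] section."""
    kdcs, section, realm, depth = {}, None, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, depth = header.group(1), 0
        elif line.endswith("{"):
            depth += 1
            if section == "realms" and depth == 1:  # realm block, not a nested one
                realm = line.split("=", 1)[0].strip()
                kdcs[realm] = []
        elif line.startswith("}"):
            depth -= 1
        elif section == "realms" and depth == 1 and re.match(r"kdc\s*=", line):
            host, _, port = line.split("=", 1)[1].strip().partition(":")
            kdcs[realm].append((host, int(port or 88)))  # 88 = default KDC port
    return kdcs

def probe(host, port, timeout=1.0):
    """Time one TCP connect to a KDC; return (reachable, seconds)."""
    start, ok = time.monotonic(), True
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:  # refused, unreachable, DNS failure or timeout
        ok = False
    return ok, time.monotonic() - start

def suspects(conf_text, threshold=0.5, probe_fn=probe):
    """Return (realm, host, port, reachable, seconds) for dead or slow KDCs."""
    checked = [(realm, host, port, *probe_fn(host, port))
               for realm, entries in parse_kdcs(conf_text).items()
               for host, port in entries]
    return [row for row in checked if not row[3] or row[4] >= threshold]
```

Calling `suspects()` with the contents of /etc/krb5.conf on the affected server returns only the KDC entries that failed to connect or took at least `threshold` seconds, which is where a per-request timeout would show up.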