On 07/31/2012 12:27 AM, John Dennis wrote:

What is taking so long with session bookkeeping? I don't know yet. I would
need more timing instrumentation. I will say when I looked at the python-krb5
code (which we use to populate the ccache from the session and read back to
store in the session) seemed to be remarkably inefficient. We also elected to
use file based ccache rather than in-memory ccache (that means there is a bit
of file-IO occurring).

A note regarding python-krbV:
I used python-krbV extensively in my thesis for KDC stress test. Python-krbV can obtain several thousands of TGTs per second (even with ccache in a file). AFAIK VFS calls are not done synchronously. But others parts of python-krbV were left uncovered, so it can contain some surprises.

=== Wild speculation follows ===
1.5 second is incredibly long time, it sounds like some kind of timeout. Krb5 libs have usual timeout = 1 second per request.

Are all KDCs in /etc/krb5.conf alive and reachable? Is SSSD running on problematic server? Is proper KDC selected by SSSD KDC auto-locator plugin? (See /var/lib/sss/pubconf/)
=== End of wild speculations ===

Petr^2 Spacek

Freeipa-devel mailing list

Reply via email to