On Tue, Jul 31, 2012 at 1:39 AM, Petr Spacek <pspa...@redhat.com> wrote:
> On 07/31/2012 12:27 AM, John Dennis wrote:
>> What is taking so long with session bookkeeping? I don't know yet. I would
>> need more timing instrumentation. I will say when I looked at the
>> python-krb5
>> code (which we use to populate the ccache from the session and read back
>> to
>> store in the session) seemed to be remarkably inefficient. We also elected
>> to
>> use file based ccache rather than in-memory ccache (that means there is a
>> bit
>> of file-IO occurring).
> A note regarding python-krbV:
> I used python-krbV extensively in my thesis for KDC stress test. Python-krbV
> can obtain several thousands of TGTs per second (even with ccache in a
> file). AFAIK VFS calls are not done synchronously. But others parts of
> python-krbV were left uncovered, so it can contain some surprises.
> === Wild speculation follows ===
> 1.5 second is incredibly long time, it sounds like some kind of timeout.
> Krb5 libs have usual timeout = 1 second per request.
> Are all KDCs in /etc/krb5.conf alive and reachable?

In this case, as I'm referring to the extreme slowness of the Web UI,
the KDC is on the same system (the ipa server) that is making the
request, correct?

> Is SSSD running on problematic server?

Yes. Again, I'm guessing the problematic server is the IPA server itself.

> Is proper KDC selected by SSSD KDC auto-locator plugin?
> (See /var/lib/sss/pubconf/)

Yes, I checked that file and it is the IP address of the IPA server on
the same server. Perhaps should this be instead?

I also have checked the resolv.conf file, and indeed the IP points to
the IPA server itself (same machine) as expected. Both forward and
reverse DNS work. I'm not really sure what else could be setup
incorrectly to cause any KDC slowness.

Due to the extreme UI slowness issue, I have not created any replicas
so this system is it. I'm not so sure I would be able to see the 1.5 s
delay if it weren't compounded by the overall slowness of the Web UI,
however, the KDC seems to perform well for other systems in the realm.
I'm certainly not taxing it with a huge load, but tickets seem to be
issued without delay.


Freeipa-devel mailing list

Reply via email to