Check the list archives. I've sent example tools for cleaning up PAGs on
linux and hpux. I'm not sure, but it might be adaptable to hpux as well. On
linux it's real easy to clean up, on hpux I seem to remember it requiring
some brute force. (No easy way to determine the aux-groups of a process.)
-- Nathan
> -----Original Message-----
> From: David Thompson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 12, 2000 9:26 AM
> To: Paul Blackburn
> Cc: [EMAIL PROTECTED]
> Subject: Re: help!!!
>
>
> Paul Blackburn wrote:
> >The problem with using AFS authentication on a popserver
> >is that, compared to local authentication, AFS authentication
> >takes much more resource and time. It involves connecting
> >to the AFS kaserver across the network.
> >
> >Typically, popserver users connect and login very frequently
> >(perhaps every minute) just to check if they have new mail.
> >All this login activity soon swamps a popserver that is
> >using AFS login authentication.
>
> It can be done, but you need to take into account the extra
> compute cycles you
> will need. As one data point, we run a dual 400MHz PII as a
> kpop server for
> ~2000 mail accounts (which get krb5 tickets as well as AFS
> tokens). Right now
> it runs about 80% CPU idle. I think by default users check
> mail every 5
> minutes. As always, YMMV.
>
> >One pragmatic solution I found was to change the login
> >authentication on the popserver from AFS to local
> >encrypted password) files.
> >
> >The upside of this is that suddenly the login process
> >is lightweight and much faster: the popserver is not
> >overwhelmed by login activity.
> >
> >The downside is that users now have another password
> >(the local one on the popserver) to remember and you
> >must provide a mechanism for users to change their
> >popserver local password.
> >
> >In any event, I would recommend you also look at using
> >an IMAP server instead of a POP server.
>
> IMAP helps the authentication situation significantly,
> because it creates
> persistent connections. Regardless of whether you do IMAP or
> POP, PAG cleanup
> is essential if you create a new PAG for each connection,
> which I would
> recommend. A moderately busy server will create thousands of
> PAGs a day,
> which will kill any amount of CPU you can throw at it if you
> don't do cleanup.
> Our IMAP server used PAM (a good thing), but didn't call the
> authentication
> destroy routines (a _very_ bad thing). 30,000 authenticated
> PAGs wandering
> around in your kernel REALLY REALLY sucks. xstat_cm_test is
> your friend for
> finding out things like this.
>
> Dave
>
