Upgrading to the latest krb5 works. Thanks,
Serey On Mon, Sep 24, 2012 at 11:00 PM, Greg Hudson <[email protected]> wrote: > On 09/24/2012 05:13 PM, Sereyvathana Ty wrote: > > Without the policy, I was able to > > receive response from the KDC very fast (almost like using the flat > > database). With the policy, it takes about 1.5 second (avg over 1000 > > tries). This kdc is running in a VM with 2 cpus and 4 gig of rams. > > This should be better in MIT krb5 1.9 or later. In krb5 1.8 and prior, > fetching password policies was very slow with large KDBs because the > module would scan all principals in order to populate a reference count > field. > > It looks like CentOS 6.1 and later have krb5 1.9, but CentOS 6.0 (which > I think is no longer receiving updates) has 1.8. > > > For example, ‘listprincs’ command would take > > about one hour to return. > > This appears to be a related problem and should also be better in MIT > krb5 1.9, although you wouldn't immediately think that listprincs would > retrieving policy entries. The LDAP back end appears to dynamically > calculate a principal's password expiration at lookup time using the > principal's policy entry and its last password change time. > > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
