Date: Tue, 02 Jun 2015 09:38:06 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 200589] Kerberos authentication slow in many processes simultaneously Message-ID: <bug-200589-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200589 Bug ID: 200589 Summary: Kerberos authentication slow in many processes simultaneously Product: Base System Version: 8.4-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: martin.beran@kernun.cz Our Kernun HTTP proxy performs Kerberos (Negotiate) authentication in Active Directory by calling gss_acquire_cred, gss_accept_sec_context. When there are many (several thousand) proxy processes authenticating simultaneously, authentication operation becomes slow. A probable cause is in the Kerberos library, which uses exclusive fcntl lock on the keytab file. It is slow when many processes are trying to obtain the lock simultaneously. Moreover, gss_acquire_cred reads the keytab file twice and gss_accept_sec_context once. Each reading of the keytab file consists of may read syscalls, each reading a few bytes. Maybe it would be more efficient to lock the keytab using a shared lock, or, optionally, not to lock it. Also, the keytab could be read by larger blocks, using fewer read syscalls. Observed with Heimdal Kerberos from the base system. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-200589-8>