From owner-freebsd-bugs@FreeBSD.ORG Tue Jun 2 09:38:06 2015 Return-Path: Delivered-To: freebsd-bugs@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 391E487F for ; Tue, 2 Jun 2015 09:38:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 228CB1CF9 for ; Tue, 2 Jun 2015 09:38:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t529c6m3065808 for ; Tue, 2 Jun 2015 09:38:06 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 200589] Kerberos authentication slow in many processes simultaneously Date: Tue, 02 Jun 2015 09:38:06 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 8.4-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: martin.beran@kernun.cz X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2015 09:38:06 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200589 Bug ID: 200589 Summary: Kerberos authentication slow in many processes simultaneously Product: Base System Version: 8.4-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: martin.beran@kernun.cz Our Kernun HTTP proxy performs Kerberos (Negotiate) authentication in Active Directory by calling gss_acquire_cred, gss_accept_sec_context. When there are many (several thousand) proxy processes authenticating simultaneously, authentication operation becomes slow. A probable cause is in the Kerberos library, which uses exclusive fcntl lock on the keytab file. It is slow when many processes are trying to obtain the lock simultaneously. Moreover, gss_acquire_cred reads the keytab file twice and gss_accept_sec_context once. Each reading of the keytab file consists of may read syscalls, each reading a few bytes. Maybe it would be more efficient to lock the keytab using a shared lock, or, optionally, not to lock it. Also, the keytab could be read by larger blocks, using fewer read syscalls. Observed with Heimdal Kerberos from the base system. -- You are receiving this mail because: You are the assignee for the bug.