Chapter 8. Adjusting the performance of the KDC
The following sections describe how to adjust the performance of the Kerberos Key Distribution Center (KDC), which is responsible for authenticating users, hosts, and services.
8.1. Adjusting the length of the KDC listen queue
You can adjust the length of the listen queue for the KDC daemon by setting the kdc_tcp_listen_backlog option in the [kdcdefaults] section of the /var/kerberos/krb5kdc/kdc.conf file. The default value of 5 may be too low for some IdM deployments that experience high amounts of Kerberos traffic, but setting this value too high degrades performance.
Default value: 5
Valid range:
Procedure
- Open the /var/kerberos/krb5kdc/kdc.conf file in a text editor. Set the TCP listen backlog to your desired value, such as 7:

    [kdcdefaults]
    ...
    kdc_tcp_listen_backlog = 7

- Save and close the /var/kerberos/krb5kdc/kdc.conf file.
- Restart the KDC to load the new settings.
8.2. Options controlling KDC behavior per realm
To track locking and unlocking user accounts for each Kerberos realm, the KDC writes to its database after each successful and failed authentication. By adjusting the following options in the [dbmodules] section of the /etc/krb5.conf file, you may be able to improve performance by minimizing how often the KDC writes information.
- disable_last_success
  If set to true, this option suppresses KDC updates to the Last successful authentication field of principal entries requiring preauthentication.
  Default value: false
  Valid range: true or false
- disable_lockout
  If set to true, this option suppresses KDC updates to the Last failed authentication and Failed password attempts fields of principal entries requiring preauthentication. Setting this flag may improve performance, but disabling account lockout may be considered a security risk.
  Default value: false
  Valid range: true or false
8.3. Adjusting KDC settings per realm
This procedure adjusts KDC behavior per Kerberos realm.
Procedure
- Open the /etc/krb5.conf file in a text editor. Specify any options and their desired values within the [dbmodules] section, under the respective Kerberos realm. In this example, you are setting the disable_last_success variable for the EXAMPLE.COM Kerberos realm:

    [dbmodules]
    EXAMPLE.COM = {
        disable_last_success = true
    }

- Save and close the /etc/krb5.conf file.
- Restart the KDC to load the new settings.
8.4. Adjusting the number of krb5kdc processes
Follow this procedure to manually adjust the number of processes that the Key Distribution Center (KDC) starts to handle incoming connections.
By default, the IdM installer detects the number of CPU cores and enters the value in the /etc/sysconfig/krb5kdc file. For example, the file might contain the following entry:

    KRB5KDC_ARGS='-w 2' [...]

In this example, with the KRB5KDC_ARGS parameter set to -w 2, the main KDC process starts two separate worker processes to handle incoming connections. You might want to adjust this value, especially in virtual environments where you can easily add or remove virtual CPUs based on your requirements. To prevent performance issues, or even IdM servers becoming unresponsive because of an ever-increasing TCP/IP queue on port 88, simulate a higher number of processes by manually setting the KRB5KDC_ARGS parameter to a higher value.
Procedure
- Open the /etc/sysconfig/krb5kdc file in a text editor. Specify the value of the KRB5KDC_ARGS parameter. In this example, you are setting the number of processes to 10:

    KRB5KDC_ARGS='-w 10' [...]

- Save and close the /etc/sysconfig/krb5kdc file.
- Reload the systemd configuration:

    # systemctl daemon-reload

- Restart the krb5kdc service:

    # systemctl restart krb5kdc.service

You can use the IdM Healthcheck utility to verify that the KDC is configured to use the optimal number of worker processes. See Verifying the optimal number of KDC worker processes using IdM Healthcheck.
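The following script is an added example, not part of the Red Hat documentation or of IdM Healthcheck. It reads the three settings this chapter covers from constructed copies of kdc.conf, krb5.conf and /etc/sysconfig/krb5kdc, reports the listen backlog, warns when disable_lockout is true (the setting the chapter flags as a security risk), and warns when the -w worker count is below an assumed CPU count passed in as an argument (on a real host you would pass the output of nproc).

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit the three KDC tuning
# knobs this chapter describes and flag the one that trades security for speed.
# The sample files below are constructed stand-ins for
# /var/kerberos/krb5kdc/kdc.conf, /etc/krb5.conf and /etc/sysconfig/krb5kdc.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_tcp_listen_backlog = 7
EOF
cat > "$TMP/krb5.conf" <<'EOF'
[dbmodules]
 EXAMPLE.COM = {
  disable_last_success = true
  disable_lockout = true
 }
EOF
cat > "$TMP/krb5kdc" <<'EOF'
KRB5KDC_ARGS='-w 2'
EOF

# Print the value of "key = value" from an ini-style file (first match), or nothing.
kdc_setting() { # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print the worker count N from KRB5KDC_ARGS='-w N', or nothing if no -w is set.
kdc_workers() { # $1=sysconfig file
    sed -n "s/^KRB5KDC_ARGS=.*-w[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Emit INFO/WARN lines; $4 is the CPU count to compare -w against (assumed input, e.g. nproc).
audit_kdc() { # $1=kdc.conf $2=krb5.conf $3=sysconfig $4=cpus
    backlog=$(kdc_setting "$1" kdc_tcp_listen_backlog)
    echo "INFO: kdc_tcp_listen_backlog=${backlog:-5 (default)}"
    [ "$(kdc_setting "$2" disable_last_success)" = true ] &&
        echo "INFO: disable_last_success=true, last-success timestamps are not recorded"
    [ "$(kdc_setting "$2" disable_lockout)" = true ] &&
        echo "WARN: disable_lockout=true, failed-attempt tracking and account lockout are off"
    workers=$(kdc_workers "$3")
    [ "${workers:-1}" -lt "$4" ] &&
        echo "WARN: krb5kdc runs ${workers:-1} worker(s) but the host has $4 CPUs"
    return 0
}

audit_kdc "$TMP/kdc.conf" "$TMP/krb5.conf" "$TMP/krb5kdc" 4
```

Point the three path arguments at the real files and pass "$(nproc)" as the fourth to check a live server.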