Chapter 7. Adjusting the performance of the KDC

The following sections describe how to adjust the performance of the Kerberos Key Distribution Center (KDC), which is responsible for authenticating users, hosts, and services.

7.1. Options controlling general KDC behavior

You can adjust general KDC behavior by setting the following options in the [kdcdefaults] section of the /var/kerberos/krb5kdc/kdc.conf file.

kdc_tcp_listen_backlog

This option sets the length of the TCP listen queue (the backlog the KDC daemon passes to listen()). The default value of 5 may be too low for IdM deployments that handle a high volume of Kerberos traffic, but setting this value too high will degrade performance. Note that the kernel silently caps the effective backlog at its own limit (net.core.somaxconn on Linux), so a value in kdc.conf larger than that limit has no additional effect.

Default value

5

Valid range

1 - 10

7.2. Adjusting general KDC settings

This procedure adjusts general KDC behavior.

Procedure

  1. Open the /var/kerberos/krb5kdc/kdc.conf file in a text editor.
  2. Specify any options and their desired values within the [kdcdefaults] section. In this example, you are setting the TCP listen backlog to 7.

    [kdcdefaults]
     ...
     kdc_tcp_listen_backlog = 7
  3. Save and close the /var/kerberos/krb5kdc/kdc.conf file.
  4. Restart the KDC to load the new settings.

7.3. Options controlling KDC behavior per realm

To support account lockout, the KDC records every successful and every failed authentication in its database, for each Kerberos realm it serves. By adjusting the following options in the [dbmodules] section of the /etc/krb5.conf file, you can reduce how often the KDC writes to the database, which may improve performance.

disable_last_success

If set to true, this option suppresses KDC updates to the Last successful authentication field of principal entries requiring preauthentication.

Default value

false

Valid range

true or false

disable_lockout

If set to true, this option suppresses KDC updates to the Last failed authentication and Failed password attempts fields of principal entries requiring preauthentication. Setting this flag may improve performance, but because the KDC then stops counting failed attempts, it also disables KDC account lockout and with it the protection lockout provides against online password guessing. Treat this option as a security trade-off, not only as a tuning knob.

Default value

false

Valid range

true or false

7.4. Adjusting KDC settings per realm

This procedure adjusts KDC behavior per Kerberos realm.

Procedure

  1. Open the /etc/krb5.conf file in a text editor.
  2. Specify any options and their desired values inside the block for the respective Kerberos realm within the [dbmodules] section. In this example, you are setting the disable_last_success option for the EXAMPLE.COM Kerberos realm.

    [dbmodules]
        EXAMPLE.COM = {
            disable_last_success = true
        }
  3. Save and close the /etc/krb5.conf file.
  4. Restart the KDC to load the new settings.
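The two procedures above (7.2 and 7.4) both come down to placing one key = value line at the right nesting level of a krb5 configuration file and restarting the KDC. The following shell script is an added example, not part of this documentation or of the MIT Kerberos or IdM projects: it edits such a key idempotently, refuses values outside the ranges documented in 7.1 and 7.3, and runs here against constructed sample files rather than the live /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf. The function names, the validation rules and the sample contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): idempotent editor for the
# procedures in 7.2 and 7.4. set_kdc_option writes a plain key under
# [kdcdefaults]; set_realm_dbmodule_option writes a key inside the
# "REALM = { ... }" block under [dbmodules]. Existing assignments are replaced,
# missing ones appended, so re-running is safe. Paths and sample files below
# are constructed for the demo; the real files are
# /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf.

validate_option() {                # validate_option KEY VALUE -> 0 if acceptable
  case "$1" in
    kdc_tcp_listen_backlog)
      case "$2" in ''|*[!0-9]*) return 1 ;; esac   # must be an integer
      [ "$2" -ge 1 ] && [ "$2" -le 10 ] ;;         # documented valid range 1-10
    disable_last_success|disable_lockout)
      [ "$2" = true ] || [ "$2" = false ] ;;       # documented valid range true/false
    *) return 1 ;;                                 # unknown key: refuse to write it
  esac
}

# _ini MODE FILE SECTION SUBSECTION KEY [VALUE]: MODE "get" prints KEY's value
# (nothing if unset); MODE "set" prints the file with KEY = VALUE applied.
# SUBSECTION is "" for a top-level key or a realm name for "REALM = { ... }".
_ini() {
  awk -v mode="$1" -v sec="$3" -v subsec="$4" -v key="$5" -v val="$6" '
    function lhs(s,  t) { t = s; sub(/^[ \t]+/, "", t)       # identifier left of "="
                          if (t !~ /^[^=]+=/) return ""
                          sub(/[ \t]*=.*$/, "", t); return t }
    function rhs(s,  t) { t = s; sub(/^[^=]*=[ \t]*/, "", t); sub(/[ \t]+$/, "", t); return t }
    function out(s)     { if (mode == "set") print s }
    function flush()    { if (mode == "set") printf "%s", pend; pend = "" }
    function emit_key(lead) { out(lead key " = " val); done = 1 }
    function emit_block()   { out(ind subsec " = {"); emit_key(ind ind); out(ind "}") }
    function finish_section() {          # leaving the target section with the key still unwritten
      if (insec && !done) { if (subsec == "") emit_key(ind); else emit_block() }
    }
    BEGIN { ind = "    " }
    /^[ \t]*\[[^]]+\][ \t]*$/ {          # section header such as [kdcdefaults]
      finish_section(); flush()
      name = $0; sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
      insec = (name == sec); if (insec) secfound = 1
      depth = 0; insub = 0; prevblank = 0
      out($0); next
    }
    {
      if (insec && !done && $0 ~ /^[ \t]*$/) { pend = pend $0 "\n"; next }  # hold blanks so an appended key lands before them
      flush(); prevblank = ($0 ~ /^[ \t]*$/)
      line = $0; opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
      target = insec && ((subsec == "" && depth == 0) || (subsec != "" && insub && depth == 1))
      if (target && lhs($0) == key) {    # existing assignment at the right nesting level
        if (mode == "get") { print rhs($0); exit }
        if (!done) { match($0, /^[ \t]*/); emit_key(substr($0, 1, RLENGTH)) }  # keep indentation, drop duplicates
        depth += opens - closes; next
      }
      if (insec && subsec != "" && depth == 0 && opens > 0 && lhs($0) == subsec) insub = 1  # entering REALM = {
      if (insub && depth == 1 && closes > opens && !done) emit_key(ind ind)                # closing brace of the realm block
      depth += opens - closes; if (depth == 0) insub = 0
      out($0)
    }
    END {
      if (mode == "set") {
        if (!secfound) { if (NR > 0 && !prevblank) out(""); out("[" sec "]"); insec = 1 }  # section missing: append it
        finish_section(); flush()
      }
    }' "$2"
}

_set() {                           # _set FILE SECTION SUBSECTION KEY VALUE
  tmp=$(mktemp) || return 1
  _ini set "$@" > "$tmp" && cat "$tmp" > "$1"   # cat, not mv: keeps the file's owner, mode and SELinux label
  rc=$?; rm -f "$tmp"; return $rc
}
set_kdc_option() {                 # set_kdc_option FILE KEY VALUE  -> [kdcdefaults] KEY = VALUE
  validate_option "$2" "$3" || { echo "refusing $2 = $3: outside the documented range" >&2; return 1; }
  _set "$1" kdcdefaults "" "$2" "$3"
}
set_realm_dbmodule_option() {      # set_realm_dbmodule_option FILE REALM KEY VALUE -> [dbmodules] REALM = { KEY = VALUE }
  validate_option "$3" "$4" || { echo "refusing $3 = $4: outside the documented range" >&2; return 1; }
  _set "$1" dbmodules "$2" "$3" "$4"
}
get_kdc_option()            { _ini get "$1" kdcdefaults "" "$2"; }
get_realm_dbmodule_option() { _ini get "$1" dbmodules "$2" "$3"; }

demo() {                           # constructed sample files only, never the live configuration
  kdc=$(mktemp); krb5=$(mktemp)
  printf '%s\n' '[kdcdefaults]' ' kdc_ports = 88' ' kdc_tcp_ports = 88' '' \
                '[realms]' ' EXAMPLE.COM = {' '  max_life = 7d' ' }' > "$kdc"
  printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' '' \
                '[dbmodules]' '    EXAMPLE.COM = {' '        disable_lockout = false' '    }' > "$krb5"
  set_kdc_option "$kdc" kdc_tcp_listen_backlog 7                           # section 7.2
  set_realm_dbmodule_option "$krb5" EXAMPLE.COM disable_last_success true  # section 7.4
  set_kdc_option "$kdc" kdc_tcp_listen_backlog 50 || true                  # rejected: outside 1-10
  cat "$kdc" "$krb5"; rm -f "$kdc" "$krb5"
}
demo
```

After running the two set_ functions against the real files, restart the KDC as the procedures require; on a RHEL IdM server that is the krb5kdc service (systemctl restart krb5kdc). For the backlog change there is a direct check: the Send-Q column that ss -ltn 'sport = :88' shows for the KDC's listening socket is the backlog actually in effect, so it should read 7 after the restart, or a smaller number if net.core.somaxconn is lower.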

7.5. Additional resources