Chapter 7. Adjusting the performance of the KDC
The following sections describe how to adjust the performance of the Kerberos Key Distribution Center (KDC), which is responsible for authenticating users, hosts, and services.
7.1. Options controlling general KDC behavior
You can adjust general KDC behavior by setting the following options in the [kdcdefaults] section of the /var/kerberos/krb5kdc/kdc.conf file.
- kdc_tcp_listen_backlog
  This option sets the length of the listen queue for the KDC daemon's TCP sockets, that is, how many incoming TCP connections the kernel holds for the KDC to accept. The default value of 5 may be too low for IdM deployments that experience high amounts of Kerberos traffic, but setting this value too high will degrade performance.
  Default value: 5
  Valid range: 1 - 10
7.2. Adjusting general KDC settings
This procedure adjusts general KDC behavior.
Procedure
- Open the /var/kerberos/krb5kdc/kdc.conf file in a text editor. Specify any options and their desired values within the [kdcdefaults] section. In this example, you are setting the TCP listen backlog to 7:
  [kdcdefaults]
  ...
  kdc_tcp_listen_backlog = 7
- Save and close the /var/kerberos/krb5kdc/kdc.conf file.
- Restart the KDC to load the new settings.
7.3. Options controlling KDC behavior per realm
To track account lockout for each Kerberos realm, the KDC writes to its database after every successful and failed authentication of a principal that requires preauthentication. By adjusting the following options in the [dbmodules] section of the /etc/krb5.conf file, you may be able to improve performance by reducing how often the KDC writes this information. Each option is set inside the block for the realm it applies to.
- disable_last_success
  If set to true, this option suppresses KDC updates to the Last successful authentication field of principal entries requiring preauthentication. The field is then no longer available for auditing when a principal last authenticated.
  Default value: false
  Valid values: true or false
- disable_lockout
  If set to true, this option suppresses KDC updates to the Last failed authentication and Failed password attempts fields of principal entries requiring preauthentication. Setting this flag may improve performance, but it also disables account lockout, which is a security risk: failed password attempts are no longer counted, so password guessing against a principal is no longer stopped by the KDC.
  Default value: false
  Valid values: true or false
7.4. Adjusting KDC settings per realm
This procedure adjusts KDC behavior per Kerberos realm.
Procedure
- Open the /etc/krb5.conf file in a text editor. Specify any options and their desired values within the [dbmodules] section, inside the block for the respective Kerberos realm. In this example, you are setting the disable_last_success variable for the EXAMPLE.COM Kerberos realm:
  [dbmodules]
  EXAMPLE.COM = {
    disable_last_success = true
  }
- Save and close the /etc/krb5.conf file.
- Restart the KDC to load the new settings.
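The two procedures above (sections 7.2 and 7.4) are usually scripted when many KDCs are managed. The following is an added example, not code from this page, from Red Hat IdM or from MIT krb5: a POSIX shell script that sets an option inside a section, or inside a realm block within a section, without creating duplicate lines, validates kdc_tcp_listen_backlog against the range the page states, and then shows the restart and verification steps. The sample configuration contents are constructed, the files are temporary copies rather than the real /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf, and the krb5kdc unit name in the final comment is an assumption about the host.

```shell
#!/bin/sh
# Added example; not code from the Red Hat page or from MIT krb5. It applies the
# two procedures above (sections 7.2 and 7.4) to copies of the files, checks the
# backlog against the range the page states (1-10), and shows the verification
# steps. The sample configs, temporary paths and the krb5kdc unit name are assumed.
set -eu

# valid_backlog N: succeed only when N is an integer in the page's range 1-10
valid_backlog() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac      # reject non-integers
    [ "$1" -ge 1 ] && [ "$1" -le 10 ]
}

# set_krb_option FILE SECTION KEY VALUE [REALM]
#   Ensure "KEY = VALUE" appears exactly once in [SECTION], or inside the
#   "REALM = { ... }" block of [SECTION] when REALM is given. An existing line
#   is rewritten in place, duplicates are dropped, and a missing key, realm
#   block or section is appended. Assumes one setting per line and a realm
#   block whose first line ends with "{".
set_krb_option() {
    tmp=$(mktemp)
    awk -v section="$2" -v key="$3" -v value="$4" -v realm="${5:-}" '
        function put(indent) { print indent key " = " value; done = 1 }
        function flush() { while (blanks > 0) { print ""; blanks-- } }
        function close_section() {            # leaving [SECTION]: add what is missing
            if (cur != section) return
            if (realm == "") { if (!done) put(" ") }
            else if (!found_realm) { print " " realm " = {"; put("  "); print " }"; found_realm = 1 }
        }
        { line = $0; gsub(/[ \t]/, "", line) }        # whitespace-free copy
        /^[ \t]*$/ { blanks++; next }                  # hold blank lines back
        /^[ \t]*\[/ {                                  # section header
            close_section(); flush()
            cur = line; sub(/^\[/, "", cur); sub(/\].*$/, "", cur)
            if (cur == section) found_section = 1
            print; next
        }
        cur == section && realm != "" && !inrealm && index(line, realm "={") == 1 {
            inrealm = 1; found_realm = 1; depth = 1; flush(); print; next
        }
        inrealm {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested braces
            if (depth == 0) { if (!done) put("  "); inrealm = 0; flush(); print; next }
        }
        cur == section && (realm == "" || inrealm) && index(line, key "=") == 1 {
            if (done) next                             # drop a duplicate
            match($0, /^[ \t]*/); flush(); put(substr($0, 1, RLENGTH)); next
        }
        { flush(); print }
        END {
            if (!found_section) { flush(); print ""; print "[" section "]" }
            cur = section; close_section(); flush()
        }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"        # overwrite in place to keep the file's owner and mode
    rm -f "$tmp"
}

# get_krb_option FILE SECTION KEY [REALM]: print the current value, if any
get_krb_option() {
    awk -v section="$2" -v key="$3" -v realm="${4:-}" '
        { line = $0; gsub(/[ \t]/, "", line) }
        /^[ \t]*\[/ { cur = line; sub(/^\[/, "", cur); sub(/\].*$/, "", cur); inrealm = 0; next }
        cur == section && realm != "" && index(line, realm "={") == 1 { inrealm = 1; next }
        inrealm && line ~ /^}/ { inrealm = 0 }
        cur == section && (realm == "" || inrealm) && index(line, key "=") == 1 {
            sub(/^[^=]*=/, "", line); print line; exit
        }
    ' "$1"
}

# Constructed stand-ins for /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf,
# so the script runs unprivileged; point these at the real files on a KDC.
work=$(mktemp -d)
KDC_CONF=$work/kdc.conf
KRB5_CONF=$work/krb5.conf
printf '[kdcdefaults]\n kdc_ports = 88\n kdc_tcp_ports = 88\n\n[realms]\n EXAMPLE.COM = {\n  max_life = 1d\n }\n' > "$KDC_CONF"
printf '[dbmodules]\n EXAMPLE.COM = {\n  disable_last_success = false\n }\n' > "$KRB5_CONF"

# Section 7.2: the key is absent, so it is added at the end of [kdcdefaults]
backlog=7
valid_backlog "$backlog" || { echo "kdc_tcp_listen_backlog must be 1-10" >&2; exit 1; }
set_krb_option "$KDC_CONF" kdcdefaults kdc_tcp_listen_backlog "$backlog"

# Section 7.4: the key exists in the realm block, so it is rewritten in place
set_krb_option "$KRB5_CONF" dbmodules disable_last_success true EXAMPLE.COM

cat "$KDC_CONF" "$KRB5_CONF"
# On the real KDC, finish with (assumed unit name on RHEL/IdM):
#   systemctl restart krb5kdc
# and check the TCP listener on port 88: for LISTEN sockets, the Send-Q column
# of "ss -ltn" is the configured backlog, so it should now read 7.
```

The script overwrites the target file through cat rather than mv so that the ownership and mode of kdc.conf and krb5.conf survive the edit; the range check runs before anything is written, because a value outside 1-10 is the kind of mistake that is only noticed when the KDC fails to start or silently ignores the setting.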
7.5. Additional resources
- For more information on additional kdc.conf options, see MIT Kerberos Documentation - kdc.conf.