Chapter 7. Adjusting the performance of the KDC

The following sections describe how to adjust the performance of the Kerberos Key Distribution Center (KDC), which is responsible for authenticating users, hosts, and services.

7.1. Adjusting the length of the KDC listen queue

You can adjust the length of the KDC daemon's TCP listen queue (the backlog passed to listen(2) on port 88) by setting the kdc_tcp_listen_backlog option in the [kdcdefaults] section of the /var/kerberos/krb5kdc/kdc.conf file. The setting applies only to the KDC's TCP listeners; UDP requests have no accept queue. The default value of 5 may be too low for IdM deployments that handle large amounts of Kerberos traffic, but setting this value too high degrades performance.

Default value

5

Valid range

1 - 10

Procedure

  1. Open the /var/kerberos/krb5kdc/kdc.conf file in a text editor.
  2. Set the TCP listen backlog to your desired value, such as 7.

    [kdcdefaults]
     ...
     kdc_tcp_listen_backlog = 7
  3. Save and close the /var/kerberos/krb5kdc/kdc.conf file.
  4. Restart the KDC to load the new settings.

7.2. Options controlling KDC behavior per realm

To implement account lockout, the KDC records every successful and every failed preauthentication attempt in its database, for each Kerberos realm. By adjusting the following options in the [dbmodules] section of the /etc/krb5.conf file, you may be able to improve performance by reducing how often the KDC writes to the database.

disable_last_success

If set to true, this option suppresses KDC updates to the Last successful authentication field of principal entries that require preauthentication. This removes one database write per successful authentication, but the KDC then no longer keeps a record of when a principal last authenticated, which is a field administrators often use to find stale accounts.

Default value

false

Valid range

true or false

disable_lockout

If set to true, this option suppresses KDC updates to the Last failed authentication and Failed password attempts fields of principal entries that require preauthentication. Setting this flag may improve performance, but it disables account lockout: failed preauthentication attempts are no longer counted, so the KDC no longer throttles or locks out password guessing against a principal. Treat this as a security trade-off, not only a tuning option.

Default value

false

Valid range

true or false

7.3. Adjusting KDC settings per realm

This procedure sets the [dbmodules] options described in the previous section for a specific Kerberos realm.

Procedure

  1. Open the /etc/krb5.conf file in a text editor.
  2. Within the [dbmodules] section, add the options and their desired values inside the stanza for the respective Kerberos realm. In this example, you are setting the disable_last_success option for the EXAMPLE.COM Kerberos realm.

    [dbmodules]
        EXAMPLE.COM = {
            disable_last_success = true
        }
  3. Save and close the /etc/krb5.conf file.
  4. Restart the KDC to load the new settings.
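Sections 7.1 and 7.3 both edit a krb5-style configuration file by hand. The following Python helper, added here as an example and not part of IdM or MIT Kerberos, makes the same two edits programmatically and keeps the surrounding lines intact: it sets kdc_tcp_listen_backlog in [kdcdefaults] after checking the 1 - 10 range stated in section 7.1, and it sets disable_last_success or disable_lockout inside the REALM = { ... } stanza of [dbmodules], creating the stanza if the realm has none yet. The sample configuration texts are constructed for this example, and the function names are this example's own.

```python
"""Set KDC tuning options in krb5-style config files (added example, not IdM code)."""
import re
from pathlib import Path

BACKLOG_RANGE = range(1, 11)  # valid range for kdc_tcp_listen_backlog: 1 - 10
REALM_BOOL_OPTIONS = {"disable_last_success", "disable_lockout"}

_SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
_KV_RE = re.compile(r"^(\s*)([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def _find_section(lines, name):
    """Return (header_index, end_index) of [name]; end is exclusive."""
    start = None
    for i, line in enumerate(lines):
        m = _SECTION_RE.match(line)
        if m and start is not None:
            return start, i          # next section header ends ours
        if m and m.group(1) == name:
            start = i
    if start is None:
        raise KeyError(f"no [{name}] section")
    return start, len(lines)


def _set_in_range(lines, first, end, key, value, indent):
    """Replace key = ... within lines[first:end], or append it before trailing blanks."""
    for i in range(first, end):
        m = _KV_RE.match(lines[i])
        if m and m.group(2) == key:
            lines[i] = f"{m.group(1)}{key} = {value}"
            return
    j = end
    while j > first and lines[j - 1].strip() == "":
        j -= 1
    lines.insert(j, f"{indent}{key} = {value}")


def set_tcp_listen_backlog(text: str, backlog: int) -> str:
    """Return kdc.conf text with kdc_tcp_listen_backlog set in [kdcdefaults]."""
    if backlog not in BACKLOG_RANGE:
        raise ValueError(f"kdc_tcp_listen_backlog must be 1-10, got {backlog}")
    lines = text.splitlines()
    start, end = _find_section(lines, "kdcdefaults")
    _set_in_range(lines, start + 1, end, "kdc_tcp_listen_backlog", backlog, indent=" ")
    return "\n".join(lines) + "\n"


def set_realm_db_option(text: str, realm: str, key: str, value: bool) -> str:
    """Return krb5.conf text with a per-realm [dbmodules] boolean set."""
    if key not in REALM_BOOL_OPTIONS:
        raise ValueError(f"unsupported option {key}")
    val = "true" if value else "false"
    lines = text.splitlines()
    start, end = _find_section(lines, "dbmodules")
    stanza_re = re.compile(r"^\s*" + re.escape(realm) + r"\s*=\s*\{\s*$")
    for i in range(start + 1, end):
        if stanza_re.match(lines[i]):
            for j in range(i + 1, end):          # find the closing brace
                if lines[j].strip() == "}":
                    _set_in_range(lines, i + 1, j, key, val, indent=" " * 8)
                    return "\n".join(lines) + "\n"
            raise ValueError(f"unterminated stanza for {realm}")
    j = end                                      # no stanza yet: add one
    while j > start + 1 and lines[j - 1].strip() == "":
        j -= 1
    lines[j:j] = [f"    {realm} = {{", f"        {key} = {val}", "    }"]
    return "\n".join(lines) + "\n"


def edit_file(path: str, editor, *args) -> None:
    """Apply editor(text, *args) to a file in place (run as root on the KDC)."""
    p = Path(path)
    p.write_text(editor(p.read_text(), *args))


# Constructed sample inputs, shaped like the fragments shown in this chapter.
SAMPLE_KDC_CONF = "[kdcdefaults]\n kdc_ports = 88\n kdc_tcp_ports = 88\n\n[realms]\n EXAMPLE.COM = {\n  acl_file = /var/kerberos/krb5kdc/kadm5.acl\n }\n"
SAMPLE_KRB5_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n\n[dbmodules]\n    EXAMPLE.COM = {\n        disable_last_success = false\n    }\n"

if __name__ == "__main__":
    print(set_tcp_listen_backlog(SAMPLE_KDC_CONF, 7))
    print(set_realm_db_option(SAMPLE_KRB5_CONF, "EXAMPLE.COM", "disable_last_success", True))
```

The helper only rewrites text; after calling edit_file on /var/kerberos/krb5kdc/kdc.conf or /etc/krb5.conf, restart the KDC as in step 4 so that the new values are read. The range check for the backlog and the whitelist of boolean options are there so that a typo cannot silently put an unknown key into a file that krb5kdc reads at startup.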

7.4. Adjusting the number of krb5kdc processes

This procedure describes how to manually adjust the number of processes that the Key Distribution Center (KDC) starts to handle incoming connections.

By default, the IdM installer detects the number of CPU cores and enters the value in the /etc/sysconfig/krb5kdc file. For example, the file might contain the following entry:

KRB5KDC_ARGS='-w 2'
[...]

In this example, with the KRB5KDC_ARGS parameter set to -w 2, the main krb5kdc process forks two worker processes that handle incoming requests. You might want to adjust this value, especially in virtual environments where you can easily add or remove virtual CPUs based on your requirements. If too few workers are available, the TCP accept queue on port 88 keeps growing, which causes performance issues or even makes IdM servers unresponsive. To prevent this, start more worker processes by manually setting the KRB5KDC_ARGS parameter to a higher value.

Procedure

  1. Open the /etc/sysconfig/krb5kdc file in a text editor.
  2. Specify the value of the KRB5KDC_ARGS parameter. In this example, you are setting the number of processes to 10:

    KRB5KDC_ARGS='-w 10'
    [...]
  3. Save and close the /etc/sysconfig/krb5kdc file.
  4. Reload the systemd configuration:

    # systemctl daemon-reload
  5. Restart the krb5kdc service:

    # systemctl restart krb5kdc.service
