You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Tony Butt <tj...@cea.com.au> on 2007/03/28 02:20:47 UTC
mod_auth_krb and performance
We have been using subversion 1.3.2, mod_auth_krb 5.3 and apache 2.0.49
on a Suse Enterprise Linux (SLES) 9 box quite happily until recently.
Our authentication was done to Active Directory running on Windows 2000
Servers, and was used to authenticate our entire (internal) web site,
including http access to subversion.
Recently (last weekend), the windows servers were 'upgraded' to 2003 Server.
The first thing that happened is that mod_auth)_krb authentication broke
totally. It seems that 2003 Server now cares about the kvno of the
Kerberos keys. A day of work finally isolated this, we found a working
set of Kerberos keytabs, and all seemed well.
However...
A few hours later, my users reported very slow access to subversion, at
least an order of magnitude slower. Sniffing the net traffic with
ethereal showed that all seemed well, there were requests for
pre-authentication coming from the windows server, but this seemed
normal. What is not normal is that each authentication is taking in the
order of milliseconds to complete, which totally bogs down any
subversion access to the repository via http.
Does anyone have a mod_auth_krb setup working against Windows 2003
Servers which works efficiently? We have had to resort to a second
authentication scheme (ldap) for subversion, which was another saga in
itself...
Tony Butt
CEA Technologies,
Canberra Australia
Re: mod_auth_krb and performance
Posted by Tony Butt <tj...@cea.com.au>.
Samay wrote:
> G'day mate,
>
> seems weird. We haven't yet seen this slowness. We are using (RHEL4) &
> (Gentoo) Apache 2.0 etc with SPNego against AD 2003 (not R2).
>
> All our pain is due to bugs in Neon as regards connection resets after
> 5 minutes!
>
> Are u sure its not due to retries re encryption types, etc?
>
> cheers
>
> S.
>
>
Samay (and list)
The ethereal trace showed no retries, except for PreAuthentication required.
I will have another look now that the pressure is off, and see if I can
see anything else.
BTW, our Server 2003 is R2
Tony
>
> ----- Original Message -----
> From: "Tony Butt" <tj...@cea.com.au>
> To: <us...@subversion.tigris.org>
> Sent: Wednesday, March 28, 2007 12:20 PM
> Subject: mod_auth_krb and performance
>
>> We have been using subversion 1.3.2, mod_auth_krb 5.3 and apache 2.0.49
>> on a Suse Enterprise Linux (SLES) 9 box quite happily until recently.
>>
>> Our authentication was done to Active Directory running on Windows 2000
>> Servers, and was used to authenticate our entire (internal) web site,
>> including http access to subversion.
>>
>> Recently (last weekend), the windows servers were 'upgraded' to 2003
>> Server.
>> The first thing that happened is that mod_auth)_krb authentication broke
>> totally. It seems that 2003 Server now cares about the kvno of the
>> Kerberos keys. A day of work finally isolated this, we found a working
>> set of Kerberos keytabs, and all seemed well.
>>
>> However...
>> A few hours later, my users reported very slow access to subversion, at
>> least an order of magnitude slower. Sniffing the net traffic with
>> ethereal showed that all seemed well, there were requests for
>> pre-authentication coming from the windows server, but this seemed
>> normal. What is not normal is that each authentication is taking in the
>> order of milliseconds to complete, which totally bogs down any
>> subversion access to the repository via http.
>>
>> Does anyone have a mod_auth_krb setup working against Windows 2003
>> Servers which works efficiently? We have had to resort to a second
>> authentication scheme (ldap) for subversion, which was another saga in
>> itself...
>>
>> Tony Butt
>> CEA Technologies,
>> Canberra Australia
>>
>
>
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: users-help@subversion.tigris.org
>