mod_auth_krb and performance

[Tony Butt <tj...@cea.com.au>]

We have been using subversion 1.3.2, mod_auth_krb 5.3  and apache 2.0.49 
on a Suse Enterprise Linux (SLES) 9 box quite happily until recently.

Our authentication was done to Active Directory running on Windows 2000 
Servers, and was used to authenticate our entire (internal) web site, 
including http access to subversion.

Recently (last weekend), the windows servers were 'upgraded' to 2003 Server.
The first thing that happened is that mod_auth)_krb authentication broke 
totally. It seems that 2003 Server now cares about the kvno of the 
Kerberos keys. A day of work finally isolated this, we found a working 
set of Kerberos keytabs, and all seemed well.

However...
A few hours later, my users reported very slow access to subversion, at 
least an order of magnitude slower. Sniffing the net traffic with 
ethereal showed that all seemed well, there were requests for 
pre-authentication coming from the windows server, but this seemed 
normal. What is not normal is that each authentication is taking in the 
order of milliseconds to complete, which totally bogs down any 
subversion access to the repository via http.

Does anyone have a mod_auth_krb setup working against Windows 2003 
Servers which works efficiently? We have had to resort to a second 
authentication scheme (ldap) for subversion, which was another saga in 
itself...

Tony Butt
CEA Technologies,
Canberra Australia

Re: mod_auth_krb and performance

[Tony Butt <tj...@cea.com.au>]

Samay wrote:
> G'day mate,
>
> seems weird. We haven't yet seen this slowness. We are using (RHEL4) & 
> (Gentoo) Apache 2.0 etc with SPNego against AD 2003 (not R2).
>
> All our pain is due to bugs in Neon as regards connection resets after 
> 5 minutes!
>
> Are u sure its not due to retries re encryption types, etc?
>
> cheers
>
> S.
>
>
Samay (and list)
The ethereal trace showed no retries, except for PreAuthentication required.
I will have another look now that the pressure is off, and see if I can 
see anything else.
BTW, our Server 2003 is R2

Tony
>
> ----- Original Message -----
> From: "Tony Butt" <tj...@cea.com.au>
> To: <us...@subversion.tigris.org>
> Sent: Wednesday, March 28, 2007 12:20 PM
> Subject:  mod_auth_krb and performance
>
>> We have been using subversion 1.3.2, mod_auth_krb 5.3  and apache 2.0.49
>> on a Suse Enterprise Linux (SLES) 9 box quite happily until recently.
>>
>> Our authentication was done to Active Directory running on Windows 2000
>> Servers, and was used to authenticate our entire (internal) web site,
>> including http access to subversion.
>>
>> Recently (last weekend), the windows servers were 'upgraded' to 2003 
>> Server.
>> The first thing that happened is that mod_auth)_krb authentication broke
>> totally. It seems that 2003 Server now cares about the kvno of the
>> Kerberos keys. A day of work finally isolated this, we found a working
>> set of Kerberos keytabs, and all seemed well.
>>
>> However...
>> A few hours later, my users reported very slow access to subversion, at
>> least an order of magnitude slower. Sniffing the net traffic with
>> ethereal showed that all seemed well, there were requests for
>> pre-authentication coming from the windows server, but this seemed
>> normal. What is not normal is that each authentication is taking in the
>> order of milliseconds to complete, which totally bogs down any
>> subversion access to the repository via http.
>>
>> Does anyone have a mod_auth_krb setup working against Windows 2003
>> Servers which works efficiently? We have had to resort to a second
>> authentication scheme (ldap) for subversion, which was another saga in
>> itself...
>>
>> Tony Butt
>> CEA Technologies,
>> Canberra Australia
>>
>
>
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: users-help@subversion.tigris.org 
>