negotiate protocol taking more than 700mS in recent versions of Samba
Andrew Bartlett
abartlet at samba.org
Thu May 5 18:39:11 UTC 2016
On Mon, 2016-05-02 at 08:40 -0700, Richard Sharpe wrote:
> Hi folks,
>
> While running some FSCT testing we found that NegProt was taking more
> than 700mS, most of it in gensec.
>
> It seems that we are generating a keytab with keys for all the enc
> types.
>
> Our initial solution was to cache the result from the first such
> call,
> however, this needs to be done carefully because of machine account
> password changes.
>
> Are there any better approaches?
A cache of the keytab on disk would be very good. To avoid the
cache coherency issues and in particular to support ctdb replication of
the machine account pw, I suggest keying off the arcfour-hmac-md5 key.
That is, md4(unicode(pw)) is cheap, so just fetch the keys from the
keytab, and ensure they match the old and new passwords with that.
This, combined with some patches our team at Catalyst were exploring to
use a krb5 ccache should save us a *lot* of time in make test, as over
the whole test we spend about 10% of the CPU time in sha1()!
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
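As an added illustration of the coherence check Andrew describes (this is example code, not from the thread or from Samba): derive the arcfour-hmac-md5 key as md4(unicode(pw)), then accept a cached keytab only if it carries a matching key for the current machine password and, while an old one is still in play, for the previous password too. MD4 is implemented inline because hashlib's md4 is often unavailable; the keytab entry layout (kvno, enctype, key) and the passwords are constructed for the example.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
ENCTYPE_ARCFOUR_HMAC_MD5 = 23  # Kerberos enctype number for arcfour-hmac-md5

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:  # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G, message words column-wise (0,4,8,12,1,...)
                j = i - 16
                f = (b & c) | (b & d) | (c & d)
                k, s, add = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:  # round 3: H, message words in the RFC's bit-reversed order
                f = b ^ c ^ d
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32]
                s, add = (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _lrot((a + f + x[k] + add) & MASK32, s), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def arcfour_hmac_key(password: str) -> bytes:
    """arcfour-hmac-md5 key = MD4(UTF-16LE(password)), i.e. the NT hash: far cheaper
    than the iterated AES string-to-key, which is what makes it a usable cache tag."""
    return md4(password.encode("utf-16-le"))

def keytab_cache_coherent(entries, current_pw: str, previous_pw=None) -> bool:
    """entries: (kvno, enctype, key) tuples, a constructed stand-in for the cached keytab.
    Trust the cache only if it holds arcfour-hmac-md5 keys for every password still in use."""
    rc4_keys = [key for _, etype, key in entries if etype == ENCTYPE_ARCFOUR_HMAC_MD5]
    needed = [current_pw] + ([previous_pw] if previous_pw is not None else [])
    for pw in needed:
        want = arcfour_hmac_key(pw)
        if not any(hmac.compare_digest(want, key) for key in rc4_keys):
            return False  # stale cache: regenerate the full keytab
    return True
```

A stale result means the expensive all-enctype keytab generation must run again, so the check should be cheap relative to that, which is exactly why the RC4 key rather than an AES key is used as the tag.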