[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: mod_auth_krb and performance

From: Tony Butt <tjb_at_cea.com.au>
Date: 2007-03-28 05:26:31 CEST

Samay wrote:
> G'day mate,
>
> seems weird. We haven't yet seen this slowness. We are using (RHEL4) &
> (Gentoo) Apache 2.0 etc with SPNego against AD 2003 (not R2).
>
> All our pain is due to bugs in Neon as regards connection resets after
> 5 minutes!
>
> Are u sure its not due to retries re encryption types, etc?
>
> cheers
>
> S.
>
>
Samay (and list)
The ethereal trace showed no retries, except for PreAuthentication required.
I will have another look now that the pressure is off, and see if I can
see anything else.
BTW, our Server 2003 is R2

Tony
>
> ----- Original Message -----
> From: "Tony Butt" <tjb@cea.com.au>
> To: <users@subversion.tigris.org>
> Sent: Wednesday, March 28, 2007 12:20 PM
> Subject: mod_auth_krb and performance
>
>> We have been using subversion 1.3.2, mod_auth_krb 5.3 and apache 2.0.49
>> on a Suse Enterprise Linux (SLES) 9 box quite happily until recently.
>>
>> Our authentication was done to Active Directory running on Windows 2000
>> Servers, and was used to authenticate our entire (internal) web site,
>> including http access to subversion.
>>
>> Recently (last weekend), the windows servers were 'upgraded' to 2003
>> Server.
>> The first thing that happened is that mod_auth)_krb authentication broke
>> totally. It seems that 2003 Server now cares about the kvno of the
>> Kerberos keys. A day of work finally isolated this, we found a working
>> set of Kerberos keytabs, and all seemed well.
>>
>> However...
>> A few hours later, my users reported very slow access to subversion, at
>> least an order of magnitude slower. Sniffing the net traffic with
>> ethereal showed that all seemed well, there were requests for
>> pre-authentication coming from the windows server, but this seemed
>> normal. What is not normal is that each authentication is taking in the
>> order of milliseconds to complete, which totally bogs down any
>> subversion access to the repository via http.
>>
>> Does anyone have a mod_auth_krb setup working against Windows 2003
>> Servers which works efficiently? We have had to resort to a second
>> authentication scheme (ldap) for subversion, which was another saga in
>> itself...
>>
>> Tony Butt
>> CEA Technologies,
>> Canberra Australia
>>
>
>
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: users-help@subversion.tigris.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed Mar 28 05:27:57 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.