Description of problem:
in krb5.spec --with-crypto-impl is not specified, resulting in --with-crypto-impl=builtin. The builtin routines seem rather slow and CPU intensive. Adding --with-crypto-impl=openssl can reduce processing time by ca. 50%
Version-Release number of selected component (if applicable):
One affected application is samba server joined to AD, where connection setup with kerberos is slowed down. The following was run against VMWare server with 2 CPUs.
for i in `seq 1 10` ; do time smbclient //someserverinad/someshare -k -c exit & sleep .1 ; done
Load on samaba server goes up, responses take up to 8 seconds.
perf top shows excessive CPU usage by:
17.26% libk5crypto.so.3.1 [.] k5_sha256_update
After rebuilding krb5-libs with configure option --with-crypto-impl=openssl response times go down to 4 seconds.
openssl already is a requisite for krb5-libs, so adding this option should not have any impact.
400ms for session setup may seem not so much and under normal conditions is no problem. After a server restart or network outage Windows clients tend to reconnect rather agressive, resulting in much more then 10 connections per second (like in my test above) and having the samba server completely unresponsive for minutes.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.