#529068 libkrb53: gssapi browser auth slow and freezy

Package:
libkrb5-3
Source:
krb5
Description:
MIT Kerberos runtime libraries
Submitter:
"A.K."
Date:
2011-12-27 11:57:42 UTC
Severity:
important
#529068#5
Date:
2009-05-17 15:10:27 UTC
From:
To:
I'm using sites with gssapi auth. On some of the sites pages open very slowly and browser GUI freezes then works again for a second then freezes again and so on until the page is fully loaded.

I observe same behaviour with firefox, konqueror and epiphany.

I don't know how to debug the issue so suggestions are welcome but I do think the issue is debian specific to MIT kerberos package because:
1. using heimdal kerberos library all sites open normally without long annoying freezes (used the ff about:config to select it as gsslib)
2. on fedora 10 with the mit kerberos lib I also don't see these long freezes and slowness (tried to make krb5.conf equal on the two machines)

Regards

#529068#10
Date:
2009-05-18 10:35:12 UTC
From:
To:
Can I get you to make sure that your krb5.conf explicitly lists the
KDCs for the realms in question, and that each KDC ends with a trailling period.
I.E.
kdc = kerberos.your.domain.
not
kdc = kerberos.your.domain

Also, do you see slowness the first time you open a location or all the time?

#529068#15
Date:
2009-05-18 10:35:12 UTC
From:
To:
Can I get you to make sure that your krb5.conf explicitly lists the
KDCs for the realms in question, and that each KDC ends with a trailling period.
I.E.
kdc = kerberos.your.domain.
not
kdc = kerberos.your.domain

Also, do you see slowness the first time you open a location or all the time?

#529068#20
Date:
2009-05-19 04:57:51 UTC
From:
To:
It is in the form kdc = <host>:<port> just like the standard entries
in the file. This is the same as on the fedora system which is
actually a virtualbox VM (with vbox nat networking) on the debian
machine so I'm excluding as a cause the network settings.
As well all sites I'm using kerberos auth with are with the same kdc.
Where should I put a dot if that can help?

It is always slow - slower the first time I open a page (I would guess
because some objects are cached).

Thanks

#529068#25
Date:
2009-05-19 15:39:58 UTC
From:
To:
    Aleksandar> It is in the form kdc = <host>:<port> just like the
    Aleksandar> standard entries in the file. This is the same as on
    Aleksandar> the fedora system which is actually a virtualbox VM
    Aleksandar> (with vbox nat networking) on the debian machine so
    >

I'm looking into DNS issues; the VM under vboxnat doesn't entirely
exclude that.

put something like
kdc = <host.>:<port>

in krb5.conf.

Based on some other things, I suspect that's not the issue, but it is
important to rule out.

I don't have a lot of ideas here about what is going on.  I can think
of things that might be slow or blocking on the server side, but not
on the client side.
Do you happen to know approximately how many http connections are required in a given page load?
I'd expect that the only place any Kerberos could slow things down is during the initial sending of an HTTP request.

#529068#30
Date:
2009-05-20 13:09:56 UTC
From:
To:
Actually with both machines I'm using the same DNS server (run on the
debian machine).

Yes, tried and doesn't seem to change anything.

I would guess that authentication is not threaded in browsers but why
can one library take so much longer than the other is very odd.

Looking at the firefox' status bar of the page there are probably near
300 objects (images?) have to be loaded.

btw. I tried using libgssglue configured to use mit kerberos and it is
also slow.

Regards

#529068#35
Date:
2009-05-20 13:43:10 UTC
From:
To:
Can I get you to make sure you have krb5-user installed,

kinit -c KEYRING:blah <principal_name_goes_here>
and start firefox with the KRB5CCNAME environment variable set to KEYRING:blah

(to confirm you're using the keyring cache, probably doing a kdestroy
on your normal tickets would be good)

What I'm trying to do here is to see if the performance is dependent
on what type of credential cache is used.  I'm suspecting that there
is a locking problem in either MIT or Heimdal.  Either MIT holds a
lock too long, doesn't have fine grain locking somewhere, or Heimdal
has a race condition and is not holding a lock that it needs.  The
keyring cache has a different locking path than the file based cache.
So, it may perform differently.  If it is faster, then that tells us
something.  If it is not, then we don't learn much.

I don't have a test environment in which to reproduce this, although I
am talking to upstream about the issue.  I have not actually opened an
upstream bug at this point; I've brought the issue up on the krbcore
list.

#529068#40
Date:
2009-05-24 13:45:11 UTC
From:
To:
Sorry for the delay but was overloaded with other things.

Yes, I have that package.
kinit -c KEYRING:blah <myuser>
export KRB5CCNAME="KEYRING:blah"
klist #now I see "Ticket cache: KEYRING:blah"
firefox & #very slow as before
klist #I see tickets requested for the web sites I'm trying to open

I wonder though if filesystem in use can make any difference given you
are suspecting some cache and locking?

I know it's very hard when you can't reproduce. I will understand if
you give up as after all it is not a critical issue to me (I'm fine
using heimdal).

Thanks for trying to help. If you have any other ideas, I'll be happy
to try. Actually I have one. I didn't try with any other kerberos
service so if you know some other I can try with both implementations,
that could possibly make a reproducer.

Regards

#529068#45
Date:
2009-05-25 13:59:47 UTC
From:
To:
I've forwarded your latest message to upstream.

One advantage of the keyring cache is that it completely isolates the
file system for ticket caching.

#529068#50
Date:
2011-06-27 12:58:18 UTC
From:
To:
Tcpdump shows me there are a lot of request and replyes on port 88.

Firefox logs:

#529068#55
Date:
2011-06-27 14:01:34 UTC
From:
To:
How many requests do port 88 do you see?
Are most of them tgs requests?

I think you may have given a clue to what's going on.