
High CPU and slow response on Red Hat using Kerberos

Issue

When using Kerberos authentication, slow performance and high CPU utilisation may be seen when performing Kerberos operations, such as creating a keytab using the net process or authenticating an NFSv4 mount using rpc.svcgssd.

e.g. creating a keytab:
# time net ads keytab create -U username

Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter username's password:

real    5m47.223s
user    5m15.135s
sys     0m24.611s


e.g. from top:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2176 root      20   0  183m 5872 4612 R 99.9  0.1   2:20.60 net


  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3392 root      20   0  533m 498m 1540 R 99.7  6.4   0:08.55 rpc.svcgssd

Resolution

The following SELinux policy packages cause high CPU utilisation for Kerberos operations, even when using the SELINUX=permissive setting in /etc/sysconfig/selinux:

- selinux-policy-3.7.19-155.el6_3.noarch
- selinux-policy-targeted-3.7.19-155.el6_3.noarch

Either downgrade the packages, or set SELINUX=disabled in /etc/sysconfig/selinux.

To downgrade:
yum downgrade selinux-policy selinux-policy-targeted


After setting SELINUX=disabled and rebooting:
# time net ads keytab add nfs -U username

Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Processing principals to add...
Enter username's password:

real    0m3.095s
user    0m0.015s
sys     0m0.016s


This may also significantly improve boot times.
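
The check below is an added example, not part of the original article: it reports whether a host has the policy builds listed above installed, and whether the SELINUX=disabled workaround is configured, so hosts left with SELinux off can be tracked. The function names and the --live switch are assumptions; the package versions and config path are those given in this article.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Package versions and the
# config path come from the article.

# Print the value of the first uncommented SELINUX= line in config file $1.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | head -n 1 | tr 'A-Z' 'a-z'
}

# Read package names (one per line, as printed by rpm -q) on stdin and
# print only the builds the article lists as causing the problem.
affected_installed() {
    while IFS= read -r pkg; do
        case "$pkg" in
            selinux-policy-3.7.19-155.el6_3.noarch|selinux-policy-targeted-3.7.19-155.el6_3.noarch)
                printf '%s\n' "$pkg" ;;
        esac
    done
}

# Usage: rpm -q selinux-policy selinux-policy-targeted | assess_host /etc/sysconfig/selinux
# Prints one of: not-affected | affected | workaround-disabled
assess_host() {
    hits=$(affected_installed)
    mode=$(selinux_config_mode "$1")
    if [ -z "$hits" ]; then
        echo "not-affected"
    elif [ "$mode" = "disabled" ]; then
        # The article's workaround is in place; SELinux is off on this host.
        echo "workaround-disabled"
    else
        # Per the article, permissive shows the slowdown just as enforcing does.
        echo "affected"
    fi
}

# Query the live system only when asked, so the functions can be used offline.
if [ "${1:-}" = "--live" ]; then
    rpm -q selinux-policy selinux-policy-targeted | assess_host /etc/sysconfig/selinux
fi
```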

Products

Red Hat Enterprise Linux 6.3

Created: 18th July 2012
Updated: 18th July 2012

© 2005-2024 Jamie Morrison