init_sec_context() stores a sub, sub domain tgt without deleting existing one causing Memory Leak - (KRB5_GC_NO_STORE).

Rahul G rahulrasm at gmail.com
Fri May 12 19:49:22 EDT 2017


It does look like the solution I need.
I really appreciate the quick response.

I will pull this commit and see if it solves my issue.

Thank you so much Greg.

Thank You,
Rahul.

On Fri, May 12, 2017 at 7:40 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 05/12/2017 03:49 PM, Rahul G wrote:
> > I observed that when a user from a sub sub domain (three levels down from
> > top) makes a request, init_sec_context function (which eventually calls
> > get_creds.c)
> > stores the TGT of the sub sub domain in the ccache.
> > Problem is, when another user from the same domain makes a request, it
> > stores the same TGT again and
> > the cache now has 2 copies of the same TGT, and this continues for every
> > user thereby increasing the memory used by the process.
>
> This sounds like a variant of
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=8579 where the KDC
> response is an alternate TGT.  We recently committed a change to master
> to fix that problem:
>
> https://github.com/krb5/krb5/commit/1dc619624421002b1e64d3b8c7e270508381b3e6
>
> Unfortunately we don't put out KfW releases very often, but if you're
> prepared to rebuild KfW from source code you could apply that patch.
>

