malloc hang inside krb5_sendto_kdc

Ken Weaverling weave at navajo.dtcc.edu
Sat Feb 14 10:10:51 EST 2004


In article <Xns94836F3DC782Dweavespamcopnet at 216.196.97.131>,
Ken Weaverling  <weave at spamcop.net> wrote:
>I'm having some weird kerberos authentication issues since upgrading a 
>Redhat box from 7.3 to RHEL 3. imap authenticates against a windows 2000 
>kerberos server. That worked under 7.3 for well over a year on a fairly 
>heavy loaded box (~300 imap connections open, a few new connects a 
>second).
>
>Since upgrading to RHEL 3, a few times a day an imap process will go 
>into a CPU loop and consume all resources and sometimes other processes, 
>such as our ldap server and apache server will hang until that imap 
>process is killed.
>
>Attaching to the processes always indicates the hang is within malloc() 
>and always being called from krb5_sendto_kdc. The loop is somewhere 
>within malloc. The function never returns. 

Just a followup note to say that upgrading to 1.3.1 seems to have
solved the problems for us.  We have gone an entire week without any
new hangs since upgrading.  

For those with Redhat RHEL 3 who might come upon this post, to upgrade
to kerberos 1.3 using Redhat RPMS you need to do the following. Note
well that doing this will most likely make your changes unsupported by
Redhat unfortunately. (I do hope that Redhat backports or upgrades
RHEL 3 to fix this bug.)

1) Download the e2fsprogs and krb5 source RPMS from Fedora Core 1.
Download the source RPM for pam_krb5 for RHEL 3 (not Fedora)

2) build and install the e2fsprogs rpm obtained above

3) Make a symlink in /lib so libcom_err.so.3 points to libcom_err.so.2.1
(else you'll get dependency issues on next step)

4) build and install the krb5 rpm obtained above

5) build and install the pam_krb5 rpm from above (rpm -e old one first)

Note, a kind soul has provided pre-compiled binaries and source rpms
for above at http://www.millenux.com/~jschmidt/samba/linux/rhas3/ --
Note they are not mine and I can not vouch for them. I wrote to him
and asked how he made them, then downloaded the source RPMS and
compared them against Fedora and noted the only change he made was to
the SPEC file of the e2fsprogs to make the above symlink.

Disclaimer: Please do due diligence if you do the above. All I can
vouch for is that the above has worked for us for the past week on a
heavily loaded box. Anytime one mucks with a production box is cause
for great concern and caution, and calls for a complete lack of trust
in strangers on the net! :)

As an added bonus, after upgrading to Kerberos 1.3.1 we will now be
able to upgrade our Windows domain controllers to 2003 server. 

I hope someone finds this information beneficial and I thank all those
who posted in this thread. Your help was tremendous. It's an eye
opener to me that free community support has proved to be more
valuable than paid professional support. :-( I hope above post helps
give a little back to that same community.

If for some reason the above causes us problems down the line, I'll
post a followup note here warning of it.
-- 
Ken Weaverling (ken a.t weaverling.org) WHOIS: KJW  http://www.weaverling.org/
                     - - - - - - - - - - - - - - - - - -
Note: From address in posting is legit and may be replied to, but my reply may
be delayed since that address gets a lot of spam and I have to sort thru it :-(
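
The check described in the post (comparing a third-party source RPM against the Fedora one to see exactly what was changed) can be scripted. This is an added example, not part of the original post; it assumes both source RPMs have already been unpacked into separate directories, and the directory names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes both source RPMs were
# already unpacked into separate directories, e.g. with
#   rpm2cpio package.src.rpm | cpio -idm

# manifest DIR: print "sha256  ./relative/path" for every file under DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# srpm_diff REFERENCE_DIR CANDIDATE_DIR
# Prints CHANGED / ADDED / MISSING lines for files whose content differs.
srpm_diff() {
    ref_list=$(mktemp) || return 2
    manifest "$1" > "$ref_list"
    manifest "$2" | awk -v ref="$ref_list" '
        BEGIN {
            # sha256sum output: 64 hex chars, two separator chars, then path
            while ((getline line < ref) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            path = substr($0, 67); sum = substr($0, 1, 64)
            if (!(path in want)) { print "ADDED " path }
            else {
                if (want[path] != sum) { print "CHANGED " path }
                delete want[path]
            }
        }
        END { for (p in want) print "MISSING " p }
    ' | LC_ALL=C sort
    rm -f "$ref_list"
}

# Constructed sample: two tiny trees that differ only in the spec file.
make_sample() {
    d=$(mktemp -d) || return 2
    mkdir "$d/reference" "$d/candidate"
    printf 'upstream sources\n' | tee "$d/reference/source.tar.gz" > "$d/candidate/source.tar.gz"
    printf 'Name: e2fsprogs\n' > "$d/reference/e2fsprogs.spec"
    printf 'Name: e2fsprogs\nln -s libcom_err.so.2.1 libcom_err.so.3\n' > "$d/candidate/e2fsprogs.spec"
    echo "$d"
}

sample=$(make_sample)
srpm_diff "$sample/reference" "$sample/candidate"   # CHANGED ./e2fsprogs.spec
rm -rf "$sample"
```

Any file reported as CHANGED can then be inspected with `diff -u` between the two trees before the package is built.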

