GSS-API errors

Greg Hudson ghudson at MIT.EDU
Thu Oct 29 13:00:07 EDT 2009


On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
> Any ideas about how, at least, to track down the cause of these particular 
> errors?  Is the mere attempt to make a couple of dozen or more kadmin 
> connections per second likely to cause this problem?

You might be running into a replay cache issue.  In krb5 1.6, the replay
cache keyed mostly off of the timestamp of the authenticator, which
could be the same if you make two connections in quick succession.  In
1.7 we also key off a checksum of the encrypted authenticator, which is
very unlikely to collide because of the confounder.

As a workaround, it's possible to perform multiple operations within a
single connection.  I don't know if Authen::Krb5::Admin allows that,
though.
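
The collision described in the reply above, as an added example that is not part of the original post and is not krb5 code: a simplified replay cache keyed on client, server and authenticator timestamp, beside one that also keys on a hash of the encrypted authenticator. The `seal` function is a toy stand-in for encryption with a random confounder, and the field names, principals, key and timestamp are constructed assumptions.

```python
import hashlib
import os

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for authenticator encryption (NOT Kerberos crypto).
    A fresh random confounder makes every ciphertext different."""
    confounder = os.urandom(16)
    stream = hashlib.shake_256(key + confounder).digest(len(plaintext))
    return confounder + bytes(a ^ b for a, b in zip(plaintext, stream))

def make_authenticator(key, client, server, ctime, cusec):
    plaintext = f"{client}|{ctime}|{cusec}".encode()
    return {"client": client, "server": server, "ctime": ctime,
            "cusec": cusec, "enc": seal(key, plaintext)}

class ReplayCache:
    def __init__(self, use_checksum: bool):
        self.use_checksum = use_checksum
        self.seen = set()

    def _key(self, auth):
        # Timestamp-based key: identical for two requests in the same tick.
        key = (auth["client"], auth["server"], auth["ctime"], auth["cusec"])
        if self.use_checksum:
            # Also key on a hash of the ciphertext, unique per request.
            key += (hashlib.sha256(auth["enc"]).hexdigest(),)
        return key

    def check_and_store(self, auth) -> bool:
        """Return True if accepted, False if flagged as a replay."""
        key = self._key(auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

def run(use_checksum: bool):
    key = b"constructed-session-key"
    client, server = "admin/admin@EXAMPLE.COM", "kadmin/admin@EXAMPLE.COM"
    # Two separate connections whose authenticators share one timestamp.
    first = make_authenticator(key, client, server, 1256835607, 0)
    second = make_authenticator(key, client, server, 1256835607, 0)
    cache = ReplayCache(use_checksum)
    # Third check resubmits `first` unchanged: a genuine replay.
    return [cache.check_and_store(a) for a in (first, second, first)]

if __name__ == "__main__":
    print("timestamp key only:   ", run(False))
    print("timestamp + checksum: ", run(True))
```

With the timestamp-only key the second, legitimate connection is rejected as a replay; with the checksum added it is accepted, while the resubmitted authenticator is still rejected.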




