GSS-API errors
Mike Friedman
mikef at berkeley.edu
Thu Oct 29 13:14:15 EDT 2009
On Thu, 29 Oct 2009 at 13:00 (-0400), Greg Hudson wrote:
> On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
>> Any ideas about how, at least, to track down the cause of these
>> particular errors? Is the mere attempt to make a couple of dozen or
>> more kadmin connections per second likely to cause this problem?
>
> You might be running into a replay cache issue. In krb5 1.6, the replay
> cache keyed mostly off of the timestamp of the authenticator, which
> could be the same if you make two connections in quick succession. In
> 1.7 we also key off a checksum of the encrypted authenticator, which is
> very unlikely to collide because of the confounder.
> As a workaround, it's possible to perform multiple operations within a
> single connection. I don't know if Authen::Krb5::Admin allows that,
> though.
Greg,
Unfortunately, my library of Kerberos routines consists only of standalone
functions, each of which makes its own kadmind connection. I realize I
should also have provided a method that just returned a kadm5 handle so
that calling routines could do multiple transactions on the same
connection. But then it would be the responsibility of each such calling
application to track the persistence of the connection.
For example, updates will fail while kprop is unloading the db.
Currently, an app can just retry the standalone function, which will
establish a new connection. Anyway, wise or not, I didn't provide a
connection-only perl method, so apps that call my functions (e.g., to add
a principal) wind up connecting to kadmind each time.
Are you saying that with 1.7 and later releases, this problem should go
away (assuming its cause is as you speculate)?
Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________
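A simplified model of the replay-cache keying difference described in the quoted reply, added here as an illustration; it is not code from this thread or from MIT krb5. The principal names, the timestamp and the hash standing in for authenticator encryption are constructed assumptions, and real replay-cache entries carry more fields than shown.

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Authenticator:
    """Replay-relevant fields of an AP-REQ authenticator (simplified model)."""
    client: str
    server: str
    timestamp: int      # authenticator time in whole seconds (cusec omitted)
    confounder: bytes   # random bytes prepended to the plaintext before encryption

def encrypted_form(auth: Authenticator) -> bytes:
    # Stand-in for the encrypted authenticator (constructed, not real Kerberos
    # encryption): it only needs to differ whenever the confounder differs.
    fields = f"{auth.client}|{auth.server}|{auth.timestamp}".encode()
    return hashlib.sha256(auth.confounder + fields).digest()

def key_krb5_1_6(auth: Authenticator) -> tuple:
    # 1.6-style entry: principal names plus the authenticator timestamp
    return (auth.client, auth.server, auth.timestamp)

def key_krb5_1_7(auth: Authenticator) -> tuple:
    # 1.7-style entry: the same fields plus a checksum of the encrypted authenticator
    return key_krb5_1_6(auth) + (hashlib.sha256(encrypted_form(auth)).hexdigest(),)

class ReplayCache:
    def __init__(self, keyfn):
        self.keyfn = keyfn
        self.seen = set()

    def accept(self, auth: Authenticator) -> bool:
        """True for a fresh authenticator, False when its entry already exists (a replay)."""
        key = self.keyfn(auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

def count_accepted(keyfn, auths) -> int:
    cache = ReplayCache(keyfn)
    return sum(cache.accept(a) for a in auths)

def make_burst(n: int, timestamp: int = 1256836800) -> list:
    # n separate kadmin connections from one client within one second (constructed data)
    return [Authenticator("mikef/admin@EXAMPLE.COM", "kadmin/admin@EXAMPLE.COM",
                          timestamp, os.urandom(16)) for _ in range(n)]

if __name__ == "__main__":
    burst = make_burst(24)
    print("1.6-style keying accepts", count_accepted(key_krb5_1_6, burst), "of", len(burst))
    print("1.7-style keying accepts", count_accepted(key_krb5_1_7, burst), "of", len(burst))
```

Under the 1.6-style key every connection after the first in the same second is rejected as a repeat, while the 1.7-style key admits all of them and still rejects a genuinely re-sent authenticator.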