KDC HA Failure with krb5-1.9.1 and pam-krb5 4.4

Tom Parker tparker at cbnco.com
Sat Nov 19 23:09:34 EST 2011


Hi Nalin

Thanks for your answer.  One thing I don't understand.  Is this fixed in 
1.9.2 or will it be in 1.10.x?

For now I will hold off migrating my clients from 1.8.3.

Tom Parker

On 11/18/2011 06:32 PM, Nalin Dahyabhai wrote:
> On Fri, Nov 18, 2011 at 05:41:44PM -0500, Tom Parker wrote:
>> Thanks for your quick reply.  I have attached my results below.  When
>> one of my KDCs is down the client kinit fails with: kinit:
>> sendto_kdc.c:617: cm_get_ssflags: Assertion `i<  selstate->nfds' failed.
> That looks like a bug that we ran into when the send-to-kdc code was
> reworked to use poll() (RT#6905) and we pulled it from trunk to add to
> our 1.9 and 1.9.1 binary packages.  The fix was RT#6951.  We ran into
> another case, too, but by then that part of the library had been
> reworked again so that trunk didn't need the fix, so I didn't open a
> ticket for it.  I'll append the patch for it below.
>
> HTH,
>
> Nalin
>
> If we exit the transmit loop cleanly, don't overestimate the size of the
> connections array.  This bug appears to have been removed upstream when
> this function was rewritten in trunk, and the select()-based implementation
> is still what's in 1.9, so this patch has nowhere to go.
> --- krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c	2011-09-28 14:54:20.560811664 -0400
> +++ krb5-1.9.1/src/lib/krb5/os/sendto_kdc.c	2011-09-28 14:54:11.396812292 -0400
> @@ -1317,7 +1319,10 @@ krb5int_sendto (krb5_context context, co
>              call with the last one from the above loop, if the loop
>              actually calls select.  */
>           sel_state->end_time.tv_sec += delay_this_pass;
> -        e = service_fds(context, sel_state, conns, host+1,&winning_conn,
> +        i = host+1;
> +        if (i>  n_conns)
> +            i = n_conns;
> +        e = service_fds(context, sel_state, conns, i,&winning_conn,
>                           sel_state+1, msg_handler, msg_handler_data);
>           if (e)
>               break;
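Review bot: the clamp ahead of the service_fds() call stores its result in `i`, whose declaration and other uses in krb5int_sendto are outside this hunk. If `i` is still live as an index after this point, overwriting it here will change later behaviour, so a dedicated local for the clamped count would be safer. A one-line comment above `if (i>  n_conns)` saying that host+1 can exceed n_conns when the transmit loop exits cleanly would also help, since the patch description is currently the only place that records why the clamp exists.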


