GSS-API error deleting large number of principals
Mike Friedman
mikef at berkeley.edu
Sun Nov 4 23:27:36 EST 2012
Hi,
I have a Perl program that uses *Auth::Krb5::Admin* to talk to the KDC
for admin functions. In particular, to add or delete principals. It
almost always works perfectly. However, now I find that if I try to
delete a large number of principals, even with a delay of 1 second
between each delete, I occasionally get a return code of 46 from the
KDC, which corresponds to error message "GSS-API (or Kerberos) error".
In the KDC logs, I see the following:
    check_rpcsec_auth: failed inquire_context, stat=786432
    Authentication attempt failed: 169.229.248.136, GSS-API error strings are:
        The referenced context has expired
        Unknown error
    GSS-API error strings complete.
    authentication attempt failed: 169.229.248.136, RPC authentication flavor 6
This has been happening only when I've been deleting over about 3500
principals. Most of the time, and even with as many as 3300 principals,
the problem hasn't occurred.
I should say that the code establishes a new kadmin connection and
obtains a new Kerberos context for each transaction, using the
connection handle as the basis for object references that correspond to
the admin function, in this case delete_principal. After each
transaction succeeds or fails, the Kerberos context is dropped.
Does the above ring any bells? What conditions might cause this problem?
Thanks.
Mike
--
Mike Friedman
mikef at berkeley.edu
http://mikefberkeley.com
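
The `stat=786432` value in the KDC log above is a GSS-API major status word, which packs three fields into one integer. The following is an added example, not part of the original post or of the Kerberos code base: it pulls `stat=` values out of `check_rpcsec_auth` log lines and decodes them using the field layout and constant values from RFC 2744. The sample log lines are copied from the excerpt in the post; the function names are hypothetical.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info flags in bits 0-15.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}
STAT_RE = re.compile(r"check_rpcsec_auth: failed (\w+), stat=(\d+)")

def decode_major_status(stat):
    """Split a major status word into its three named fields."""
    calling = (stat >> 24) & 0xFF
    routine = (stat >> 16) & 0xFF
    flags = [name for bit, name in SUPPLEMENTARY_BITS.items() if stat & (1 << bit)]
    return {
        "calling": CALLING_ERRORS.get(calling, calling or None),
        "routine": ROUTINE_ERRORS.get(routine, routine or None),
        "supplementary": flags,
    }

def scan(lines):
    """Return (failed GSS call, decoded status) for each matching log line."""
    return [(m.group(1), decode_major_status(int(m.group(2))))
            for m in map(STAT_RE.search, lines) if m]

# Log lines taken from the excerpt in the post.
SAMPLE_LOG = [
    "check_rpcsec_auth: failed inquire_context, stat=786432",
    "authentication attempt failed: 169.229.248.136, RPC authentication flavor 6",
]

if __name__ == "__main__":
    for call, status in scan(SAMPLE_LOG):
        print(call, status)
```

For the value in the post, the routine-error field is 12 (`GSS_S_CONTEXT_EXPIRED`) with no calling error and no supplementary flags, which agrees with the "The referenced context has expired" string logged next to it.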