GSS-API error deleting large number of principals

Mike Friedman mikef at
Sun Nov 4 23:27:36 EST 2012


I have a perl program that uses *Auth::Krb5::Admin* to talk to the KDC
for admin functions.  In particular, to add or delete principals.  It
almost always works perfectly.  However, now I find that if I try to
delete a large number of principals, even with a delay of 1 second
between each delete, I  occasionally get a return code of 46 from the
KDC, which corresponds to error message "GSS-API (or Kerberos) error". 
In the KDC logs, I see the following:

    check_rpcsec_auth: failed inquire_context, stat=786432
     Authentication attempt failed:, GSS-API error
    strings are:
         The referenced context has expired
         Unknown error
        GSS-API error strings complete.
    authentication attempt failed:, RPC authentication
    flavor 6

This has been happening only when I've been deleting over about 3500
principals.  Most of the time, and even with as many as 3300 principals,
the problem hasn't occurred.

I should say the the code establishes a new kadmin connection and
obtains a new Kerberos context, for each transaction, using the
connection handle as the basis for object references that correspond to
the admin function, in this case delete_principal.  After each
transaction succeeds or fails, the Kerberos context is dropped.

Does the above ring any bells?  What conditions might cause this problem?



Mike Friedman
mikef at

More information about the Kerberos mailing list