A note about the lock inconsistency bug

Nico Williams nico at cryptonector.com
Mon Oct 15 19:54:34 EDT 2012

A few weeks ago I contributed fixes for a couple of locking-related
bugs in the MIT Kerberos KDC.  There are three cases where these bugs
can result in neither kadmind nor kadmin.local, nor any kadm5srv API
consumer being able to write to the KDB, two of which affect the
master KDC:

1) Any races between krb5kdc and kdb5util load.  This affects slave
KDCs since 1.5 (loads happen as part of kprop).

2) Any races between krb5kdc and kadmind or kadmin.local
addpol/modpol/delpol commands.  This affects master KDCs since 1.5.

3) Any races between multi-process krb5kdc and account lockout
checking.  This affects master and slave KDCs since, IIRC, 1.10.

None of these affect the KDC with the LDAP backend.

(3) is particularly painful.  To workaround this either disable
account lockout policies or disable multi-process KDCs.  To workaround
(2) just restart krb5kdc around such operations.  To workaround (1)
just restart the KDC on slaves as needed (or after each full prop).


More information about the Kerberos mailing list