MS KRB5 vs KRB 5 GSS API/SPNEGO question

Greg Hudson ghudson at mit.edu
Fri Sep 26 15:57:27 EDT 2014


On 09/26/2014 03:28 PM, Prakash Narayanaswamy wrote:
> We're using MIT Kerberos v5-1.10.3 . Occasionally we're seeing
> authentication failures. The gss_display_status call on the minor status
> code returned by the gss_accept_sec_context (major status ==
> GSS_S_FAILURE) gives the following error message: /Cannot create replay
> cache file /var/tmp/host_1000: File exists. /

Our replay cache implementation is not correct in the face of multiple
processes or threads concurrently accessing the same replay cache.  Most
of the issues do not interfere with server operation (that is, they
would only result in replays possibly not being noticed), but there is
one specific race which can result in this spurious failure.  We have
recently pushed a workaround for this which will go into 1.13:

  https://github.com/krb5/krb5/commit/99e08376c14240e2141c6fa9289fafab8245c754

We have longer-term plans to improve the replay cache implementation,
hopefully for 1.14:

  http://k5wiki.kerberos.org/wiki/Projects/Replay_cache_improvements

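Added illustration (not krb5 code and not the linked commit): a create-or-open pattern that tolerates a concurrent creator, under the assumption that the spurious "File exists" error above comes from an exclusive O_CREAT|O_EXCL open racing another process. The path and function names are hypothetical.

```c
/* Assumption: the replay cache file is created with O_CREAT|O_EXCL, so two
 * acceptors starting at once race and the loser gets EEXIST. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Naive version: EEXIST is fatal, matching the failure reported above. */
int rcache_create_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Tolerant version: if another process created the file first, open the
 * existing file instead of failing.  If that open sees ENOENT (the winner
 * removed it between our two attempts), retry the exclusive create. */
int rcache_create_or_open(const char *path) {
    for (int attempt = 0; attempt < 3; attempt++) {
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;
        fd = open(path, O_RDWR);
        if (fd >= 0 || errno != ENOENT)
            return fd;
    }
    errno = EEXIST;
    return -1;
}

/* Simulate two acceptors racing on one path.  Returns 1 when the naive
 * second creator fails with EEXIST but the tolerant variant succeeds. */
int demo_race(const char *path) {
    unlink(path);
    int first = rcache_create_exclusive(path);   /* winner creates the file */
    int naive = rcache_create_exclusive(path);   /* loser: EEXIST */
    int naive_errno = errno;
    int tolerant = rcache_create_or_open(path);  /* loser with fallback */
    int ok = first >= 0 && naive < 0 && naive_errno == EEXIST && tolerant >= 0;
    if (first >= 0) close(first);
    if (tolerant >= 0) close(tolerant);
    unlink(path);
    return ok;
}

int main(void) {
    /* constructed path for the demonstration */
    puts(demo_race("/tmp/rcache_race_demo") ? "tolerant open succeeded"
                                            : "demo failed");
    return 0;
}
```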