[krbdev.mit.edu #6832] Bug in MIT Kerberos for Windows Version 3.2.2

David R Boldt via RT rt at krbdev.mit.edu
Thu Dec 9 11:06:02 EST 2010


Update on the USGS Kerberos for Windows issue.

We've been able to replicate the KfW crash outside of Active Directory, 
using a huge set of SRV DNS records on a local DNS server.

The Department of Interior Active Directory team continues to vary the 
number of domain controllers in the GS domain. We must be very close to 
the DNS buffer limit in KfW, because occasionally this crash fails to 
occur.

We've traced the crash to a static buffer size in wshelper, an 
MIT-developed Winsock wrapper. This means that the problem is local to 
Windows.

We have been able to build a 32-bit wshelper DLL that contains a larger 
buffer. In testing, this fixes the problem in the production AD and test 
environments.

There are a few problems with building MIT's Kerberos for Windows. The KfW 
project's source assumes that we are using a specific version of MS Visual 
Studio (2003). This version is old, and any attempts to build KfW with 
newer versions are not likely to be successful. We were able to tweak the 
wshelper code in order to build the specific DLL in a newer MS Visual 
Studio. Jeff Altman has commented that newer VS versions will probably not 
be able to build the entire KfW package 
(http://mailman.mit.edu/pipermail/kfwdev/2007-July/000073.html).


                                         -- David Boldt
                                             <dboldt at usgs.gov>
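
Added example, not part of the original message and not wshelper code: a bounds-checked walk over a DNS reply held in a fixed-size buffer, showing why a large SRV record set has to be detected before parsing. The message does not describe the exact failure inside wshelper; this assumes the common pattern where the resolver reports a reply length larger than the buffer it filled. The 512-byte size, `build_reply` and `count_srv` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Skip a (possibly compressed) DNS name; new offset, or -1 if it leaves the message. */
static long skip_name(const uint8_t *m, size_t len, size_t off) {
    for (; off < len; off += 1 + (size_t)m[off]) {
        if (m[off] == 0) return (long)off + 1;
        if ((m[off] & 0xC0) == 0xC0) return off + 2 <= len ? (long)off + 2 : -1;
    }
    return -1;
}

/* Count SRV (type 33) answers. reported = reply length the resolver returned,
   cap = size of the buffer it wrote into. -2: reply did not fit, -1: malformed. */
long count_srv(const uint8_t *m, size_t reported, size_t cap) {
    if (reported > cap) return -2;      /* retry with a larger buffer, do not parse */
    if (reported < 12) return -1;       /* shorter than a DNS header */
    unsigned qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    long off = 12, n = 0;
    for (unsigned i = 0; i < qd + an; i++) {
        size_t fixed = i < qd ? 4 : 10; /* question: TYPE+CLASS; answer adds TTL+RDLENGTH */
        off = skip_name(m, reported, (size_t)off);
        if (off < 0 || (size_t)off + fixed > reported) return -1;
        size_t rdlen = i < qd ? 0 : ((size_t)m[off + 8] << 8) | m[off + 9];
        if (i >= qd && ((m[off] << 8) | m[off + 1]) == 33) n++;
        off += (long)(fixed + rdlen);
        if ((size_t)off > reported) return -1;
    }
    return n;
}

/* Constructed stand-in for a resolver: copies at most cap bytes, returns the full length. */
size_t build_reply(uint8_t *buf, size_t cap, unsigned k) {
    static const uint8_t q[] = {1,'x',0, 0,33, 0,1};   /* question "x." SRV IN */
    static const uint8_t rr[] = {0xC0,12, 0,33, 0,1, 0,0,0,60, 0,9, 0,0, 0,0, 0,88, 1,'k',0};
    uint8_t full[12 + sizeof q + 64 * sizeof rr] = {0};
    size_t n = 12 + sizeof q;
    if (k > 64) k = 64;
    full[5] = 1; full[7] = (uint8_t)k; memcpy(full + 12, q, sizeof q);
    for (unsigned i = 0; i < k; i++, n += sizeof rr) memcpy(full + n, rr, sizeof rr);
    memcpy(buf, full, n < cap ? n : cap);
    return n;
}

int main(void) {
    uint8_t buf[512];                       /* assumed size, not wshelper's real value */
    for (unsigned k = 3; k <= 30; k += 27)  /* 3 records fit, 30 do not */
        printf("%u records -> %ld\n", k, count_srv(buf, build_reply(buf, sizeof buf, k), sizeof buf));
    return 0;
}
```

A parser that used the reported length as its end-of-message bound without the first check would walk past the end of the buffer on the 30-record reply.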
