Mac OS X: Calling krb5_init_context and krb5_cc_resolve from a Directory Service Plugin

Alexandra Ellwood lxs at MIT.EDU
Mon Jan 20 00:29:01 EST 2003

>We are developing a Directory Service plug-in that uses Kerberos.  We are
>having major difficulty when calling krb5_init_context and krb5_cc_resolve,
>because these calls appear to be trying to contact the
>The CCacheServer app must be doing something that calls back into Directory
>Services, and that deadlocks the whole Mac.
>Is there some way we can use credential cache names that don't work with the
>Since the credentials cache code on Mac OS X is not publicly available, who
>should I direct my questions to?

The API which is deadlocking your program is actually an Apple one: 
SessionGetInfo() from Security.framework.  The Kerberos.framework 
calls this function to determine which CCacheServer to talk to.  You 
never even try to talk to the CCacheServer itself.  SessionGetInfo() 
seems to be dying when your plugin tries to contact the 
SecurityServer, a system daemon, via Mach-IPC.

You should contact Apple to find out why this function doesn't work 
from a DirectoryServices plugin.  Kerberos needs this function to 
determine which user session your user login is part of.

>Here is some stuff from a stack trace in DirectoryServer when we lock up:
>Program received signal SIGINT, Interrupt.
>[Switching to process 532 thread 0x1007]
>0x90073c48 in mach_msg_trap ()
>(gdb) thread 4
>[Switching to thread 4 (process 532 thread 0x2803)]
>#0  0x90073c48 in mach_msg_trap ()
>(gdb) where
>#0  0x90073c48 in mach_msg_trap ()
>#1  0x90005f90 in mach_msg ()
>#2  0x92bc3afc in ucsp_client_setup(unsigned, unsigned, long*,
>unsigned, char const*) ()
>#3  0x92bb4c3c in Security::SecurityServer::ClientSession::activate() ()
>#4  0x92bdf3dc in
>Security::SecurityServer::ClientSession::getSessionInfo(unsigned long&,
>unsigned long&) ()
>#5  0x92bdf310 in SessionGetInfo ()
>#6  0x94341b64 in LoginSessionGetSessionName ()
>#7  0x94341ad0 in LoginSessionGetSessionUID ()
>#8  0x94341d00 in mach_client_lookup_server ()
>#9  0x94341de0 in mach_client_lookup_and_launch_server ()
>#10 0x9435d240 in CCIMachIPCStub::GetPort() const ()
>#11 0x94359e50 in CCICCacheDataMachIPCStub::GetCredentialsVersion() ()
>#12 0x94351b04 in cc_open ()
>#13 0x943879b0 in krb5_stdcc_resolve ()
>#14 0x94386d88 in krb5_cc_resolve ()
>#15 0x0084ca28 in KerbUserInit (user=0xa15c40 "grigsby", domain=0xa159b0
>"FOO.ORG", passwd=0xa159f0 "zzzzzzz") at
>#22 0x00807754 in PlugInShell_ProcessRequest (inData=0xa0d920) at
>#23 0x00809548 in _ProcessRequest (thisp=0x0, inData=0xa05360) at
>#24 0x0000426c in CRequestHandler::HandlePluginCall(sComData**) ()
>#25 0x00003508 in CRequestHandler::HandleRequest(sComData**) ()
>#26 0x0001ef50 in CMessaging::SendInlineMessage(unsigned long) ()
>#27 0x000265d4 in dsDoDirNodeAuth ()
>#28 0x00009890 in CRequestHandler::DoCheckUserNameAndPassword(char
>const*, char const*, tDirPatternMatch, unsigned*, char**) ()
>#29 0x00003f10 in CRequestHandler::HandleServerCall(sComData**) ()
>#30 0x000034e4 in CRequestHandler::HandleRequest(sComData**) ()
>#31 0x00003450 in CHandlerThread::HandleMessage() ()
>#32 0x00003018 in CHandlerThread::ThreadMain() ()
>#33 0x92b65c68 in DSCThread::Run() ()
>#34 0x92b65e28 in DSLThread::_RunWrapper(void*) ()
>#35 0x90020d48 in _pthread_body ()

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     
