Regarding Issues with Memory Credential Cache
Datar, Ashutosh Anil
ashutosh.datar at hp.com
Fri Oct 17 05:26:52 EDT 2008
Did you get to see if the modification to mod_auth_kerb, as you had suggested, works well and gets rid of the segmentation faults in memory cache section?
Did you try making any changes to memory cache code?
As I said in my last mail, protecting the memory cache list traversal worked very well with mod_auth_kerb and didn't reproduce the SIGSEGV issues further.
Thanks and Regards,
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Datar, Ashutosh Anil
Sent: Friday, August 29, 2008 6:29 PM
To: Ezra Peisach
Cc: krbdev at mit.edu
Subject: RE: Regarding Issues with Memory Credential Cache
Thanks very much for your analysis and feedback on the issue.
I will also try to test with the suggested changes in mod_auth_kerb code and see how it works.
About the other point of changing memory cache code of Kerberos client,
I have already tried protecting the memory cache list traversal which will prevent initialization of cache doing something illegal while someone else is still accessing it. It worked well with mod_auth_kerb under high load and I didn't see any SIGSEGVs after that.
Thanks again for the feedback.
From: Ezra Peisach [mailto:epeisach at MIT.EDU]
Sent: Friday, August 22, 2008 10:20 PM
To: Datar, Ashutosh Anil
Cc: krbdev at mit.edu
Subject: Re: Regarding Issues with Memory Credential Cache
Datar, Ashutosh Anil wrote:
> I was testing Apache Web Server (which uses mod_auth_kerb) with
> Kerberos Client 1.6.2 and found some issue with the Memory Cache handling.
Okay - I have examined the situation a little more. The problem is
readlly with mod_auth_kerb. In version 5.3 (released at the end of
2006) - krb5_cc_resolve is used to create a temporary
memory cache in two places.
The second argument for the cache is "MEMORY:". This indicates that we
want a memory cache with name "". The cache is initialized, used and
destroyed - so I believe it was never intended to last. So - another
thread might be iterating through the same cache and another thread then
nukes the contents of the cache with krb5_cc_initialize.
The fix is pretty easy - in mod_auth_kerb, there are two places
krb5_cc_resolve is used with "MEMORY:" as the second argument. Change
the code to use krb5_cc_new_unique and that should solve your
problem.... (the type should be "MEMORY" without the :)
I would make the change the mod_auth_kerb and if it works - send the fix
to the author.
I will meanwhile devise a way to bullet proof the memory cache code - to
at least ensure that initializing a cache while someone else is walking
it - will not do anything illegal - but probably result in an emptied
cache - which is not what mod_auth_kerb would be expecting...
krbdev mailing list krbdev at mit.edu
More information about the krbdev