[kerberos-discuss] LDAP & Kerberos interaction & SIGPIPE
Peter Shoults
Peter.Shoults at Sun.COM
Fri Sep 25 13:13:17 EDT 2009
On 09/25/09 12:50, Tom Yu wrote:
> Peter Shoults <Peter.Shoults at Sun.COM> writes:
>
>
>> I am sending this out again as the customer has tested a fix I provided
>> and determined that it does resolve their issue. I would like to move
>> forward with a fix, and the one I am using now is the one mentioned
>> below with the addition of signal(). If I can get some comments, I
>> would appreciate it. Otherwise - I guess I will just proceed to put
>> this into Solaris code.
>>
>> Pete
>>
>
> Is there a reason to not use sigaction() here if possible? That
> should make things more portable than calling signal().
>
>
I used signal() because that is what is being used in this file as it
exists now, so I did it to maintain a standard look/feel.
>> On 09/16/09 10:48, Peter Shoults wrote:
>>
>>> Hi,
>>>
>>> Customer has brought forward an issue they were having with Kerberos and
>>> LDAP, where LDAP is being used to store the database information for
>>> Kerberos. The issue is that if the LDAP server is restarted for any
>>> reason, then Kerberos does not automatically resync back with the LDAP
>>> server when the LDAP server is back up and running. Specifically, one
>>> can run and login into kadmin, but any commands that are run will fail
>>> with the error:
>>>
>>> "Communication failure with server while retrieving list."
>>>
>>> It turns out if the user exits from kadmin and logs back in a second
>>> time, then the command do work fine.
>>>
>>> I have determined that the cause of this problem is that when the LDAP
>>> server is restarted, all the connections we have on port 636 to the LDAP
>>> server go into a CLOSE_WAIT/FIN_WAIT_2 state. When we log into kadmin,
>>> we attempt to contact the LDAP server on these connections, and we
>>> received SIGPIPE in response to our writes. Here is a snippet from truss:
>>>
>>> 3200/1: 57.2401 write(14, 0x0010B810, 23)
>>> Err#32 EPIPE
>>> 3200/1: 150301\012941A 60F Y P87A7BE9318B6
>>> c8C |0F v
>>> 3200/1: 57.2404 Received signal #13, SIGPIPE [caught]
>>>
>>> This is fine - the sig_pipe handler is invoked and we do print out the
>>> syslog message. However, we never reset the signal disposition for
>>> SIGPIPE. kadmind process immediately proceeds to try the next
>>> connection to the LDAP server, and again gets SIGPIPE. This time
>>> though, the default handler is invoked, which terminates kadmind. At
>>> this point, SMF realizes kadmind has died and restarts it, which
>>> re-establishes all our connections to the LDAP server and that explains
>>> why a subsequent login to kadmin will work.
>>>
>>> I have two questions about this. The first why do we have a handler for
>>> SIGPIPE in the kadmin code, unlike the krb5kdc code, which sets SIGPIPE
>>> disposition to SIG_IGNORE. This handler in the kadmin code has not
>>> changed in a long long time. I tested setting SIGPIPE to SIG_IGN and
>>> this does allow a user to enter commands into kadmin after LDAP server
>>> restarts and run commands without issue.
>>>
>>> Assuming we have the SIGPIPE handler specifically to output the syslog
>>> message, then I propose that we have in the handler a resetting of the
>>> signal disposition to sig_pipe. I have also tested this fix and
>>> verified that this also resolves the problem and allows the user to
>>> enter kadmin commands after LDAP server restarts. Here is my change:
>>>
>>> file modified is ovsec_kadmd.c
>>>
>>> void
>>> sig_pipe(int unused)
>>> {
>>> + signal(SIGPIPE, sig_pipe);
>>> krb5_klog_syslog(LOG_NOTICE, gettext("Warning: Received a SIGPIPE; "
>>> "probably a client aborted. Continuing."));
>>> }
>>>
>>>
>>> Pete
>>>
>>>
>>>
>> _______________________________________________
>> kerberos-discuss mailing list
>> kerberos-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
>>
More information about the krbdev
mailing list