any hidden dependency for krb5_context?

Bin Lu blu at paloaltonetworks.com
Tue Jun 17 14:52:51 EDT 2014


Hi Greg,

I am calling krb5_get_init_creds_password() in my app. In the failure case it times out in about 40 seconds. The krb5_context objects (address) are the same in 2 threads. Is there any value in the object that could cause the difference in behavior? In both cases, they seem to go through the same route: krb5_sendto_kdc() -> krb5_locate_kdc() -> krb5int_locate_server() -> prof_locate_server() -> krb5_locate_srv_conf_1() -> profile_get_values().

It seems it's using "realms", <default realm> as host, and "kdc" as the input to profile_get_values(). I am not sure if it is getting the kdc from the configuration file in the initial thread, while in other threads it's trying a DNS lookup for the kdc host with the default realm?

Any input will be greatly appreciated.

-binlu

-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU] 
Sent: Tuesday, June 17, 2014 10:00 AM
To: Bin Lu; krbdev at mit.edu
Subject: Re: any hidden dependency for krb5_context?

On 06/16/2014 06:57 PM, Bin Lu wrote:
> Initialize several krb5_context in one thread and put it in a global (pool) structure, then other threads get krb5_context from the pool and do the real work.

This ought to work, as long as you don't use the same krb5_context in multiple threads at the same time.  I don't have any guesses as to why you would be getting KRB5_REALM_CANT_RESOLVE when using a context in a different thread from the one it was initialized in.

> I thought the realm should have been resolved during krb5_init_context() from env("KRB5_CONFIG").

The profile is read at krb5_init_context time, and is queried when we actually need to send a message to the KDC.  But that should work from any thread.
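An added example, not part of the original thread and not MIT krb5 code: a Python check that performs the same "realms" -> <default realm> -> "kdc" lookup on a krb5.conf text, to show whether the KDC list can come from the profile at all. The sample profile, realm names and host names are constructed placeholders, the function names are hypothetical, and the parser assumes plain krb5.conf syntax without include directives.

```python
import re

# Constructed sample profile; realm and host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    OTHER.TEST = {
        admin_server = admin.other.test
    }
"""

def profile_values(text, section, *names):
    """Collect every value stored at [section] -> names[0] -> ... -> names[-1].

    Assumption: plain krb5.conf syntax only (no include/includedir, no '*'
    final markers), one relation or brace per line.
    """
    path, values, in_section = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                            # new top-level section
            in_section, path = header.group(1) == section, []
            continue
        if not in_section:
            continue
        if line.startswith("}"):              # leave a subsection
            if path:
                path.pop()
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if val == "{":                        # enter a subsection, e.g. a realm
            path.append(key)
        elif path + [key] == list(names):     # relation at the requested path
            values.append(val)
    return values

def kdc_from_profile(text):
    """Return (default_realm, kdc list); an empty list means the profile has no
    kdc entry for that realm, so KDC location cannot come from this file."""
    realm = profile_values(text, "libdefaults", "default_realm")
    if not realm:
        return None, []
    return realm[0], profile_values(text, "realms", realm[0], "kdc")
```

Run it on the contents of the file that KRB5_CONFIG names in the failing process; an empty kdc list means the library has to locate the KDC some other way, such as DNS SRV records when dns_lookup_kdc permits it.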