any hidden dependency for krb5_context?

Bin Lu blu at paloaltonetworks.com
Tue Jun 17 15:16:22 EDT 2014


Hi Greg,

I just noticed that the profile structure of the krb5_context object contains the profile filename instead of the content. And I tested that if I do not remove the configuration file, it works in other threads too.

But this is not what I want, as we might have multiple krb5_context objects with different config files. How can I force krb5_init_context() to save the content of the profile, not just the file name?

Thanks,
-binlu 

-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Bin Lu
Sent: Tuesday, June 17, 2014 11:53 AM
To: Greg Hudson; krbdev at mit.edu
Subject: RE: any hidden dependency for krb5_context?

Hi Greg,

I am calling krb5_get_init_creds_password() in my app. In the failure case it times out in about 40 seconds. The krb5_context objects (address) are the same in 2 threads. Is there any value in the object that could cause the difference in behavior? In both cases, they seem to go through the same route: krb5_sendto_kdc() -> krb5_locate_kdc() -> krb5int_locate_server() -> prof_locate_server() -> krb5_locate_srv_conf_1() -> profile_get_values().

It seems to be using "realms", <default realm> as host, "kdc" as the input to profile_get_values(). I am not sure if it is getting the kdc from the configuration file in the initial thread, while in other threads it's trying a DNS lookup for the kdc host with the default realm?

Any input will be greatly appreciated.

-binlu

-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU] 
Sent: Tuesday, June 17, 2014 10:00 AM
To: Bin Lu; krbdev at mit.edu
Subject: Re: any hidden dependency for krb5_context?

On 06/16/2014 06:57 PM, Bin Lu wrote:
> Initialize several krb5_context in one thread and put it in a global (pool) structure, then other threads get krb5_context from the pool and do the real work.

This ought to work, as long as you don't use the same krb5_context in multiple threads at the same time.  I don't have any guesses as to why you would be getting KRB5_REALM_CANT_RESOLVE when using a context in a different thread from the one it was initialized in.

> I thought the realm should have been resolved during krb5_init_context() from env("KRB5_CONFIG").

The profile is read at krb5_init_context time, and is queried when we actually need to send a message to the KDC.  But that should work from any thread.

_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev