old Solaris Kerberos bug question - kadm applications can not refresh their credentials once they've expired

Neng Xue neng.xue at oracle.com
Thu Mar 13 16:38:52 EDT 2014


My name is Neng. I am a college hire working for Oracle Solaris Security 
Team. Currently I am re-investigating and trying to understand old 
Solaris Kerberos bug fixs to see whether they are still applicable to 
latest MIT kerberos code(for our MIT drop-in project). One of them is 
the bug fix for "*kadm applications can not refresh their credentials 
once they've expired*"

The bug description is as following:
The kadmin client applications, such as kadmin and kpropd do not have a 
proper mechanism for freshing credentials.  Where refresh in the since 
of either recreating the credentials or renewing an existing one. 
kadmin clients use a different credentials store (/tmp/ovsec_adm.XXXXXX) 
rather than the default credential store as with root and host pricipals 
(/tmp/krb5cc_0). The routines that already renew credentials are 
currently restricted to host or root princs via get_default_cred() and 
the like.

Currently this causes failure for kpropd.  Since clnt_vc() calls are not 
refreshing properly nor is it returning error.  Therefore kpropd thinks 
that it's getting an update with a sno value of 0.  During the next poll 
kpropd sends a sno of 0 and the master has a value > 0.  Therefore the 
master says that kpropd needs a full-resync. The slave requests a 
full-resync and gets one.  This will have a performance hit on the slave 
every 8 hours.

The bug fix modified three files: *clnt_door.c*, *clnt_dg.c* and 
*clnt_vc.c* in rpc library which I did not see in latest MIT kerberos 
repo. But there are similar code pieces appeared in *clnt_udp.c*. So my 
question is that are the lastest MIT kerberos code still suffered from 
this bug? Or how can I judge whether the bug fix is still applicable? 
Thanks a lot in advance!


Kerberos mailing list           Kerberos at mit.edu

More information about the krbdev mailing list