old Solaris Kerberos bug question - kadm applications can not refresh their credentials once they've expired
neng.xue at oracle.com
Thu Mar 13 16:38:52 EDT 2014
My name is Neng. I am a college hire working for Oracle Solaris Security
Team. Currently I am re-investigating and trying to understand old
Solaris Kerberos bug fixs to see whether they are still applicable to
latest MIT kerberos code(for our MIT drop-in project). One of them is
the bug fix for "*kadm applications can not refresh their credentials
once they've expired*"
The bug description is as following:
The kadmin client applications, such as kadmin and kpropd do not have a
proper mechanism for freshing credentials. Where refresh in the since
of either recreating the credentials or renewing an existing one.
kadmin clients use a different credentials store (/tmp/ovsec_adm.XXXXXX)
rather than the default credential store as with root and host pricipals
(/tmp/krb5cc_0). The routines that already renew credentials are
currently restricted to host or root princs via get_default_cred() and
Currently this causes failure for kpropd. Since clnt_vc() calls are not
refreshing properly nor is it returning error. Therefore kpropd thinks
that it's getting an update with a sno value of 0. During the next poll
kpropd sends a sno of 0 and the master has a value > 0. Therefore the
master says that kpropd needs a full-resync. The slave requests a
full-resync and gets one. This will have a performance hit on the slave
every 8 hours.
The bug fix modified three files: *clnt_door.c*, *clnt_dg.c* and
*clnt_vc.c* in rpc library which I did not see in latest MIT kerberos
repo. But there are similar code pieces appeared in *clnt_udp.c*. So my
question is that are the lastest MIT kerberos code still suffered from
this bug? Or how can I judge whether the bug fix is still applicable?
Thanks a lot in advance!
Kerberos mailing list Kerberos at mit.edu
More information about the krbdev