old Solaris Kerberos bug question - kadm applications can not refresh their credentials once they've expired
Greg Hudson
ghudson at MIT.EDU
Fri Mar 14 11:14:44 EDT 2014
On 03/13/2014 04:38 PM, Neng Xue wrote:
> Currently this causes failure for kpropd. Since clnt_vc() calls are not
> refreshing properly, nor are they returning an error. Therefore kpropd thinks
> that it's getting an update with a sno value of 0.
[...]
> So my
> question is: is the latest MIT Kerberos code still suffering from
> this bug? Or how can I judge whether the bug fix is still applicable?
I can't say for sure without setting up a test, but I couldn't find
evidence that this bug affects current MIT krb5.
kpropd calls kadm5_init_with_skey, which gets fresh tickets with the
host keytab and initiates a TCP connection to kadmind. Then kpropd uses
that connection to make an indefinite number of RPC calls using
clnttcp_call from clnt_tcp.c. If any of the RPC calls fails (i.e. gets
an error return from clnttcp_call), another kadm5_init_with_skey call is
made to get new tickets and establish a new connection.
With a current kadmind, an RPC call would typically only fail if the TCP
connection is broken due to a network interruption. With an old kadmind
(before 1.8.3) it could also fail if the ticket used to establish the
context has expired.
As you described the old Solaris bug, kadmind rejects the RPC
authentication when the ticket expires, and instead of returning an
error, the RPC call function returns an all-zeros response structure.
It doesn't look like our clnttcp_call function will do this if it
receives an authentication failure response.
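The client loop described in the reply, as an added simulation that is not MIT krb5 code and not part of this thread. reinit() stands in for kadm5_init_with_skey (fresh tickets, new connection) and rpc_get_update() for clnttcp_call plus the server; the ticket lifetime measured in RPC calls, the serial number SERVER_SNO and the reply layout are all constructed for the example. The two server modes contrast a kadmind that reports the authentication failure as an RPC error (which triggers re-initialisation) with the old Solaris behaviour of returning an all-zeros reply with a success status, which the plain loop accepts as an update with sno 0. The reject_zero_sno guard is an illustrative extra check, not something the reply says kpropd does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simulation, not MIT krb5 code. Names and values below
 * (SERVER_SNO, TICKET_LIFETIME_CALLS, the reply layout) are constructed. */

enum server_mode {
    SERVER_RETURNS_ERROR, /* expired ticket -> the RPC call reports an error */
    SERVER_RETURNS_ZEROS  /* old Solaris behaviour -> all-zeros reply, no error */
};

struct update_reply {
    uint32_t sno;      /* serial number of the update; 0 is never a real update */
    uint32_t nentries; /* number of entries carried by the update */
};

struct client {
    enum server_mode mode;
    int ticket_calls_left; /* calls until the (simulated) ticket expires */
    int reinits;           /* how often fresh tickets were obtained */
};

struct session_result {
    int good_updates;       /* replies with a real serial number */
    int bogus_zero_updates; /* zero-filled replies accepted as updates */
    int reinits;
};

#define TICKET_LIFETIME_CALLS 3
static const uint32_t SERVER_SNO = 42; /* constructed value */

/* Stand-in for kadm5_init_with_skey: fresh tickets and a new connection. */
static void reinit(struct client *c)
{
    c->ticket_calls_left = TICKET_LIFETIME_CALLS;
    c->reinits++;
}

/* Stand-in for clnttcp_call plus the server: 0 on RPC success, -1 on error. */
static int rpc_get_update(struct client *c, struct update_reply *out)
{
    memset(out, 0, sizeof *out);
    if (c->ticket_calls_left <= 0) {
        if (c->mode == SERVER_RETURNS_ERROR)
            return -1; /* authentication failure surfaces as an RPC error */
        return 0;      /* buggy server: success status, zero-filled reply */
    }
    c->ticket_calls_left--;
    out->sno = SERVER_SNO;
    out->nentries = 5;
    return 0;
}

/* Usable reply: RPC succeeded and, if asked for, the sno is non-zero. */
static bool reply_ok(int rc, const struct update_reply *r, bool reject_zero_sno)
{
    return rc == 0 && (!reject_zero_sno || r->sno != 0);
}

/* Make ncalls update requests the way the reply describes kpropd doing it:
 * on a failed call, re-initialise and retry once. With reject_zero_sno the
 * client also treats an all-zeros reply as a failure rather than an update. */
static struct session_result run_session(enum server_mode mode, int ncalls,
                                         bool reject_zero_sno)
{
    struct client c = { mode, 0, 0 };
    struct session_result res = { 0, 0, 0 };
    struct update_reply r;

    reinit(&c);
    for (int i = 0; i < ncalls; i++) {
        int rc = rpc_get_update(&c, &r);
        if (!reply_ok(rc, &r, reject_zero_sno)) {
            reinit(&c);
            rc = rpc_get_update(&c, &r);
            if (!reply_ok(rc, &r, reject_zero_sno))
                continue; /* give up on this request */
        }
        if (r.sno == 0)
            res.bogus_zero_updates++;
        else
            res.good_updates++;
    }
    res.reinits = c.reinits;
    return res;
}

int main(void)
{
    struct session_result a = run_session(SERVER_RETURNS_ERROR, 6, false);
    struct session_result b = run_session(SERVER_RETURNS_ZEROS, 6, false);
    struct session_result d = run_session(SERVER_RETURNS_ZEROS, 6, true);
    printf("error-returning server:       %d good, %d bogus, %d reinits\n",
           a.good_updates, a.bogus_zero_updates, a.reinits);
    printf("zero-returning server:        %d good, %d bogus, %d reinits\n",
           b.good_updates, b.bogus_zero_updates, b.reinits);
    printf("zero-returning, sno checked:  %d good, %d bogus, %d reinits\n",
           d.good_updates, d.bogus_zero_updates, d.reinits);
    return 0;
}
```

With the server reporting an error, the fourth call fails, the client re-initialises once and every request yields a real update. With the zero-returning server and no sno check, the same loop silently accepts three zero-filled replies as updates with sno 0, which is exactly the symptom Neng Xue described; checking for a zero sno turns those into the re-initialisation path instead.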