is krb5_cc_initialize() thread safe

Olga Kornievskaia aglo at umich.edu
Fri Feb 21 09:47:26 EST 2025


On Thu, Feb 20, 2025 at 10:25 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
> >> Greg does bring up the larger meta-issue that you're apparently trying
> >> to have two threads call krb5_cc_initialize() on the same FILE
> >> credential cache; what, exactly, are you trying to accomplish there?
> >
> >NFS gssd service is multithreaded (has been for a while now). And at
> >some point we've allowed multiple upcalls for the same UID (leading to
> >the upcalls looking/working on the same credential cache) and thus the
> >problem that krb5_cc_initialize() is called by 2 threads. It was
> >assumed that Kerberos libraries are "thread-safe".
>
> I think you're missing Greg's point; krb5_cc_initialize() wipes out the
> credential cache completely and makes it non-usable.  That's what he
> meant by it being thread safe but not concurrency safe.  If one upcall
> stored credentials another thread would wipe those out with a call to
> krb5_cc_initialize().  I'm unclear what exactly you expect to happen
> in this situation.

Imagine if there are 2 parallel kinits. It doesn't matter that the
2nd one will wipe out the creds, there will be a set of creds in the
end.

I expect krb5_cc_initialize() to not fail. Yes, I can see that some
conditions (such as memory allocation failure) can lead to one thread
successfully completing while the other will fail. But memory
issues are not in play here.

>
> --Ken


