
GSS-API errors


Mike Friedman

Oct 29, 2009, 12:37:44 PM
to MIT Kerberos Mailing List

I have several perl routines that use the Authen::Krb5::Admin module,
which is linked with MIT K5 1.6.3 libraries. When attempting multiple
admin transactions, each of which involves a new connection to kadmind and
which occur in rapid succession (many per second), my functions now and
then (definitely NOT always) get back a GSS-API error (RC=46).

However no GSS-API errors are being logged by the KDC. This makes me
suspect a client library issue. One consequence is that there's no more
specific error message to work with.

Any ideas about how, at least, to track down the cause of these particular
errors? Is the mere attempt to make a couple of dozen or more kadmin
connections per second likely to cause this problem?

Thanks for any suggestions.

Mike

_________________________________________________________________________
Mike Friedman Information Services & Technology
mi...@berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________

Greg Hudson

Oct 29, 2009, 1:00:07 PM
to Mike Friedman, MIT Kerberos Mailing List
On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
> Any ideas about how, at least, to track down the cause of these particular
> errors? Is the mere attempt to make a couple of dozen or more kadmin
> connections per second likely to cause this problem?

You might be running into a replay cache issue. In krb5 1.6, the replay
cache keyed mostly off of the timestamp of the authenticator, which
could be the same if you make two connections in quick succession. In
1.7 we also key off a checksum of the encrypted authenticator, which is
very unlikely to collide because of the confounder.

As a workaround, it's possible to perform multiple operations within a
single connection. I don't know if Authen::Krb5::Admin allows that,
though.
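
The replay-cache behaviour Greg describes can be made concrete with a small model. The following is an added example written for this archive, not code from MIT krb5 or from Authen::Krb5::Admin. It assumes, as a simplification, that the 1.6-era cache key is built from client, server and the authenticator's timestamp fields, that the 1.7-era key additionally includes a checksum of the encrypted authenticator, and that the "encryption" is stood in for by prefixing a random confounder. The principal names and the fixed timestamp are constructed values. It shows why a burst of distinct authenticators sharing a timestamp is reported as a replay under the first scheme but not the second, while a genuine replay is still caught by both.

```python
"""Model of replay-cache keying before and after the authenticator checksum was added."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    client: str
    server: str
    ctime: int        # authenticator timestamp, seconds
    cusec: int        # authenticator timestamp, microseconds field
    ciphertext: bytes  # stand-in for the encrypted authenticator


class ReplayCache:
    """Remembers keys of accepted authenticators; a repeated key is treated as a replay."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._seen = set()

    def check_and_store(self, auth):
        """Return True if the authenticator is accepted, False if it looks like a replay."""
        key = self._key_fn(auth)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def key_timestamp_only(auth):
    # Assumed 1.6-style key: identity plus timestamp fields only.
    return (auth.client, auth.server, auth.ctime, auth.cusec)


def key_with_checksum(auth):
    # Assumed 1.7-style key: the same fields plus a digest of the ciphertext.
    return key_timestamp_only(auth) + (hashlib.sha256(auth.ciphertext).hexdigest(),)


def make_auth(client, server, ctime, cusec):
    # A fresh random confounder makes every ciphertext distinct even when
    # the plaintext fields (including the timestamp) are identical.
    confounder = os.urandom(16)
    body = f"{client}|{server}|{ctime}|{cusec}".encode()
    return Authenticator(client, server, ctime, cusec, confounder + body)


def simulate_burst(key_fn, n, ctime=1256834264, cusec=0):
    """Open n connections whose authenticators share one timestamp; return how many are accepted."""
    cache = ReplayCache(key_fn)
    accepted = 0
    for _ in range(n):
        # Constructed principal names; the timestamp is held fixed to model
        # connections made within the same clock tick.
        auth = make_auth("kadmin-client@EXAMPLE.ORG", "kadmin/admin@EXAMPLE.ORG", ctime, cusec)
        if cache.check_and_store(auth):
            accepted += 1
    return accepted


def true_replay_rejected(key_fn):
    """Resubmit the very same authenticator and report whether the cache rejects it."""
    cache = ReplayCache(key_fn)
    auth = make_auth("kadmin-client@EXAMPLE.ORG", "kadmin/admin@EXAMPLE.ORG", 1256834264, 0)
    first = cache.check_and_store(auth)
    second = cache.check_and_store(auth)
    return first and not second


if __name__ == "__main__":
    print("timestamp-only key, 5 connections accepted:", simulate_burst(key_timestamp_only, 5))
    print("checksum key, 5 connections accepted:", simulate_burst(key_with_checksum, 5))
    print("true replay still rejected:", true_replay_rejected(key_with_checksum))
```

Under the timestamp-only key every connection after the first in the same tick is refused, which is the intermittent failure pattern in the original report: it only bites when two connections land close enough together to share a timestamp. Holding `cusec` fixed in the model is deliberate; in practice the chance of a collision depends on the client's clock granularity and on how many connections are opened per second.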


Mike Friedman

Oct 29, 2009, 1:14:15 PM
to Greg Hudson, MIT Kerberos Mailing List

Greg,

Unfortunately, my library of Kerberos routines consists only of standalone
functions, each of which makes its own kadmind connection. I realize I
should also have provided a method that just returned a kadm5 handle so
that calling routines could do multiple transactions on the same
connection. But then it would be the responsibility of each such calling
application to track the persistence of the connection.

For example, updates will fail while kprop is unloading the db.
Currently, an app can just retry the standalone function, which will
establish a new connection. Anyway, wise or not, I didn't provide a
connection-only perl method, so apps that call my functions (e.g., to add
a principal) wind up connecting to kadmind each time.

Are you saying that with 1.7 and later releases, this problem should go
away (assuming its cause is as you speculate)?

Mike


Greg Hudson

Oct 29, 2009, 1:50:07 PM
to Mike Friedman, MIT Kerberos Mailing List
On Thu, 2009-10-29 at 13:14 -0400, Mike Friedman wrote:
> Are you saying that with 1.7 and later releases, this problem should go
> away (assuming its cause is as you speculate)?

It should, yes.

