Update on the USGS Kerberos for Windows
issue.
We've been able to replicate the KfW
crash outside of Active Directory, using a huge set of SRV DNS records
on a local DNS server.
The Department of Interior Active Directory
team continues to vary the amount of domain controllers in the GS domain.
We must be very close to the DNS buffer limit in KfW, because occasionally
this crash fails to occur.
We've traced the crash to a static buffer
size in wshelper, a MIT-developed Winsock wrapper. This means that the
problem is local to Windows.
We have been able to build a 32-bit
wshelper DLL that contains a larger buffer. In testing, this fixes the
problem in the production AD and test environments.
There are a few problems with building
MIT's Kerberos for Windows. The KfW project's source assumes that we are
using a specific version of MS Visual Studio (2003). This version is old,
and any attempts to build KfW with newer versions are not likely to be
successful. We were able to tweak the wshelper code in order to build the
specific DLL in a newer MS Visual Studio. Jeff Altman has commented that
newer VS versions will probably not be able to build the entire KfW package
(http://mailman.mit.edu/pipermail/kfwdev/2007-July/000073.html).
--
David Boldt
<dboldt@usgs.gov>