From paul.cedergren@smss.external.lmco.com Tue Feb 23 14:16:12 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA10290 for ; Tue, 23 Feb 1999 14:16:07 -0500
Received: from [141.205.45.85] by MIT.EDU with SMTP id AA19837; Tue, 23 Feb 99 14:15:53 EST
Received: from nt10006.idedev (unverified [10.1.1.1]) by emailFilter.gsde.gov (Integralis SMTPRS 2.0.15) with ESMTP id ; Tue, 23 Feb 1999 13:22:09 -0600
Received: by nt10006.idedev with Internet Mail Service (5.5.1960.3) id ; Tue, 23 Feb 1999 13:15:38 -0600
Message-Id:
Date: Tue, 23 Feb 1999 13:15:35 -0600
From: "Cedergren, Paul H."
To: "'krb5-bugs@mit.edu'"
Cc: "'lindolfo.martinez@lmco.com'"
Subject: Kdc replay cache problem

>Number: 695
>Category: krb5-kdc
>Synopsis: Kdc replay cache problem
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 23 14:17:00 EST 1999
>Last-Modified: Sat Jun 23 01:29:43 EDT 2001
>Originator: "Cedergren, Paul H."
>Organization:
>Release:
>Environment:
>Description:

Sorry, send-pr cannot be used in my environment.

The version of kerberos we are using is apparently a 1994 version purchased from LatticeSoft, a vendor who originally had obtained the release from Digital Equipment Company.

We have been having a problem with the kdc incurring a KRB5_RC_IO_UNKNOWN error when writing to the replay cache. When the KRB5_RC_IO_UNKNOWN error occurs, the kdc never recovers, and all subsequent requests for tickets from will be denied. This is a real problem since the backup kdc(s) never come into play. The primary kdc is not down -- it is just refusing to give tickets because it has an unknown replay cache error. Unfortunately the value of errno is not written to the syserrlog so it is not possible to know just what is happening.

I have inspected a later version of Kerberos obtained by Internet. Evidently, subsequent releases of Kerberos have addressed this problem by detecting the generic replay cache io error, deleting the cache, reestablishing it, and then attempting to write to it a second time. The comments associated with this solution say it is to handle situations where the replay cache has been deleted by some other process (see kdc_util.c). The comments also indicate the programmer does not particularly like this solution.

We are quite sure that in our environment no other process is touching the replay cache. Yet the replay cache io error still occurs, and when it does occur, we are dead in the water until the kdc is killed. For various technical reasons, we are obliged to use the LatticeSoft kdc and cannot presently use a later release.

I have been asked to determine if this is a bug or some problem in our operating environment. Can you give us any additional information you might have concerning the unknown replay cache error? In particular, is there any evidence that the error is a bug within the kdc's code and not a problem of the replay cache being deleted, overwritten, or being rendered inaccessible by some external process?

Thanks,

Paul Cedergren
Lockheed Martin Corporation
3700 Bay Area Blvd.
Houston, TX 77058
paul.cedergren@lmco.com

*******************************************************************************
WARNING WARNING WARNING
THIS GOVERNMENT AUTOMATED INFORMATION AND DATA SYSTEM IS MONITORED TO ENSURE SECURITY. ACCESS AND/OR USE OF THE SYSTEM FOR AUTHORIZED USERS ONLY AND CONSTITUTES CONSENT TO MONITORING. UNAUTHORIZED USE IS A VIOLATION OF FEDERAL AND TEXAS LAW
*******************************************************************************

>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Sat Jun 23 01:28:58 2001
Responsible-Changed-Why:

>Unformatted:
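
The recover-and-retry behaviour the report describes for later releases (detect the I/O error, delete the cache, re-establish it, write a second time), together with the errno logging the report says was missing, shown as an added example. It is not code from this report, from LatticeSoft or from MIT Kerberos: `struct rc`, `rc_open`, `rc_store`, `rc_store_with_recovery`, the file name and the record strings are hypothetical stand-ins for a file-backed replay cache, and the fault is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Toy file-backed replay cache (hypothetical; not the krb5 rcache API). */
struct rc { int fd; const char *path; int last_errno; int rebuilt; };

static int rc_open(struct rc *rc, const char *path) {
    rc->path = path;
    rc->fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    return rc->fd < 0 ? -errno : 0;
}

/* Append one record; return 0 or -errno so the cause is never lost. */
static int rc_store(struct rc *rc, const char *rec) {
    size_t len = strlen(rec);
    ssize_t n = write(rc->fd, rec, len);
    if (n < 0) return -errno;
    return (size_t)n == len ? 0 : -EIO; /* treat a short write as an error */
}

/* Store; on failure log errno, rebuild the cache and retry exactly once.
 * Rebuilding forgets recorded authenticators, so a replay inside the
 * clock-skew window would be accepted again: count and log each rebuild. */
static int rc_store_with_recovery(struct rc *rc, const char *rec) {
    int ret = rc_store(rc, rec);
    if (ret == 0) return 0;
    rc->last_errno = -ret;
    fprintf(stderr, "rcache store: %s (errno %d), rebuilding %s\n",
            strerror(-ret), -ret, rc->path);
    if (rc->fd >= 0) close(rc->fd);
    unlink(rc->path);
    if ((ret = rc_open(rc, rc->path)) != 0) return ret; /* caller fails over */
    rc->rebuilt++;
    return rc_store(rc, rec);
}

int main(void) {
    struct rc rc = {0};
    if (rc_open(&rc, "rc_demo.cache") != 0) return 1;
    rc_store_with_recovery(&rc, "client@REALM 919797335\n");
    close(rc.fd); /* constructed fault: descriptor lost, write gives EBADF */
    int ret = rc_store_with_recovery(&rc, "client@REALM 919797336\n");
    printf("ret=%d errno=%d rebuilt=%d\n", ret, rc.last_errno, rc.rebuilt);
    close(rc.fd);
    unlink(rc.path);
    return ret != 0;
}
```

When the rebuild itself fails, the function returns the error instead of retrying, so the caller can stop answering and let clients reach a backup rather than denying every request indefinitely.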