Subject: | GSSAPI context being destroyed when ticket cache renewed |
Hello,
In helping a user on the openldap-software list track down why
replication (SASL/GSSAPI based) wasn't working correctly on his servers,
we found that the problem was the way in which MIT Kerberos handles
ticket refreshes. Basically, the way the replication work is we have a
master and a replica. The replica makes a persistent bind to the master
with SASL/GSSAPI. On my servers using Heimdal kerberos, this works
fine, and can last for days. However, on his servers using MIT
Kerberos, once the ticket cache was refreshed (we both use k5start by
Russ Allbery to do this), the GSSAPI context was destroyed, meaning that
traffic could no longer be encrypted between the master and the replica.
Replication would stop, and the master and replicas would both get into
odd states after that.
Another user reported having the same problems with MIT kerberos:
--On Thursday, August 31, 2006 9:41 PM +0100 simon@sxw.org.uk wrote:
It would be great to have this fixed!
--Quanah
In helping a user on the openldap-software list track down why
replication (SASL/GSSAPI based) wasn't working correctly on his servers,
we found that the problem was the way in which MIT Kerberos handles
ticket refreshes. Basically, the way the replication work is we have a
master and a replica. The replica makes a persistent bind to the master
with SASL/GSSAPI. On my servers using Heimdal kerberos, this works
fine, and can last for days. However, on his servers using MIT
Kerberos, once the ticket cache was refreshed (we both use k5start by
Russ Allbery to do this), the GSSAPI context was destroyed, meaning that
traffic could no longer be encrypted between the master and the replica.
Replication would stop, and the master and replicas would both get into
odd states after that.
Another user reported having the same problems with MIT kerberos:
--On Thursday, August 31, 2006 9:41 PM +0100 simon@sxw.org.uk wrote:
Show quoted text
>
> If you're using MIT Kerberos, I strongly suspect that the problem you're
> seeing is due to the behaviour of its GSSAPI library. With MIT's
> implementation a gssapi context is only valid for the lifetime of the
> initiator's credential. So, when your clients credentials expire, the
> security context also expires, and the client and server both start
> failing to decrypt each others packets. We first noticed this problem
> because slapd would crash when the decryption failure occurred - this
> problem no longer exists - but MIT Kerberos's behaviour has not changed.
>
> Just renewing your credentials won't help, as the new credentials will
> only be used when establishing a new security context, which only happens
> when a new connection is opened.
> If you're using MIT Kerberos, I strongly suspect that the problem you're
> seeing is due to the behaviour of its GSSAPI library. With MIT's
> implementation a gssapi context is only valid for the lifetime of the
> initiator's credential. So, when your clients credentials expire, the
> security context also expires, and the client and server both start
> failing to decrypt each others packets. We first noticed this problem
> because slapd would crash when the decryption failure occurred - this
> problem no longer exists - but MIT Kerberos's behaviour has not changed.
>
> Just renewing your credentials won't help, as the new credentials will
> only be used when establishing a new security context, which only happens
> when a new connection is opened.
It would be great to have this fixed!
--Quanah