From paul.cedergren@smss.external.lmco.com Tue Feb 23 14:16:12 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA10290 for <bugs@RT-11.MIT.EDU>; Tue, 23 Feb 1999 14:16:07 -0500
Received: from [141.205.45.85] by MIT.EDU with SMTP
id AA19837; Tue, 23 Feb 99 14:15:53 EST
Received: from nt10006.idedev (unverified [10.1.1.1]) by emailFilter.gsde.gov
(Integralis SMTPRS 2.0.15) with ESMTP id <B0000014115@emailFilter.gsde.gov>;
Tue, 23 Feb 1999 13:22:09 -0600
Received: by nt10006.idedev with Internet Mail Service (5.5.1960.3)
id <FL71B9GG>; Tue, 23 Feb 1999 13:15:38 -0600
Message-Id: <E1E9100F4526D2119DB400A0C976D895050AEF@nt10006.idedev>
Date: Tue, 23 Feb 1999 13:15:35 -0600
From: "Cedergren, Paul H." <paul.cedergren@smss.external.lmco.com>
To: "'krb5-bugs@mit.edu'" <krb5-bugs@MIT.EDU>
Cc: "'lindolfo.martinez@lmco.com'" <lindolfo.martinez@lmco.com>
Subject: Kdc replay cache problem

>Number: 695
>Category: krb5-kdc
>Synopsis: Kdc replay cache problem
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Feb 23 14:17:00 EST 1999
>Last-Modified: Sat Jun 23 01:29:43 EDT 2001
>Originator: "Cedergren, Paul H." <paul.cedergren@smss.external.lmco.com>
>Organization:
>Release:
>Environment:
>Description:
Sorry, send-pr cannot be used in my environment.

The version of kerberos we are using is apparently a 1994 version
purchased from LatticeSoft, a vendor who originally had obtained the
release from Digital Equipment Company. We have been having a problem
with the kdc incurring a KRB5_RC_IO_UNKNOWN error when writing to the
replay cache. When the KRB5_RC_IO_UNKNOWN error occurs, the kdc never
recovers, and all subsequent requests for tickets from <any client>
<anywhere> will be denied. This is a real problem since the backup
kdc(s) never come into play. The primary kdc is not down -- it is just
refusing to give tickets because it has an unknown replay cache error.
Unfortunately the value of errno is not written to the syserrlog so it
is not possible to know just what is happening.

I have inspected a later version of Kerberos obtained by Internet.
Evidently, subsequent releases of Kerberos have addressed this problem
by detecting the generic replay cache io error, deleting the cache,
reestablishing it, and then attempting to write to it a second time.
The comments associated with this solution say it is to handle
situations where the replay cache has been deleted by some other process
(see kdc_util.c). The comments also indicate the programmer does not
particularly like this solution. We are quite sure that in our
environment no other process is touching the replay cache. Yet the
replay cache io error still occurs, and when it does occur, we are dead
in the water until the kdc is killed.

For various technical reasons, we are obliged to use the LatticeSoft kdc
and cannot presently use a later release. I have been asked to
determine if this is a bug or some problem in our operating environment.
Can you give us any additional information you might have concerning the
unknown replay cache error? In particular, is there any evidence that
the error is a bug within the kdc's code and not a problem of the replay
cache being deleted, overwritten, or being rendered inaccessible by some
external process?

Thanks,

Paul Cedergren
Lockheed Martin Corporation
3700 Bay Area Blvd.
Houston, TX 77058
paul.cedergren@lmco.com
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Sat Jun 23 01:28:58 2001
Responsible-Changed-Why:

>Unformatted:
We don't have the resources to do this kind of support, and recent
releases should have fixed some of the KDC rcache problems anyway.
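
The recovery sequence the report describes for later releases (detect the replay cache I/O error, delete the cache, re-create it, retry the write once), as an added C example that is not part of the original report and is not MIT krb5 code. `struct rcache`, `rc_open`, `rc_reopen`, `rc_write` and `rc_store_recover` are hypothetical names, the cache is assumed to be a plain append-only file, and the errno value the report found missing from the log is written out before recovery.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical minimal file-backed replay cache; not the krb5 rcache API. */
struct rcache { char path[256]; int fd; int last_errno; };
static int rc_reopen(struct rcache *rc)
{
    rc->fd = open(rc->path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (rc->fd < 0) rc->last_errno = errno;
    return rc->fd < 0 ? -1 : 0;
}

static int rc_open(struct rcache *rc, const char *path)
{
    snprintf(rc->path, sizeof rc->path, "%s", path);
    rc->last_errno = 0;
    return rc_reopen(rc);
}

/* Append one record; a short write counts as an I/O failure. */
static int rc_write(struct rcache *rc, const char *rec, size_t len)
{
    ssize_t n = write(rc->fd, rec, len);
    if (n == (ssize_t)len) return 0;
    rc->last_errno = (n < 0) ? errno : EIO;
    return -1;
}

/* Returns 0 = stored, 1 = stored after rebuilding the cache, -1 = failed. */
static int rc_store_recover(struct rcache *rc, const char *rec, size_t len)
{
    if (rc_write(rc, rec, len) == 0) return 0;
    /* Record the cause; the report notes errno never reached the log. */
    fprintf(stderr, "rcache %s: write failed: %s\n", rc->path, strerror(rc->last_errno));
    if (rc->fd >= 0) close(rc->fd);
    unlink(rc->path);  /* drops earlier replay records along with the file */
    if (rc_reopen(rc) != 0) return -1;
    return rc_write(rc, rec, len) == 0 ? 1 : -1;  /* one retry only */
}

int main(void)
{
    struct rcache rc;
    if (rc_open(&rc, "rcache_demo.tmp") != 0) return 1;  /* constructed path */
    int r = rc_store_recover(&rc, "auth-1\n", 7);
    close(rc.fd); unlink(rc.path); return r < 0;
}
```

Rebuilding the file discards every replay record written before the failure, so a request replayed within the clock-skew window is no longer caught by the cache; the single retry bounds the recovery so a persistent fault surfaces as an error instead of a loop.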