Skip Menu |

Date: Thu, 27 Sep 2012 11:26:26 -0500
Subject: Policy deletion should not rely in refcounts
From: Nico Williams <>
Besides rt #7384, I've seen other policy refcount bugs in MIT Kerberos before.
It seems to me that it'd be better to not rely on the refcounts in the policy
DB. Instead we should consider any of these approaches to handling policy

- disallow policy deletion
- iterate all principals at policy deletion time and apply any of cascade,
null (change to default policy), or restrict referential integrity rules
- delete without checking and allow dangling references to non-existent
policies (somewhat like an implied referential integrity rule that
nulls policy references)

We may well need to be able to handle principals that refer to non-existent
policies for the simple reason that there may be such principals in some
existing KDBs. This makes the third choice above tempting, but it does
not preclude either of the others.

My proposal is the second of the above, with "restrict" rules.
I've started a project page corresponding to this issue:
Subject: SVN Commit
Download (untitled) / with headers
text/plain 1.5KiB

Allow principals to refer to nonexistent policies

Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated

In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
Author: Greg Hudson <>
Commit: 0780e46fc13dbafa177525164997cd204cc50b51
Branch: master
src/include/kdb.h | 2 +-
src/kadmin/cli/kadmin.c | 49 ++-
src/kadmin/dbutil/dump.c | 29 +-
src/lib/kadm5/admin.h | 2 +-
src/lib/kadm5/srv/svr_policy.c | 11 -
src/lib/kadm5/srv/svr_principal.c | 229 ++++---------
.../kadm5/unit-test/api.current/crte-principal.exp | 4 +-
.../kadm5/unit-test/api.current/dlte-policy.exp | 5 +-
.../kadm5/unit-test/api.current/dlte-principal.exp | 76 ----
.../kadm5/unit-test/api.current/mod-principal.exp | 369 +-------------------
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 -
src/tests/dejagnu/krb-standalone/kadmin.exp | 3 +-
src/tests/kdbtest.c | 3 +-
13 files changed, 125 insertions(+), 664 deletions(-)