[31630] in Kerberos

Re: GSS-API errors

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Oct 29 13:00:30 2009

From: Greg Hudson <ghudson@mit.edu>
To: Mike Friedman <mikef@berkeley.edu>
In-Reply-To: <alpine.BSF.1.10.0910290928530.56573@brillig.security.berkeley.edu>
Date: Thu, 29 Oct 2009 13:00:07 -0400
Message-Id: <1256835607.5933.207.camel@ray>
Mime-Version: 1.0
Cc: MIT Kerberos Mailing List <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
> Any ideas about how, at least, to track down the cause of these particular 
> errors?  Is the mere attempt to make a couple of dozen or more kadmin 
> connections per second likely to cause this problem?

You might be running into a replay cache issue.  In krb5 1.6, the replay
cache keyed mostly off of the timestamp of the authenticator, which
could be the same if you make two connections in quick succession.  In
1.7 we also key off a checksum of the encrypted authenticator, which is
very unlikely to collide because of the confounder.

As a workaround, it's possible to perform multiple operations within a
single connection.  I don't know if Authen::Krb5::Admin allows that,
though.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
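
The replay cache behaviour described in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: the principal name, timestamp values, SHA-256 as the checksum, and the "encryption" (a random confounder prepended to the plaintext) are assumptions made for illustration.

```python
import hashlib
import os


def make_authenticator(client, ctime, cusec):
    """Build a toy authenticator; a fresh random confounder stands in for
    the one real Kerberos encryption adds (constructed model)."""
    plaintext = f"{client}|{ctime}|{cusec}".encode()
    confounder = os.urandom(16)  # new for every encryption
    return {"client": client, "ctime": ctime, "cusec": cusec,
            "enc": confounder + plaintext}


class ReplayCache:
    def __init__(self, use_checksum):
        # use_checksum=False models keying on the timestamp only (1.6-style);
        # use_checksum=True also keys on a hash of the encrypted blob (1.7-style).
        self.use_checksum = use_checksum
        self.seen = set()

    def _key(self, auth):
        key = (auth["client"], auth["ctime"], auth["cusec"])
        if self.use_checksum:
            key += (hashlib.sha256(auth["enc"]).hexdigest(),)
        return key

    def check_and_store(self, auth):
        """Return True if accepted, False if flagged as a replay."""
        key = self._key(auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def run(use_checksum):
    rc = ReplayCache(use_checksum)
    # Constructed sample: two separate connections whose authenticators
    # carry the same timestamp, then a byte-for-byte resend of the first.
    a = make_authenticator("admin/admin@EXAMPLE.COM", 1256835607, 0)
    b = make_authenticator("admin/admin@EXAMPLE.COM", 1256835607, 0)
    return {"first": rc.check_and_store(a),
            "second_distinct": rc.check_and_store(b),
            "true_replay": rc.check_and_store(a)}


if __name__ == "__main__":
    print("timestamp only:      ", run(False))
    print("timestamp + checksum:", run(True))
```

With the timestamp-only key the second, legitimate connection is rejected as a replay; adding the checksum lets it through while the byte-for-byte resend is still caught.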
