[20525] in Kerberos_V5_Development
Re: is krb5_cc_initialize() thread safe
daemon@ATHENA.MIT.EDU (Ken Hornstein via krbdev)
Thu Feb 20 22:26:06 2025
Message-Id: <202502210325.51L3PdlO004564@hedwig.cmf.nrl.navy.mil>
To: Olga Kornievskaia <aglo@umich.edu>
cc: krbdev@mit.edu
In-Reply-To: <CAN-5tyF+RQjCdqHbg_kuv7L53_kRufmQMv5gUr2ji1QcmdVQyg@mail.gmail.com>
Date: Thu, 20 Feb 2025 22:25:39 -0500
From: Ken Hornstein via krbdev <krbdev@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>> Greg does bring up the larger meta-issue that you're apparently trying
>> to have two threads call krb5_cc_initialize() on the same FILE
>> credential cache; what, exactly, are you trying to accomplish there?
>
>NFS gssd service is multithreaded (has been for a while now). And at
>some point we've allowed multiple upcalls for the same UID (leading to
>the upcalls looking/working on the same credential cache) and thus the
>problem that krb5_cc_initialize() is called by 2 threads. It was
>assumed that kerberos libraries are "thread-safe".
I think you're missing Greg's point; krb5_cc_initialize() wipes out the
credential cache completely and makes it non-usable. That's what he
meant by it being thread safe but not concurrency safe. If one upcall
stored credentials another thread would wipe those out with a call to
krb5_cc_initialize(). I'm unclear what exactly you expect to happen
in this situation.
--Ken
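
The distinction drawn in the message above (each call is safe on its own, the sequence of calls across upcalls is not), as an added example that is not part of the original thread and is not MIT krb5 code: a toy C model, with no libkrb5 calls, that enumerates every interleaving of two upcalls sharing one cache. The three-step upcall, the per-cache lock and the skip-if-populated guard are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model, NOT libkrb5: one FILE ccache shared by two upcalls for one UID.
 * Every step is atomic (the "thread safe" part); only the ordering varies. */
struct cc { int ncreds; int owner; };  /* owner: holder of a hypothetical lock, -1 = free */

/* Run the next step of upcall `id`; returns 1 if its use step found an empty cache. */
static int step(struct cc *c, int id, int *pc, int serialized) {
    int failed = 0;
    if (serialized) c->owner = id;     /* lock is held from the first step to the last */
    switch (pc[id]++) {
    case 0:  /* stands in for krb5_cc_initialize(): existing contents are wiped */
        if (serialized && c->ncreds > 0) break;  /* assumed guard: keep a populated cache */
        c->ncreds = 0;
        break;
    case 1:  /* stands in for storing the credential just obtained */
        c->ncreds = 1;
        break;
    case 2:  /* assumed final step: the upcall reads the cache back */
        failed = (c->ncreds == 0);
        if (serialized) c->owner = -1;
        break;
    }
    return failed;
}

/* Walk every schedule; returns how many contain a failed use, counts all in *total. */
static int explore(struct cc c, int pc0, int pc1, int bad, int serialized, int *total) {
    if (pc0 == 3 && pc1 == 3) { (*total)++; return bad; }
    int nbad = 0;
    for (int id = 0; id < 2; id++) {
        int pc[2] = { pc0, pc1 };
        if (pc[id] == 3) continue;                                   /* upcall finished */
        if (serialized && c.owner != -1 && c.owner != id) continue;  /* blocked on lock */
        struct cc next = c;
        int failed = step(&next, id, pc, serialized);
        nbad += explore(next, pc[0], pc[1], bad | failed, serialized, total);
    }
    return nbad;
}

int bad_schedules(int serialized, int *total) {
    struct cc c = { 0, -1 };
    *total = 0;
    return explore(c, 0, 0, 0, serialized, total);
}

int main(void) {
    int total, bad = bad_schedules(0, &total);
    printf("unserialized: %d of %d schedules read an empty cache\n", bad, total);
    bad = bad_schedules(1, &total);
    printf("serialized:   %d of %d schedules read an empty cache\n", bad, total);
    return 0;
}
```

The failing schedules are the ones where the second upcall's initialize step lands between the first upcall's store and its read, which is the wipe-out the message describes.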