[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible message multiplexing problem

To: heimdal-discuss@sics.se, Michael B Allen <miallen@ioplex.com>
Subject: Re: Possible message multiplexing problem
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 23 Jun 2008 08:49:43 -0700
In-Reply-To: <20080622180610.388d453d.miallen@ioplex.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <20080622180610.388d453d.miallen@ioplex.com>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>


On Jun 22, 2008, at 3:06 PM, Michael B Allen wrote:

> Hi,
>
> How does Heimdal match up responses with requests?
>
> Doesn't there have to be some kind of multiplex ID?
>
> I added a DNS cache and now my multi-process tourture-test is giving  
> me
> a very occasional errors from gss_acquire_cred:
>
> GSS_S_FAILURE: Additional pre-authentication required
>
> Looking at a capture around the point of failure I see the following:
>
> ...
> TGS-REQ
> TGS-REP
> AS-REQ (nonce: 2261734593)
> AS-REQ (nonce: 2261734593)
> KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ (nonce: 2261734593 + preauth)
> KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REP
> AS-REQ (nonce: 2260112736)
> KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
> ...
>
> Note there are multiple processes issuing requests from the same  
> source
> port [1].
>
> Natrually MS returns KRB5KDC_ERR_PREAUTH_REQUIRED initially because
> no preauth was supplied. That is normal. But it seems without the DNS
> lookups things happen fast enough that two AS-REQs make it out within
> 1/10th of a millisecond and AFAICT they are identical including the  
> nonce.
>
> So I have to wonder if the client is interpreting the second
> KRB5KDC_ERR_PREAUTH_REQUIRED as the response to the retried AS-REQ of
> the first process when in reality it was actually the response to the
> AS-REQ of the second process.
>
> Can anyone concur or refute what is happening here?
>
> Mike
>
> [1] I suppose if the Kerberos library was not initialized until after
> workers were forked the source port would be different.

I'm not clear that it's possible to do the matchup like I think you  
want.  I thought the multi-thread model was that every thread that  
wanted to do Kerberos needed its own context.

> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/

Follow-Ups:
- Re: Possible message multiplexing problem
  - From: Michael B Allen <miallen@ioplex.com>

References:
- Possible message multiplexing problem
  - From: Michael B Allen <miallen@ioplex.com>

Prev by Date: No Subject
Next by Date: Re: Possible message multiplexing problem
Prev by thread: Possible message multiplexing problem
Next by thread: Re: Possible message multiplexing problem
Index(es):
- Date
- Thread