any hidden dependency for krb5_context?


any hidden dependency for krb5_context?

Bin Lu
Hi,

I am doing something like this:

Initialize several krb5_context in one thread and put it in a global (pool) structure, then other threads get krb5_context from the pool and do the real work.

I noticed that the krb5_context objects work fine in the thread where they are initialized, but when they are used in other threads, they don't (error code: KRB5_REALM_CANT_RESOLVE). I thought the realm should have been resolved during krb5_init_context() from env("KRB5_CONFIG"). So my question is: does a krb5_context object rely on any hidden settings?

Thanks,
-binlu
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: any hidden dependency for krb5_context?

Greg Hudson
On 06/16/2014 06:57 PM, Bin Lu wrote:
> Initialize several krb5_context in one thread and put it in a global (pool) structure, then other threads get krb5_context from the pool and do the real work.

This ought to work, as long as you don't use the same krb5_context in
multiple threads at the same time.  I don't have any guesses as to why
you would be getting KRB5_REALM_CANT_RESOLVE when using a context in a
different thread from the one it was initialized in.

> I thought the realm should have been resolved during krb5_init_context() from env("KRB5_CONFIG").

The profile is read at krb5_init_context time, and is queried when we
actually need to send a message to the KDC.  But that should work from
any thread.
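An added example (my own code, not code from this thread or from MIT krb5) of the pattern Bin Lu describes, constrained the way Greg's reply requires: contexts are created in one thread and pooled, and the pool hands each one to at most one thread at a time. The pooled object is an opaque pointer; the dummy create/destroy callbacks are stand-ins for krb5_init_context() and krb5_free_context() so the file builds without krb5 headers, and run_workers() is a constructed stress check that reports any overlapping use.

```c
/* Added example, not from the krbdev thread or MIT krb5: a checkout pool
 * that gives each pooled context to at most one thread at a time.  The
 * dummy_* callbacks stand in for krb5_init_context / krb5_free_context. */
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    void **slots;         /* pooled contexts, owned by the pool */
    int *busy;            /* 1 while the slot is checked out    */
    size_t n;
    pthread_mutex_t lock; /* guards slots[] and busy[]          */
} ctx_pool;

/* Create n contexts in the calling thread; 0 on success, -1 on failure. */
int ctx_pool_init(ctx_pool *p, size_t n, void *(*create)(void))
{
    size_t i;
    p->slots = calloc(n, sizeof *p->slots);
    p->busy = calloc(n, sizeof *p->busy);
    if (p->slots == NULL || p->busy == NULL)
        return -1;
    for (i = 0; i < n; i++)
        if ((p->slots[i] = create()) == NULL)
            return -1;
    p->n = n;
    pthread_mutex_init(&p->lock, NULL);
    return 0;
}

/* Non-blocking checkout: a context no other thread holds, or NULL. */
void *ctx_pool_acquire(ctx_pool *p)
{
    void *ctx = NULL;
    size_t i;
    pthread_mutex_lock(&p->lock);
    for (i = 0; i < p->n; i++)
        if (!p->busy[i]) { p->busy[i] = 1; ctx = p->slots[i]; break; }
    pthread_mutex_unlock(&p->lock);
    return ctx;
}

/* Return a context; -1 if ctx is not a checked-out member of the pool. */
int ctx_pool_release(ctx_pool *p, void *ctx)
{
    int rc = -1;
    size_t i;
    pthread_mutex_lock(&p->lock);
    for (i = 0; i < p->n; i++)
        if (p->slots[i] == ctx && p->busy[i]) { p->busy[i] = 0; rc = 0; break; }
    pthread_mutex_unlock(&p->lock);
    return rc;
}

void ctx_pool_destroy(ctx_pool *p, void (*destroy)(void *))
{
    size_t i;
    for (i = 0; i < p->n; i++)
        destroy(p->slots[i]);
    free(p->slots);
    free(p->busy);
    pthread_mutex_destroy(&p->lock);
}

/* Stand-in context (constructed for this example). */
typedef struct { int in_use; int overlaps; } dummy_ctx;
void *dummy_create(void) { return calloc(1, sizeof(dummy_ctx)); }
void dummy_destroy(void *c) { free(c); }

/* Worker: check out a context, note if another thread was already inside
 * it (which a correct pool makes impossible), do "work", release it. */
static void *worker(void *arg)
{
    ctx_pool *p = arg;
    int i;
    for (i = 0; i < 1000; i++) {
        dummy_ctx *c;
        while ((c = ctx_pool_acquire(p)) == NULL)
            sched_yield();
        if (c->in_use) c->overlaps++;
        c->in_use = 1;
        sched_yield();   /* simulate the real krb5 call */
        c->in_use = 0;
        ctx_pool_release(p, c);
    }
    return NULL;
}

/* Run nthreads workers over nctx contexts; returns overlapping uses seen. */
int run_workers(size_t nctx, size_t nthreads)
{
    ctx_pool p;
    pthread_t *t = calloc(nthreads, sizeof *t);
    size_t i;
    int overlaps = 0;
    if (t == NULL || ctx_pool_init(&p, nctx, dummy_create) != 0)
        return -1;
    for (i = 0; i < nthreads; i++)
        pthread_create(&t[i], NULL, worker, &p);
    for (i = 0; i < nthreads; i++)
        pthread_join(t[i], NULL);
    for (i = 0; i < nctx; i++)
        overlaps += ((dummy_ctx *)p.slots[i])->overlaps;
    ctx_pool_destroy(&p, dummy_destroy);
    free(t);
    return overlaps;
}

int main(void)
{
    printf("overlapping uses: %d\n", run_workers(2, 4));
    return 0;
}
```

The mutex protects only the pool's bookkeeping; the context itself is never touched under the lock, so krb5 calls made on a checked-out context run unserialized, which is the whole point of pooling. This does not address the second problem raised later in the thread (the context keeping the profile's file name and re-reading the file), which is what the profile vtable API in Greg's last reply is for.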

RE: any hidden dependency for krb5_context?

Bin Lu
Hi Greg,

I am calling krb5_get_init_creds_password() in my app. In the failure case it times out in about 40 seconds. The krb5_context objects (addresses) are the same in the 2 threads. Is there any value in the object that could cause the difference in behavior? In both cases, they seem to go through the same route: krb5_sendto_kdc() -> krb5_locate_kdc() -> krb5int_locate_server() -> prof_locate_server() -> krb5_locate_srv_conf_1() -> profile_get_values().

It seems it's using "realms", <default realm> as host, and "kdc" as the input to profile_get_values(). I am not sure if it is getting the kdc from the configuration file in the initial thread, while in other threads it's trying a DNS lookup for the kdc host with the default realm?

Any input will be greatly appreciated.

-binlu


RE: any hidden dependency for krb5_context?

Bin Lu
Hi Greg,

I just noticed that in the profile structure of the krb5_context object, it contains the profile filename instead of the content. And I tested that if I do not remove the configuration file, it works in other threads too.

But this is not what I want, as we might have multiple krb5_context objects with different config files. How can I force krb5_init_context() to save the content of the profile, not just the file name?

Thanks,
-binlu


Re: any hidden dependency for krb5_context?

Greg Hudson
Apologies for the slow response.

On 06/17/2014 03:16 PM, Bin Lu wrote:
> I just noticed that in the profile structure of the krb5_context object, it contains the profile filename instead of the content. And I tested if I do not remove the configuration file, it works too in other threads.

The filename and content are both saved.  We re-read the file if we
detect that it changed; I guess if the file goes away, we might discard
the contents.

> But this is not what I want as we might have multiple krb5_context objects with different config files. How can I enforce krb5_init_context() to save the content of the profile, not just the file name?

In krb5 1.10 we added the ability to create profile objects using a
vtable of callbacks:

http://web.mit.edu/kerberos/krb5-latest/doc/plugindev/profile.html
http://k5wiki.kerberos.org/wiki/Projects/Pluggable_configuration

You can then use krb5_init_context_profile to use the created profile
object.

There are a couple of enhancements we'd like to have, but haven't yet
implemented:

* The ability to create an empty profile (not backed by any file) and
just set values in it.

* The ability to make GSSAPI use a designated krb5_context so that a
context created using a specified profile object can be used with GSSAPI.