krb5 ccache of MEMORY type

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

krb5 ccache of MEMORY type

Roman Semenov

 
Hello Everyone.
I have a question regarding the subject:Is the krb5_ccahe thread safe at all when it's of type MEMORY?
 
Technical Background:Assuming I make a ldap_sasl_bind_interactive() bind to an MS AD Server.That call requires krb5 ccache to contain the TGS ticket required for the bind operation.I have multiple threads to handle the ldap requests. 

In every thread, I do check the cache if it contains the required TGS for the configured principal.If it doesn't, then I authenticate the user again and get a new TGS ticket for ldap service.Of course, every thread creates its own krb5_context to authenticate the user,but all the threads are using the same ccache object.
Everything works fine while krb5 FILE type of ccache is in use. ow I want to improve performance and switch to MEMORY type of ccache. And I start getting my app crashed intermittently.

That makes me think - is the krb5_ccahe thread safe at all when it's of type MEMORY?Should I have a global krb5_context associated with that cache in this scenario?

 
Thank you in advance,Roman
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: krb5 ccache of MEMORY type

Greg Hudson
On 06/29/2018 03:04 PM, Roman Semenov wrote:
> I have a question regarding the subject:Is the krb5_ccahe thread safe at all when it's of type MEMORY?

Yes.  Memory ccache objects are internally locked, as is the global
table mapping names to memory caches.

> Everything works fine while krb5 FILE type of ccache is in use. ow I want to improve performance and switch to MEMORY type of ccache. And I start getting my app crashed intermittently.

I'm not currently aware of a memory ccache bug which would account for this.

> That makes me think - is the krb5_ccahe thread safe at all when it's of type MEMORY?Should I have a global krb5_context associated with that cache in this scenario?

No, it's fine to use the same memory ccache with different krb5_context
objects, and is preferrable in a multi-threaded program since
krb5_context objects are not themselves internally locked.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: krb5 ccache of MEMORY type

Greg Hudson
On 06/29/2018 03:46 PM, Greg Hudson wrote:
>> Everything works fine while krb5 FILE type of ccache is in use. ow I want to improve performance and switch to MEMORY type of ccache. And I start getting my app crashed intermittently.
>
> I'm not currently aware of a memory ccache bug which would account for this.

Of course, as soon as I sent this I thought to search the bug database
and found this (my own bug report, which I had forgotten about):

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8202

which is "memory ccache cursors are invalidated by initialize".  Since
using a ccache to get tickets implicitly iterates over it, that bug
would account for the crashes you are seeing.  Destroying a memory
ccache also breaks other threads iterating over it.

You can possibly work around this bug by generating a new memory ccache
(with krb5_cc_new_unique()) each time you want to initialize one, and
keeping track of the current ccache name or handle yourself.  You would
have to be careful about destroying old ones when another thread might
still be using them, so this might be more trouble than it's worth.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: krb5 ccache of MEMORY type

Roman Semenov
Hello Greg,
Thank you so much for the response and the link to the existing bug
report. Now it makes sense.
Thanks again,
Roman

On 06/29/2018 12:54 PM, Greg Hudson wrote:

> On 06/29/2018 03:46 PM, Greg Hudson wrote:
>>> Everything works fine while krb5 FILE type of ccache is in use. ow I
>>> want to improve performance and switch to MEMORY type of ccache. And
>>> I start getting my app crashed intermittently.
>>
>> I'm not currently aware of a memory ccache bug which would account
>> for this.
>
> Of course, as soon as I sent this I thought to search the bug database
> and found this (my own bug report, which I had forgotten about):
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=8202
>
> which is "memory ccache cursors are invalidated by initialize". Since
> using a ccache to get tickets implicitly iterates over it, that bug
> would account for the crashes you are seeing.  Destroying a memory
> ccache also breaks other threads iterating over it.
>
> You can possibly work around this bug by generating a new memory
> ccache (with krb5_cc_new_unique()) each time you want to initialize
> one, and keeping track of the current ccache name or handle yourself. 
> You would have to be careful about destroying old ones when another
> thread might still be using them, so this might be more trouble than
> it's worth.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos