
Possible message multiplexing problem



Hi,

How does Heimdal match up responses with requests?

Doesn't there have to be some kind of multiplex ID?

I added a DNS cache and now my multi-process torture-test is giving me
very occasional errors from gss_acquire_cred:

  GSS_S_FAILURE: Additional pre-authentication required

Looking at a capture around the point of failure I see the following:

  ...
  TGS-REQ
  TGS-REP
  AS-REQ (nonce: 2261734593)
  AS-REQ (nonce: 2261734593)
  KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REQ (nonce: 2261734593 + preauth)
  KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
  AS-REP
  AS-REQ (nonce: 2260112736)
  KRB-ERROR: KRB5KDC_ERR_PREAUTH_REQUIRED
  ...

Note there are multiple processes issuing requests from the same source
port [1].

Naturally MS returns KRB5KDC_ERR_PREAUTH_REQUIRED initially because
no preauth was supplied. That is normal. But it seems without the DNS
lookups things happen fast enough that two AS-REQs make it out within
1/10th of a millisecond and AFAICT they are identical including the nonce.

So I have to wonder if the client is interpreting the second
KRB5KDC_ERR_PREAUTH_REQUIRED as the response to the retried AS-REQ of
the first process when in reality it was actually the response to the
AS-REQ of the second process.

Can anyone concur or refute what is happening here?

Mike

[1] I suppose if the Kerberos library was not initialized until after
workers were forked the source port would be different.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
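The following is an added illustration of the hypothesis in the post above; it is not code from the post, from Heimdal, or from the poster's library. It models what happens when workers are forked after the Kerberos library's PRNG has been seeded (every child inherits the same PRNG state, so their AS-REQ nonces collide) and share one UDP source port (whichever worker reads first consumes the next datagram). Assumptions, all constructed for the demo: workers are plain objects rather than real processes, the KDC's KRB-ERROR is modelled as echoing the nonce of the request it answers so that a nonce check can be shown, and the "fix" of mixing the child pid into the seed after fork is hypothetical.

```python
import random
from collections import deque

# Constructed model of the scenario in the post: forked workers sharing
# PRNG state and a UDP source port, answered by a KDC that returns
# KRB5KDC_ERR_PREAUTH_REQUIRED to an AS-REQ carrying no pre-authentication.
PREAUTH_REQUIRED = "KRB5KDC_ERR_PREAUTH_REQUIRED"


class Worker:
    """One forked client process holding its own PRNG instance."""

    def __init__(self, pid, rng):
        self.pid = pid
        self.rng = rng

    def build_as_req(self):
        # The nonce is the only thing a client can use to tie a reply back
        # to its request; it comes straight from the worker's PRNG.
        nonce = self.rng.getrandbits(32)
        return {"type": "AS-REQ", "nonce": nonce, "from_pid": self.pid}


def fork_workers(parent_seed, n, reseed_after_fork):
    """Simulate forking n workers from a parent whose PRNG is already seeded.

    reseed_after_fork=False copies the parent's PRNG state verbatim, as fork()
    does; True models the hypothetical fix of reseeding with the child's pid.
    """
    parent = random.Random(parent_seed)
    workers = []
    for pid in range(1, n + 1):
        rng = random.Random()
        if reseed_after_fork:
            rng.seed(parent_seed * 1000 + pid)  # hypothetical post-fork reseed
        else:
            rng.setstate(parent.getstate())     # inherited, identical state
        workers.append(Worker(pid, rng))
    return workers


def kdc_reply(req):
    """Model KDC: an AS-REQ without preauth gets a KRB-ERROR. Echoing the
    request nonce in the error is a simplification made for this demo."""
    return {"type": "KRB-ERROR", "error": PREAUTH_REQUIRED,
            "nonce": req["nonce"], "for_pid": req["from_pid"]}


def run_round(workers, read_order):
    """Every worker sends one AS-REQ through the shared source port; the
    KDC answers each; then workers read the port in `read_order` (a list of
    pids, modelling the timing race). A reply is accepted only if its nonce
    matches the reader's outstanding request. Returns (reader_pid, for_pid)
    for each accepted reply."""
    shared_port = deque()
    pending = {}
    for w in workers:
        req = w.build_as_req()
        pending[w.pid] = req
        shared_port.append(kdc_reply(req))
    by_pid = {w.pid: w for w in workers}
    accepted = []
    for pid in read_order:
        reply = shared_port.popleft()  # first reader takes the next datagram
        if reply["nonce"] == pending[pid]["nonce"]:
            accepted.append((by_pid[pid].pid, reply["for_pid"]))
    return accepted


def misattributed(accepted):
    """Replies a worker accepted although they answered another worker."""
    return [pair for pair in accepted if pair[0] != pair[1]]


if __name__ == "__main__":
    # Worker 2 reads before worker 1, as the capture in the post suggests.
    shared = run_round(fork_workers(42, 2, False), [2, 1])
    print("inherited PRNG state, accepted:", shared,
          "misattributed:", misattributed(shared))
    reseeded = run_round(fork_workers(42, 2, True), [2, 1])
    print("reseeded per child, accepted:", reseeded,
          "misattributed:", misattributed(reseeded))
```

With inherited PRNG state both workers produce the same 32-bit nonce, so each one accepts the KRB-ERROR that was really addressed to the other: exactly the confusion the post suspects. After the per-child reseed the nonces differ and the check rejects the foreign datagram; note that the reply is still consumed from the shared port by the wrong worker, so reseeding alone turns a silent misattribution into a lost reply, and a separate socket per process (the footnote's suggestion of initialising after fork) is what actually routes each answer to its requester.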