On Wed, Aug 17, 2005 at 12:07:40PM +0000, Jeffrey Altman wrote:
> Chet Burgess wrote:
>
> > It is important to note that even if you have the
> > REALM and KDC(s) listed in the file properly the library will still
> > try DNS first, so you MUST add "dns_fallback = false" to turn off the
> > resolver calls.
>
> I am fairly sure that DNS is not used in preference to the configuration
> data in the krb5.conf file. However, the library probably calls the
> resolver library init routine prior to making a request.

The res_ninit() call and the subsequent calls for the DNS records are
made in the krb5int_dns_init function found at src/lib/krb5/os. The
res_ninit() call is made for every lookup.

As for the DNS vs. config file variable, I had a proper krb5.conf file
that listed the REALM and the KDCs; until I added "dns_fallback = false"
to the config file it would always try DNS, then look at the config file.

> Are you suggesting that calling res_init() repeatedly from the same
> thread results in a memory leak?

Suggesting? I guess I was not clear: calling res_ninit() more than once
will result in a memory leak on Solaris (and on Linux, though I have not
tested this). Neither Solaris (nor Linux) makes available a function to
free the memory allocated to a resolver state by res_ninit(). Other
flavors of Unix have a function called res_ndestroy() for just this sort
of thing. In fact Solaris has this function, but it is marked as local in
the library so you cannot link against it.

[EMAIL PROTECTED]:> nm /usr/lib/libresolv.so | grep res_ndestroy
[200] | 194936| 60|FUNC |LOCL |0 |9 |res_ndestroy

The Kerberos developers in fact seem to know/understand this, as they
have a report of this problem on the krb5-bugs mailing list
(http://mailman.mit.edu/pipermail/krb5-bugs/2005-January/003549.html).

Below is a simple example program that exploits this problem.

    #include <stdio.h>
    #include <string.h>
    #include <resolv.h>

    int main(int argc, char **argv)
    {
        struct __res_state statbuf;
        int ret = 0;

        /* Initialize and close the same resolver state forever;
         * memory use grows because nothing frees what res_ninit()
         * allocated. */
        while (1) {
            ret = res_ninit(&statbuf);
            if (ret != 0)
                printf("Init error!\n");
            res_nclose(&statbuf);
            printf("Done!\n");
        }
    }

Compile with something like (this would be for a 64-bit version):

    cc -Iinclude -D_REENTRANT -KPIC -xarch=v9 -DUSE_64 -g -c -o resolvtest.o resolvtest.c
    cc -o resolvtest -Iinclude -D_REENTRANT -KPIC -xarch=v9 -DUSE_64 -g -lresolv -lsocket -lnsl resolvtest.o

--
Chet Burgess
Manager, Enterprise Collaboration Services
Information Services Division
University of Southern California
[EMAIL PROTECTED]
213-740-5160
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
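
Added example, not part of the original message and not MIT krb5 code: one way for a caller to avoid the growth the test program above shows is to call res_ninit() at most once per thread and reuse that state for every later lookup. The names cached_res_state and cached_res_init_calls are hypothetical, and the sketch assumes a C11 compiler with _Thread_local; the state is kept for the life of the thread.

```c
/* Added example: one resolver state per thread, initialized at most once. */
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <stdio.h>

/* Hypothetical names; none of this is MIT krb5 code. */
enum { RS_UNINIT = 0, RS_READY = 1, RS_FAILED = 2 };

static _Thread_local struct __res_state tls_state;
static _Thread_local int tls_status = RS_UNINIT;
static _Thread_local unsigned long tls_init_calls;

/* Return this thread's resolver state, calling res_ninit() on first use
 * only. A failed init is remembered and not retried, so an error path
 * cannot turn back into one res_ninit() call per lookup. */
res_state cached_res_state(void)
{
    if (tls_status == RS_UNINIT) {
        tls_init_calls++;
        tls_status = (res_ninit(&tls_state) == 0) ? RS_READY : RS_FAILED;
    }
    return tls_status == RS_READY ? &tls_state : NULL;
}

/* Number of res_ninit() calls made on behalf of the calling thread. */
unsigned long cached_res_init_calls(void)
{
    return tls_init_calls;
}

int main(void)
{
    int i;

    /* Same loop shape as the test program above: many "lookups". */
    for (i = 0; i < 100000; i++) {
        if (cached_res_state() == NULL) {
            printf("Init error!\n");
            return 1;
        }
    }
    printf("%d lookups, %lu res_ninit() call(s)\n", i, cached_res_init_calls());
    return 0;
}
```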