Hi,

My name is Neng. I am a college hire working for the Oracle Solaris Security Team. Currently I am re-investigating and trying to understand old Solaris Kerberos bug fixes to see whether they are still applicable to the latest MIT kerberos code (for our MIT drop-in project). One of them is the bug fix for "*kadm applications can not refresh their credentials once they've expired*".

The bug description is as follows:

===============================================

The kadmin client applications, such as kadmin and kpropd do not have a proper mechanism for refreshing credentials. Where refresh in the sense of either recreating the credentials or renewing an existing one. kadmin clients use a different credentials store (/tmp/ovsec_adm.XXXXXX) rather than the default credential store as with root and host principals (/tmp/krb5cc_0). The routines that already renew credentials are currently restricted to host or root princs via get_default_cred() and the like.

Currently this causes failure for kpropd. Since clnt_vc() calls are not refreshing properly nor is it returning error. Therefore kpropd thinks that it's getting an update with a sno value of 0. During the next poll kpropd sends a sno of 0 and the master has a value > 0. Therefore the master says that kpropd needs a full-resync. The slave requests a full-resync and gets one. This will have a performance hit on the slave every 8 hours.

===============================================

The bug fix modified three files: *clnt_door.c*, *clnt_dg.c* and *clnt_vc.c* in the rpc library, which I did not see in the latest MIT kerberos repo. But similar code pieces appear in *clnt_udp.c*.

So my question is: does the latest MIT kerberos code still suffer from this bug? Or how can I judge whether the bug fix is still applicable?

Thanks a lot in advance!

Best,
Neng

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos