Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6843127

krb5 should not try to access unavailable kdc too often

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • P4
    • 7
    • 6, 7
    • security-libs
    • None
    • b79
    • generic, sparc
    • generic, solaris_10

    Backports

      Description

        Curently, AS-REQ acts like this:

          try {
             send AS-REQ and wait for AS-REP
          } catch (KRB-ERROR needs PREAUTH) {
             send AS-REQ with PREAUTH and wait for AS-REP
          }

        and the send-wait process looks like:

          for (all KDCs configed) {
             for (try 3 times) {
                try {
                   send AS-REQ and wait for AS-REP
                   return
                } catch (IOError) {
                   continue
                }
             }
          }

        The two processes are independent, which means when the first configured KDC is not accessible anymore, something like this is performed:

          1. Send AS-REQ to KDC1
          2. Send AS-REQ to KDC1
          3. Send AS-REQ to KDC1
          4. Send AS-REQ to KDC2
             KDC2 replies: KRB-ERROR needs PREAUTH
          5. Send AS-REQ with PREAUTH to KDC1
          6. Send AS-REQ with PREAUTH to KDC1
          7. Send AS-REQ with PREAUTH to KDC1
          8. Send AS-REQ with PREAUTH to KDC2
             KDC2 replies: AS-REP

        Here, request #5-#7 is a waste of time.

        Suggestion: maintaining a list of KDCs with the initial order according to config. When any of them is not accessible at run time, move it to the last place.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-2184130 krb5 should not try to access unavailable kdc too often

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-6976536 Solaris JREs do not have the krb5.kdc.bad.policy configured by default.

            • P3 - Major loss of function.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-2197175 Solaris JREs do not have the krb5.kdc.bad.policy configured by default.

            • P3 - Major loss of function.
            • Closed

            Activity

              People

                weijun Weijun Wang
                weijun Weijun Wang
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:
                  Imported:
                  Indexed: