[27012] in CVS-changelog-for-Kerberos-V5
krb5 commit: Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Sep 12 15:03:34 2012
Date: Wed, 12 Sep 2012 15:03:29 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201209121903.q8CJ3ToV014387@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/9e182bcee06362de1dd0aa6a6bc71929c7543600
commit 9e182bcee06362de1dd0aa6a6bc71929c7543600
Author: Nicolas Williams <nico@cryptonector.com>
Date: Tue Sep 11 21:32:28 2012 -0500
Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fallback onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
ticket: 7358 (new)
src/kdc/do_as_req.c | 4 ++++
src/kdc/do_tgs_req.c | 4 ++++
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 363d3ab..81db767 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -539,6 +539,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
errcode = krb5_db_get_principal(kdc_context, state->request->client,
state->c_flags, &state->client);
+ if (errcode == KRB5_KDB_CANTLOCK_DB)
+ errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "CLIENT_NOT_FOUND";
if (vague_errors)
@@ -570,6 +572,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
}
errcode = krb5_db_get_principal(kdc_context, state->request->server,
s_flags, &state->server);
+ if (errcode == KRB5_KDB_CANTLOCK_DB)
+ errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "SERVER_NOT_FOUND";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 56d9869..e9cb421 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -215,6 +215,8 @@ ref_tgt_again:
errcode = krb5_db_get_principal(kdc_context, request->server,
s_flags, &server);
+ if (errcode == KRB5_KDB_CANTLOCK_DB)
+ errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode && errcode != KRB5_KDB_NOENTRY) {
status = "LOOKING_UP_SERVER";
goto cleanup;
@@ -1078,6 +1080,8 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr)
krb5_princ_set_realm(kdc_context, *pl2,
krb5_princ_realm(kdc_context, tgs_server));
retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server);
+ if (retval == KRB5_KDB_CANTLOCK_DB)
+ retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
krb5_princ_set_realm(kdc_context, *pl2, &tmp);
if (retval == KRB5_KDB_NOENTRY)
continue;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
