[2806] in Kerberos
Re: [tad1@cornell.edu (Tom Dimock): Kerberos and/or Jeff Schiller]
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Sep 10 16:51:38 1993
Date: Fri, 10 Sep 93 16:34:15 EDT
From: tytso@Athena.MIT.EDU (Theodore Ts'o)
To: tytso@Athena.MIT.EDU
Cc: tad1@cornell.edu, tjm@Athena.MIT.EDU
Cc: kerberos@Athena.MIT.EDU, jdaly@Athena.MIT.EDU
In-Reply-To: Theodore Ts'o's message of Thu, 9 Sep 93 14:06:27 EDT,
Date: Wed, 8 Sep 1993 15:51:25 -0400
To: tjm@EAGLE.MIT.EDU
From: tad1@cornell.edu (Tom Dimock)
We've been getting stories back from other potential Mandarin sites that
they can't use Kerberos because it is limited to <= 32000 principals and
they have more than that many students. Is this really a limit? If you
don't know the answer offhand, could you give me an E-mail address for
Schiller or someone else who can give me an authoritative answer?
Thanks!
I've been racking my brains, trying to figure out where this story could
have started from (since it's not true), and since this story keeps
coming up again and again and again. Finally, I think I've figured out
where it's coming from.
The answer is that under DecAthena(tm), you can only have 32,000
accounts. But this limitation has nothing to do with Kerberos, but with
the allowable range of user uid's that can be used under Ultrix.
There's actually a rather stupid bug associated with this limitation ---
for some strange reason, if you call setuid(x) where x > 32,000, setuid
will return EINVAL. Silly, eh? Why 32,000, and not 32,767? My
personal suspicion is that some DEC architect specified that setuid
should return EINVAL if it was greater than 32k, and the programmer who
actually implemented the said specifications took "32k" to mean
"thirty-two thousand, base 10".
This can actually cause a security hole, if your xlogin program doesn't
check the return value of setuid() --- after all, on most systems
setuid() will never return an error if you're running as root. This is
because after setuid(32001) returns with an error, the uid of the
process is still 0 (root). If xlogin doesn't notice the error, the user
who logs in as uid 32001 actually gets logged in as root!
So the limitation of 32,000 accounts under DecAthena is an Ultrix
limitation, based on the uid space --- NOT a limitation based on the
Kerberos database size. As I have already explained to Tom, any
limitation to the number of users which a KDC can handle is dependent on
what sort of database you use to support the Kerberos database. The
implementation which we distribute from MIT uses the standard Unix dbm
interface. Perhaps some Unix vendor's DBM is so broken that it can only
support 32,000 entries, or some other upper limit. However, there are
several good implementations of the DBM interface which you could use if
you did run into such difficulties.
Anyway, I hope this sets the record straight; Barry, perhaps you could
add this to the Kerberos FAQ?
- Ted
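The root-login failure Ted describes above, as an added illustration that is not part of the original thread and is not DecAthena, Ultrix or xlogin code: a small model of a setuid() that rejects uids above 32,000 with EINVAL (the cutoff quoted in the message) is used to compare a login routine that ignores the return value with one that fails closed and re-verifies its identity. The names `model_setuid`, `login_unchecked`, `login_checked` and `drop_privileges` are invented for this example; `drop_privileges` applies the same discipline to the real setuid(2).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Constructed model of the Ultrix behaviour described in the message:
 * setuid() on a uid above 32000 fails with EINVAL and leaves the caller's
 * uid untouched. The "process" is a struct so the two login patterns can be
 * compared without running as root. This is not Ultrix source.
 */
#define MODEL_MAX_UID 32000u

struct model_proc { uid_t uid; };

static int model_setuid(struct model_proc *p, uid_t target)
{
    if (target > MODEL_MAX_UID) {
        errno = EINVAL;
        return -1;                      /* uid unchanged: still root */
    }
    p->uid = target;
    return 0;
}

/* Vulnerable pattern: the return value of setuid() is ignored, as the
 * message says an xlogin might do. Returns the uid the session ends up with. */
uid_t login_unchecked(uid_t target)
{
    struct model_proc p = { 0 };        /* the login program starts as root */
    (void)model_setuid(&p, target);     /* failure goes unnoticed */
    return p.uid;                       /* 0 if the call failed: the user is root */
}

/* Fixed pattern: fail closed on error and re-check the identity afterwards.
 * Returns 0 and the new uid on success, -1 if privileges were not dropped. */
int login_checked(uid_t target, uid_t *result)
{
    struct model_proc p = { 0 };
    int rc = model_setuid(&p, target);
    *result = p.uid;
    if (rc != 0)
        return -1;                      /* refuse to start the session */
    if (p.uid != target)
        return -1;                      /* belt and braces: verify, don't trust */
    return 0;
}

/* The same discipline against the real setuid(2): check the return value,
 * then confirm with getuid()/geteuid() that the change actually took effect. */
int drop_privileges(uid_t target)
{
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    uid_t got;
    printf("unchecked login as 32001 ends up as uid %u\n",
           (unsigned)login_unchecked(32001));
    printf("checked login as 32001: rc=%d, uid=%u\n",
           login_checked(32001, &got), (unsigned)got);
    printf("checked login as 31999: rc=%d, uid=%u\n",
           login_checked(31999, &got), (unsigned)got);
    printf("drop_privileges to own uid: rc=%d\n", drop_privileges(getuid()));
    return 0;
}
```

The point of `drop_privileges` is that on most systems setuid() from root "never fails", so code written there tends to skip the check; the Ultrix case shows why both the return value and a follow-up getuid()/geteuid() comparison belong in any privilege-dropping path.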