
Re: slapd crash

Kerberos library thread safety:

This is a really annoying problem. The Cyrus SASL library works around
Kerberos 4 libraries (by mutexing all accesses into them) because it's
expected that Kerberos 4 libraries aren't thread safe.

Kerberos 5 libraries are more complicated. At CMU we use the Heimdal
libraries (compiled with -D_REENTRANT) in threaded programs and have
had reasonably good luck with them, especially on the server side. (On
the client side the Heimdal implementation uses non-thread safe
resolver libraries; we've submitted a patch to them to deal with

Heimdal probably uses file locks for some things, and these will
obviously break in threaded applications. In practice, since replay
caches aren't used, I can't think of something that needs read/write
access in the server, so we're probably ok there. (On the client side,
a new ticket might have to be written to the ticket cache.)

It's my impression that the MIT implementation is slightly behind the
Heimdal implementation here, but since I've never gotten a good answer
on what to avoid or what to look at in the MIT code I really don't
have any good clues.

Since we've had good luck with the Heimdal libraries, the Cyrus
libsasl implementation does NOT mutex krb5 library calls. If someone
knows that the MIT library can't even be used in a server context, we
can add mutexes when configure detects the MIT library. (If anyone is
knowledgeable about this, please send mail to cyrus-bugs.)


   The exact crash that I saw was caused by the errno struct changing
   between threaded and non-threaded applications. According to the
   people working on the MIT Kerberos library, the library is not
   thread safe, as it uses static variables that are shared across
   contexts, and it does file locking which is done on a per-process
   basis, and they do not make sure that all the C library calls that
   they make are thread safe. Compiling the library with
   _REENTERANT[1] is not a fix supplied by the MIT folks; it is one of
   the changes that will need to be made as the library becomes thread
   safe on the Solaris platform. (The define controls the contents of
   certain header files.) I am positive that this does not fix all the
   threading issues; it just fixes the "obvious" one. This is more a
   documentation issue than anything else, and if you want I can
   contribute back what I learn on my search for a thread-safe version
   of a Kerberos library :-)

   Thanks
   Glenn

   [1] The exact spelling of this flag is questionable when I am away
   from my notes.

   -----Original Message-----
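
The workaround discussed in this message, serializing every call into a library that keeps shared static state, can be sketched as follows. This is an added example, not code from Cyrus SASL or either Kerberos implementation; `legacy_principal`, `safe_principal` and the sample names are hypothetical stand-ins constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a non-reentrant library call (not a real Kerberos
 * API): the result lives in one static buffer shared by every caller. */
static const char *legacy_principal(const char *user, const char *realm)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "%s@%s", user, realm);
    return buf;
}

/* One process-wide lock serializes every entry into the library. */
static pthread_mutex_t legacy_lock = PTHREAD_MUTEX_INITIALIZER;

/* Wrapper: copy the result into caller-owned storage before unlocking, so no
 * pointer into the static buffer escapes. Returns 0, or -1 if out is too small. */
static int safe_principal(const char *user, const char *realm, char *out, size_t len)
{
    int rc = -1;
    pthread_mutex_lock(&legacy_lock);
    const char *r = legacy_principal(user, realm);
    if (strlen(r) < len) { strcpy(out, r); rc = 0; }
    pthread_mutex_unlock(&legacy_lock);
    return rc;
}

struct job { const char *user, *expect; int bad; };
static void *worker(void *arg)
{
    struct job *j = arg;
    char name[128];
    for (int i = 0; i < 20000; i++)
        j->bad += safe_principal(j->user, "EXAMPLE.ORG", name, sizeof name) != 0
                  || strcmp(name, j->expect) != 0;
    return NULL;
}

/* Two threads hammer the wrapper; returns the count of corrupted results. */
static int run_demo(void)
{
    struct job j[2] = { { "alice", "alice@EXAMPLE.ORG", 0 },
                        { "bob", "bob@EXAMPLE.ORG", 0 } };
    pthread_t t[2]; int n = 0;
    while (n < 2 && pthread_create(&t[n], NULL, worker, &j[n]) == 0) n++;
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return n == 2 ? j[0].bad + j[1].bad : -1;
}
```

A lock of this kind only protects callers that go through the wrapper, and it does nothing for the per-process file locking mentioned in the quoted message.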