A few weeks ago I contributed fixes for a couple of locking-related bugs in the MIT Kerberos KDC. There are three cases where these bugs can result in neither kadmind nor kadmin.local, nor any kadm5srv API consumer being able to write to the KDB, two of which affect the master KDC:
1) Any races between krb5kdc and kdb5_util load. This affects slave KDCs since 1.5 (loads happen as part of kprop).

2) Any races between krb5kdc and kadmind or kadmin.local addpol/modpol/delpol commands. This affects master KDCs since 1.5.

3) Any races between multi-process krb5kdc and account lockout checking. This affects master and slave KDCs since, IIRC, 1.10.

None of these affect the KDC with the LDAP backend.

(3) is particularly painful. To work around this, either disable account lockout policies or disable multi-process KDCs. To work around (2), just restart krb5kdc around such operations. To work around (1), just restart the KDC on slaves as needed (or after each full prop).

Nico

--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
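A wrapper for the "restart krb5kdc around such operations" workaround for cases (1) and (2), added here as an example and not taken from the post or from MIT Kerberos: it stops the KDC, runs one KDB-writing command, and restarts the KDC even if the command fails, with a lock so two maintenance runs cannot themselves race. It assumes a systemd unit named krb5kdc (override KDC_STOP/KDC_START for other init systems) and a lock path of my own choosing.

```shell
#!/bin/sh
# Run one KDB-writing operation (kdb5_util load, kadmin.local addpol/modpol/delpol)
# with krb5kdc stopped for its duration, then bring the KDC back up.
# KDC_STOP/KDC_START default to systemd; LOCK_DIR is an assumed path.

with_kdc_stopped() {
    lock="${LOCK_DIR:-/run/lock/kdb-maint.lock}"
    # mkdir is atomic, so concurrent maintenance runs cannot overlap.
    if ! mkdir "$lock" 2>/dev/null; then
        echo "another KDB maintenance operation is in progress" >&2
        return 75   # EX_TEMPFAIL: caller may retry later
    fi
    if ! ${KDC_STOP:-systemctl stop krb5kdc}; then
        echo "could not stop krb5kdc; not touching the KDB" >&2
        rmdir "$lock"
        return 1
    fi
    rc=0
    "$@" || rc=$?            # the actual KDB write, run with the KDC down
    # Restart unconditionally so a failed load/addpol never leaves the KDC off.
    ${KDC_START:-systemctl start krb5kdc} || rc=1
    rmdir "$lock"
    return $rc
}

# Example calls (only when run directly, not when sourced for tests):
if [ "${1:-}" = "--demo" ]; then
    # Case (2): policy change on the master without racing the KDC.
    with_kdc_stopped kadmin.local -q "addpol -maxfailure 5 -failurecountinterval 600 lockout"
    # Case (1): manual full load on a slave.
    with_kdc_stopped kdb5_util load /var/lib/krb5kdc/from_master
fi
```

The exit status is that of the wrapped command, or 75 when another run already holds the lock, so it can be used from a kprop cron job or hook script.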
