Hi Aaron,

Sorry for the late response to this thread (I'm catching up on backlogged mail).

I'm not sure if you got any volunteers, but we'd be very interested in testing this out (with MIT krb5 at least). Thanks for doing this work.

--Shumon.

On Fri, Jan 11, 2013 at 05:19:42PM +0000, Arran Cudbard-Bell wrote:
> (apologies for those on netman, this should have gone to wireless-lan
> originally)
>
> Hi All,
>
> A while back there was some discussion about the current krb5 module in
> FreeRADIUS being single threaded, and that it may no longer be necessary for
> it to be single threaded.
>
> It transpires that both MIT and Heimdal libraries are now thread safe, MIT
> since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7
> (documentation is fuzzy).
>
> I can't test beyond compiling the code against the kerberos library, and
> maybe setting up a test KDC/TGS. But for this to be put into the stable
> branch it really needs to be tested under load, against a range of kerberos
> implementations.
>
> We're looking for volunteers, preferably a mix of deployments using either MIT
> or Heimdal. The new module should just drop in for any v2.1.x deployment once
> compiled, as it doesn't use any new core API functions.
>
> Change list:
> * Both - Check that krb5 library was compiled with threading support on
>   startup.
> * Both - Clone context on each request to ensure thread safety.
> * Both - Move service principal parsing so it's done at initialisation
>   only (instead of on every request).
> * Both - Improved return codes, will now reflect revoked
>   access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as
>   well as bad password (REJECT), and other errors (FAIL). Before the module
>   returned REJECT for almost everything.
> * Both - Mark module as thread safe, config check safe (will be
>   validated on -C), and hup safe (config will be reloaded on SIGHUP)
> * Both - Switch more messages to use RDEBUG so they'll be printed in
>   conditional debug (useful for production servers with radmin enabled).
> * MIT - Move service principal string to service principal conversion
>   so that it's done at initialisation only (instead of on every request).
> * MIT - Move options configuration so they're done at initialisation
>   only (instead of on every request).
> * MIT - Switch to using krb5_get_init_creds_password and
>   krb5_verify_init_creds to validate TGT instead of old twisty logic.
> * MIT - Cache option removed as krb5_verify_init_creds disables the
>   replay cache on its own.
>
> For those wanting to test:
> git clone [email protected]:arr2036/freeradius-server.git
> cd freeradius-server
> git checkout threaded_krb5
>
> Report issues on: http://bugs.freeradius.org, and send feedback to either the
> list or me directly.
>
> Thanks,
> Arran
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.

-- 
Shumon Huque
University of Pennsylvania.
