Windows: handle KRB5KRB_AP_ERR_REPEAT errors
authorJeffrey Altman <jaltman@your-file-system.com>
Thu, 7 Jun 2012 13:27:00 +0000 (09:27 -0400)
committerStephan Wiesand <stephan.wiesand@desy.de>
Fri, 21 Dec 2012 17:55:31 +0000 (09:55 -0800)
This patchset adds logic to handle a KRB5KRB_AP_ERR_REPEAT error
sent by a KDC for the Windows aklog and the afskfw library.  The
KRB5KRB_AP_ERR_REPEAT is sent when the KDC detects a replay.
However, the KDC replay detection is known to generate many false
positives.  If KRB5KRB_AP_ERR_REPEAT is received, wait one second
and retry the request.

This patchset does not apply to 'master' due to Kerberos
Compatibility SDK conversion.

Reviewed-on: http://gerrit.openafs.org/8772
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(cherry picked from commit c23664aff7a78010ba462317087e84f7ae3c8518)

Change-Id: I806a3ede5f0fa6794f3ccaf8f2d514b0c8443ec1
Reviewed-on: http://gerrit.openafs.org/8775
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Paul Smeddle <paul.smeddle@gmail.com>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
src/WINNT/afsd/afskfw.c
src/WINNT/aklog/aklog.c

index 00f72f294df4ecdf4d2bfd3fc6221c1dc972d057..11388b92998f5a89ee92cf08478655c898adf350 100644 (file)
@@ -2170,15 +2170,20 @@ KFW_kinit( krb5_context alt_ctx,
         }
     }
 
-    code = pkrb5_get_init_creds_password(ctx,
-                                       &my_creds,
-                                       me,
-                                       password, // password
-                                       KRB5_prompter, // prompter
-                                       hParent, // prompter data
-                                       0, // start time
-                                       0, // service name
-                                       &options);
+    do {
+        code = pkrb5_get_init_creds_password(ctx,
+                                              &my_creds,
+                                              me,
+                                              password, // password
+                                              KRB5_prompter, // prompter
+                                              hParent, // prompter data
+                                              0, // start time
+                                              0, // service name
+                                              &options);
+        if (code == KRB5KRB_AP_ERR_REPEAT)
+            Sleep(1000);
+    } while(code == KRB5KRB_AP_ERR_REPEAT);
+
     if (code)
        goto cleanup;
 
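Review bot: The retry loop around `pkrb5_get_init_creds_password` has no upper bound, so a KDC that keeps answering KRB5KRB_AP_ERR_REPEAT leaves KFW_kinit sleeping and retrying forever. Kerberos error replies are generally not integrity-protected, so a misbehaving or spoofed responder could presumably hold the client in this loop indefinitely. Cap the attempts by declaring `int retries = 0;` and ending the loop with `} while (code == KRB5KRB_AP_ERR_REPEAT && ++retries < 5);` (5 is an illustrative limit), so a persistent error falls through to the existing `if (code) goto cleanup;`. The same unbounded loop is added at every `pkrb5_get_credentials` call in KFW_AFS_klog and at `krb5_get_credentials` in get_v5cred in aklog.c. KFW_kinit's body starts and ends outside this hunk.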
@@ -3036,7 +3041,12 @@ KFW_AFS_klog(
             pkrb5_free_unparsed_name(ctx,sname);
         }
 
-        code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+        do {
+            code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+            if (code == KRB5KRB_AP_ERR_REPEAT)
+                Sleep(1000);
+        } while(code == KRB5KRB_AP_ERR_REPEAT);
+
         if (code == 0) {
             /* The client's realm is a local realm for the cell.
             * Save it so that later the pts registration will not
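Review bot: The same six-line retry loop is pasted five times in KFW_AFS_klog (this hunk and the ones starting at new lines 3086, 3121, 3160 and 3198), so any later change to the retry policy has to be made in five places. A single static helper would keep the policy in one place and let the retry count be bounded or logged once. Each call site then reduces to `code = get_credentials_retry(ctx, cc, &increds, &k5creds);`. The helper name and the retry limit in the sketch below are suggestions, not identifiers that exist in the file. KFW_AFS_klog's body extends outside the hunk.

```c
/* Suggested helper: retry on KRB5KRB_AP_ERR_REPEAT, a bounded number of times. */
static krb5_error_code
get_credentials_retry(krb5_context ctx, krb5_ccache cc,
                      krb5_creds *in, krb5_creds **out)
{
    krb5_error_code code;
    int attempts = 0;

    for (;;) {
        code = pkrb5_get_credentials(ctx, 0, cc, in, out);
        if (code != KRB5KRB_AP_ERR_REPEAT || ++attempts >= 5 /* illustrative limit */)
            return code;
        Sleep(1000);    /* brief pause before asking the KDC again */
    }
}

/* … unchanged: sname unparse/free before the call … */
code = get_credentials_retry(ctx, cc, &increds, &k5creds);
```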
@@ -3076,8 +3086,13 @@ KFW_AFS_klog(
                     pkrb5_free_unparsed_name(ctx,sname);
                 }
 
-                if (!code)
-                    code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                if (!code) {
+                    do {
+                        code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                        if (code == KRB5KRB_AP_ERR_REPEAT)
+                            Sleep(1000);
+                    } while(code == KRB5KRB_AP_ERR_REPEAT);
+                }
 
                 if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
                     code == KRB5_ERR_HOST_REALM_UNKNOWN ||
@@ -3106,8 +3121,13 @@ KFW_AFS_klog(
                         pkrb5_free_unparsed_name(ctx,sname);
                     }
 
-                    if (!code)
-                        code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                    if (!code) {
+                        do {
+                            code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                            if (code == KRB5KRB_AP_ERR_REPEAT)
+                                Sleep(1000);
+                        } while(code == KRB5KRB_AP_ERR_REPEAT);
+                    }
                 }
 
                 if (code == 0) {
@@ -3140,9 +3160,13 @@ KFW_AFS_klog(
                         pkrb5_free_unparsed_name(ctx,sname);
                     }
 
-                    if (!code)
-                        code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
-
+                    if (!code) {
+                        do {
+                            code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                            if (code == KRB5KRB_AP_ERR_REPEAT)
+                                Sleep(1000);
+                        } while(code == KRB5KRB_AP_ERR_REPEAT);
+                    }
                     if (!code && !strlen(realm_of_cell))
                         copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds);
                 }
@@ -3174,8 +3198,14 @@ KFW_AFS_klog(
                         pkrb5_free_unparsed_name(ctx,sname);
                     }
 
-                    if (!code)
-                        code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                    if (!code) {
+                        do {
+                            code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds);
+                            if (code == KRB5KRB_AP_ERR_REPEAT)
+                                Sleep(1000);
+                        } while(code == KRB5KRB_AP_ERR_REPEAT);
+                    }
+
                     if (!code && !strlen(realm_of_cell))
                         copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds);
                 }
index d9b4fc10d5010b0dd50c02b5631a4489b7e3f31e..f1a50311f38ebb8610ed3c9f9d16aa6dbf7bf08a 100644 (file)
@@ -514,7 +514,12 @@ static int get_v5cred(krb5_context context,
        /* Ask for DES since that is what V4 understands */
     increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
 
-    r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
+    do {
+        r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
+        if (r == KRB5KRB_AP_ERR_REPEAT)
+            Sleep(1000);
+    } while(r == KRB5KRB_AP_ERR_REPEAT);
+
     if (r) {
         return((int)r);
     }