From: Jeffrey Altman Date: Thu, 7 Jun 2012 13:27:00 +0000 (-0400) Subject: Windows: handle KRB5KRB_AP_ERR_REPEAT errors X-Git-Tag: upstream/1.6.2_pre2^2~11 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=9b63f04eff7fe5b0b963172fa4b5b8e1522c999e;p=packages%2Fo%2Fopenafs.git Windows: handle KRB5KRB_AP_ERR_REPEAT errors This patchset adds logic to handle a KRB5KRB_AP_ERR_REPEAT error sent by a KDC for the Windows aklog and the afskfw library. The KRB5KRB_AP_ERR_REPEAT is sent when the KDC detects a replay. However, the KDC replay detection is known to generate many false positives. If KRB5KRB_AP_ERR_REPEAT is received, wait one second and retry the request. This patchset does not apply to 'master' due to Kerberos Compatibility SDK conversion. Reviewed-on: http://gerrit.openafs.org/8772 Tested-by: BuildBot Reviewed-by: Jeffrey Altman (cherry picked from commit c23664aff7a78010ba462317087e84f7ae3c8518) Change-Id: I806a3ede5f0fa6794f3ccaf8f2d514b0c8443ec1 Reviewed-on: http://gerrit.openafs.org/8775 Tested-by: BuildBot Reviewed-by: Paul Smeddle Reviewed-by: Stephan Wiesand --- diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c index 00f72f294..11388b929 100644 --- a/src/WINNT/afsd/afskfw.c +++ b/src/WINNT/afsd/afskfw.c @@ -2170,15 +2170,20 @@ KFW_kinit( krb5_context alt_ctx, } } - code = pkrb5_get_init_creds_password(ctx, - &my_creds, - me, - password, // password - KRB5_prompter, // prompter - hParent, // prompter data - 0, // start time - 0, // service name - &options); + do { + code = pkrb5_get_init_creds_password(ctx, + &my_creds, + me, + password, // password + KRB5_prompter, // prompter + hParent, // prompter data + 0, // start time + 0, // service name + &options); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + if (code) goto cleanup; 
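Review bot: The `do { … } while(code == KRB5KRB_AP_ERR_REPEAT);` loop added around `pkrb5_get_init_creds_password` in KFW_kinit has no retry limit. A KDC that keeps answering with KRB5KRB_AP_ERR_REPEAT therefore blocks the caller indefinitely in one-second sleeps, and so can anything on the network path able to return that error, since KRB-ERROR replies are normally not integrity-protected. Bound the loop with a counter, for example `} while (code == KRB5KRB_AP_ERR_REPEAT && ++repeat_tries < MAX_REPEAT_TRIES);` (both names are proposed here, not taken from the file), and skip the `Sleep(1000)` after the last attempt so the error reaches `goto cleanup` promptly. The same unbounded loop appears in the five KFW_AFS_klog hunks and in get_v5cred in aklog.c. Because `KRB5_prompter` and `hParent` are passed, each retry may also prompt the user again when `password` is empty; that depends on code outside this hunk, as KFW_kinit's body extends beyond it.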
@@ -3036,7 +3041,12 @@ KFW_AFS_klog( pkrb5_free_unparsed_name(ctx,sname); } - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + do { + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + if (code == 0) { /* The client's realm is a local realm for the cell. * Save it so that later the pts registration will not @@ -3076,8 +3086,13 @@ KFW_AFS_klog( pkrb5_free_unparsed_name(ctx,sname); } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (!code) { + do { + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + } if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || code == KRB5_ERR_HOST_REALM_UNKNOWN || @@ -3106,8 +3121,13 @@ KFW_AFS_klog( pkrb5_free_unparsed_name(ctx,sname); } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (!code) { + do { + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + } } if (code == 0) { @@ -3140,9 +3160,13 @@ KFW_AFS_klog( pkrb5_free_unparsed_name(ctx,sname); } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); - + if (!code) { + do { + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + } if (!code && !strlen(realm_of_cell)) copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); } 
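Review bot: The retry loop added around `pkrb5_get_credentials` in the `@@ -3036,7 +3041,12 @@` hunk of KFW_AFS_klog is pasted verbatim into the four following hunks of the same function, so any later change to the retry policy (delay, attempt limit, logging) has to be made five times. A file-local helper would keep that policy in one place and reduce each call site to one line, `code = KFW_get_credentials_retry(ctx, cc, &increds, &k5creds);`. The helper name, the `KFW_REPEAT_MAX_TRIES` constant and the parameter types below are proposed here and inferred from the call as it appears in the hunk. KFW_AFS_klog itself starts and ends outside these hunks.

```c
/* The KDC's replay detection can report a spurious KRB5KRB_AP_ERR_REPEAT;
 * wait one second and ask again, but give up after a fixed number of tries
 * so a persistent error cannot stall the caller forever. */
static krb5_error_code
KFW_get_credentials_retry(krb5_context ctx, krb5_ccache cc,
                          krb5_creds *increds, krb5_creds **k5creds)
{
    krb5_error_code code;
    int tries = 0;

    for (;;) {
        code = pkrb5_get_credentials(ctx, 0, cc, increds, k5creds);
        if (code != KRB5KRB_AP_ERR_REPEAT || ++tries >= KFW_REPEAT_MAX_TRIES)
            return code;
        Sleep(1000);
    }
}

/* … unchanged: sname / increds setup in KFW_AFS_klog … */
    code = KFW_get_credentials_retry(ctx, cc, &increds, &k5creds);
```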
@@ -3174,8 +3198,14 @@ KFW_AFS_klog( pkrb5_free_unparsed_name(ctx,sname); } - if (!code) - code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (!code) { + do { + code = pkrb5_get_credentials(ctx, 0, cc, &increds, &k5creds); + if (code == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(code == KRB5KRB_AP_ERR_REPEAT); + } + if (!code && !strlen(realm_of_cell)) copy_realm_of_ticket(ctx, realm_of_cell, sizeof(realm_of_cell), k5creds); } diff --git a/src/WINNT/aklog/aklog.c b/src/WINNT/aklog/aklog.c index d9b4fc10d..f1a50311f 100644 --- a/src/WINNT/aklog/aklog.c +++ b/src/WINNT/aklog/aklog.c @@ -514,7 +514,12 @@ static int get_v5cred(krb5_context context, /* Ask for DES since that is what V4 understands */ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds); + do { + r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds); + if (r == KRB5KRB_AP_ERR_REPEAT) + Sleep(1000); + } while(r == KRB5KRB_AP_ERR_REPEAT); + if (r) { return((int)r); }
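Review bot: The retry added to get_v5cred in src/WINNT/aklog/aklog.c carries no comment, so the reason for looping on KRB5KRB_AP_ERR_REPEAT is recorded only in the commit message. A short comment above the `do {` would keep the rationale with the code, for example `/* KDC replay detection yields false positives; wait one second and retry */`. get_v5cred's body continues beyond the hunk.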