[PATCH] heimdal - avoid an endless loop when KDC replies KRB5KDC_ERR_SVC_UNAVAILABLE

Uri Simchoni urisimchoni at gmail.com
Mon Jun 15 14:07:02 MDT 2015


This is a fix to heimdal code.
We've seen that if samba is making a Kerberos request via Heimdal to a
KDC, and the KDC replies with KRB5KDC_ERR_SVC_UNAVAILABLE, then Heimdal
enters an endless loop.

This happened at a customer site when sending an AS request for a
specific user (we still don't know the reason for that) and I also
encountered it in the lab working against a DC VM that ran on an
overly-crowded hypervisor, but have not been able so far to reproduce
it reliably (of course with samba I can just tweak the KDC into
returning this :)).

The upstream version of Heimdal, according to my best judgement (but
not testing), does not have this bug. However the code there is vastly
different, so I figured an independent fix is in order, and that it
cannot wait for a future heimdal merge.

Thanks,
Uri.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: endless.patch
Type: application/octet-stream
Size: 2532 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150615/21b4d3de/attachment.obj>

