[PATCH] heimdal - avoid an endless loop when KDC replies KRB5KDC_ERR_SVC_UNAVAILABLE

Alexander Bokovoy ab at samba.org
Mon Jun 15 14:31:33 MDT 2015

On Mon, Jun 15, 2015 at 11:07:02PM +0300, Uri Simchoni wrote:
> This is a fix to heimdal code.
> We've seen that if samba is making a Kerberos request via Heimdal to a
> KDC, and the KDC
> replies with KRB5KDC_ERR_SVC_UNAVAILABLE, then Heimdal enters an endless loop.
> This happened in a customer site when sending an AS request for a
> specific user (we still don't know the reason for that) and I also
> encountered it in the lab working against a DC VM that ran on an
> overly-crowded hypervisor, but have not been able so far to reproduce
> it reliably (of course with samba I can just tweak the KDC into
> returning this :)).
> The upstream version of Heimdal, according to my best judgement (but
> not testing), does not have this bug. However the code there is vastly
> different, so I figured an independent fix is in order, and that it
> cannot wait for a future heimdal merge.
One issue I have with this change is that this chunk changes logic:

--- a/source4/heimdal/lib/krb5/send_to_kdc.c
+++ b/source4/heimdal/lib/krb5/send_to_kdc.c
@@ -375,7 +375,7 @@ krb5_sendto (krb5_context context,


-     for (i = 0; i < context->max_retries; ++i) {
+     while (!krb5_krbhst_retry_exceeded(context, handle)) {
         krb5_krbhst_info *hi;

         while (krb5_krbhst_next(context, handle, &hi) == 0) {

Now a failure to send a single element of the history will break out and
leave other potentially not yet delivered history elements and will
never send them as long as this unlucky history element is in queue.

/ Alexander Bokovoy

More information about the samba-technical mailing list