diff options
| author | Nicolas Williams <nico@cryptonector.com> | 2012-09-11 21:32:28 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-09-12 14:48:41 -0400 |
| commit | 9e182bcee06362de1dd0aa6a6bc71929c7543600 (patch) | |
| tree | e1e09ef231e529bbf28a3a35761737758b60a8a8 /src | |
| parent | 4ab584c830024757cc628b1783dde6220a9fec6d (diff) | |
| download | krb5-9e182bcee06362de1dd0aa6a6bc71929c7543600.tar.gz krb5-9e182bcee06362de1dd0aa6a6bc71929c7543600.tar.xz krb5-9e182bcee06362de1dd0aa6a6bc71929c7543600.zip | |
Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fallback onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
ticket: 7358 (new)
Diffstat (limited to 'src')
| -rw-r--r-- | src/kdc/do_as_req.c | 4 | ||||
| -rw-r--r-- | src/kdc/do_tgs_req.c | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 363d3ab95f..81db767566 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -539,6 +539,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } errcode = krb5_db_get_principal(kdc_context, state->request->client, state->c_flags, &state->client); + if (errcode == KRB5_KDB_CANTLOCK_DB) + errcode = KRB5KDC_ERR_SVC_UNAVAILABLE; if (errcode == KRB5_KDB_NOENTRY) { state->status = "CLIENT_NOT_FOUND"; if (vague_errors) @@ -570,6 +572,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } errcode = krb5_db_get_principal(kdc_context, state->request->server, s_flags, &state->server); + if (errcode == KRB5_KDB_CANTLOCK_DB) + errcode = KRB5KDC_ERR_SVC_UNAVAILABLE; if (errcode == KRB5_KDB_NOENTRY) { state->status = "SERVER_NOT_FOUND"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 56d9869c16..e9cb4212a7 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -215,6 +215,8 @@ ref_tgt_again: errcode = krb5_db_get_principal(kdc_context, request->server, s_flags, &server); + if (errcode == KRB5_KDB_CANTLOCK_DB) + errcode = KRB5KDC_ERR_SVC_UNAVAILABLE; if (errcode && errcode != KRB5_KDB_NOENTRY) { status = "LOOKING_UP_SERVER"; goto cleanup; @@ -1078,6 +1080,8 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry **server_ptr) krb5_princ_set_realm(kdc_context, *pl2, krb5_princ_realm(kdc_context, tgs_server)); retval = krb5_db_get_principal(kdc_context, *pl2, 0, &server); + if (retval == KRB5_KDB_CANTLOCK_DB) + retval = KRB5KDC_ERR_SVC_UNAVAILABLE; krb5_princ_set_realm(kdc_context, *pl2, &tmp); if (retval == KRB5_KDB_NOENTRY) continue; |