Using the environment variable KRB5CCNAME leads to multiple Kerberos authentications failing when used in a multi-threaded environment.

cyrusimap / cyrus-sasl

Other

134 stars 151 forks source link

Using the environment variable KRB5CCNAME leads to multiple Kerberos authentications failing when used in a multi-threaded environment. #833

Closed guohai-Zhang closed 6 months ago

guohai-Zhang commented 6 months ago

I have two sets of Kerberos HDFS clusters, k1 and k2.
One thread writes through k1, and another writes through k2.
use gssapi

Result: Occasionally, failures occur because one thread may incorrectly obtain the KRB5CCNAME.

@elmarco @stef @brong @nacho @rjbs Please provide a solution, thank you

michael-o commented 6 months ago

That is not a bug in Cyrus SASL. This is a functional limitation in MIT Kerberos to properly sync multithreaded access to the FILE store. I have reported this already three years ago: https://marc.info/?l=kerberos&m=161772471327733&w=2.

quanah commented 6 months ago

@michael-o thank you!

Closing this issue, not related to cyrus-sasl

michael-o commented 6 months ago

There might be already a solution in MIT Kerberos in place which I haven't noticed and didn't evaluate since then. I need to give it a try next week.