On 09/26/2014 03:28 PM, Prakash Narayanaswamy wrote:
> We're using MIT Kerberos v5-1.10.3. Occasionally we're seeing
> authentication failures. The gss_display_status call on the minor status
> code returned by the gss_accept_sec_context (major status ==
> GSS_S_FAILURE) gives the following error message: /Cannot create replay
> cache file /var/tmp/host_1000: File exists./

Our replay cache implementation is not correct in the face of multiple processes or threads concurrently accessing the same replay cache. Most of the issues do not interfere with server operation (that is, they would only result in replays possibly not being noticed), but there is one specific race which can result in this spurious failure.

We have recently pushed a workaround for this which will go into 1.13:

https://github.com/krb5/krb5/commit/99e08376c14240e2141c6fa9289fafab8245c754

We have longer-term plans to improve the replay cache implementation, hopefully for 1.14:

http://k5wiki.kerberos.org/wiki/Projects/Replay_cache_improvements

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos