The Kerberos libraries included in RHEL-4 are not thread-safe. This presents problems for multi-threaded server software that accepts Kerberos authentication. Newer Kerberos versions (1.5 and later) are supposed to be thread-safe. Is it possible to backport any of these changes to make the libraries thread-safe on RHEL-4? I have seen this done on other operating systems where pre-1.5 versions of Kerberos were made thread-safe.
Thread-safety should have been sorted in the 1.4 release, but RHEL 4 included version 1.3.4. A workaround I've seen used is to put a mutex around the gss_accept_security_context() function calls. I can't say what kind of (if any) performance hit this might create. I'm not sure that backporting the proper fixes (threading mutexes through libkrb5 and the gssapi libraries, at least) is really feasible at this point.
Since I'm coding my multi-threaded application against the SASL API, I don't have an option to add a mutex around gss_accept_security_context(). This would need to be done in the SASL GSSAPI plugin. Since the Kerberos libraries are not, and will not, be thread-safe on RHEL-4, is it possible to add a mutex around gss_accept_security_context() in the GSSAPI SASL plugin that we include as a part of the cyrus-sasl-gssapi package? The mutex would only be used if the application that was coded against SASL passes in its own mutex function callbacks by calling sasl_set_mutex(), otherwise it would have no effect.
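The arrangement requested in the comment above, as an added example (not code from cyrus-sasl or from this report): the application registers pthread-backed callbacks, and the plugin serializes the unsafe call only if callbacks were registered. The names `plugin_set_mutex`, `serialized_accept` and `unsafe_accept` are hypothetical; `unsafe_accept` stands in for gss_accept_security_context(), and the callback shapes are assumed to follow the alloc/lock/unlock/free set that sasl_set_mutex() takes.

```c
#include <pthread.h>
#include <stdlib.h>

/* Assumed callback shapes: the alloc/lock/unlock/free set of sasl_set_mutex(). */
typedef void *alloc_fn(void);
typedef int lock_fn(void *);
typedef void free_fn(void *);

/* Application side: pthread-backed callbacks, returning 0 on success. */
static void *pt_alloc(void) {
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
static int pt_lock(void *m) { return pthread_mutex_lock(m) ? -1 : 0; }
static int pt_unlock(void *m) { return pthread_mutex_unlock(m) ? -1 : 0; }
static void pt_free(void *m) { pthread_mutex_destroy(m); free(m); }

/* Plugin side (hypothetical names): no locking unless callbacks were registered. */
static lock_fn *cb_lock, *cb_unlock;
static free_fn *cb_free;   /* kept so the mutex can be released on unload */
static void *accept_mutex;
static void plugin_set_mutex(alloc_fn *a, lock_fn *l, lock_fn *u, free_fn *f) {
    cb_lock = l; cb_unlock = u; cb_free = f;
    accept_mutex = a ? a() : NULL;
}

/* Stand-in for the non-thread-safe call: unsynchronized read-modify-write. */
static volatile long shared_state;
static int unsafe_accept(void) { long v = shared_state; shared_state = v + 1; return 0; }

/* Serialize the call only when the application supplied a mutex. */
static int serialized_accept(void) {
    if (accept_mutex && cb_lock(accept_mutex) != 0) return -1;
    int rc = unsafe_accept();
    if (accept_mutex && cb_unlock(accept_mutex) != 0) return -1;
    return rc;
}

static void *worker(void *arg) {
    for (long i = 0; i < *(long *)arg; i++) serialized_accept();
    return NULL;
}
/* Run 1..16 worker threads; returns the number of accepts recorded, or -1. */
long run_workers(int nthreads, long iters) {
    pthread_t t[16];
    if (nthreads < 1 || nthreads > 16) return -1;
    shared_state = 0;
    for (int i = 0; i < nthreads; i++) pthread_create(&t[i], NULL, worker, &iters);
    for (int i = 0; i < nthreads; i++) pthread_join(t[i], NULL);
    return shared_state;
}
```

Without a call to `plugin_set_mutex`, `serialized_accept` takes no lock and the count returned by `run_workers` can fall short under contention, which is the "no effect" case the comment describes.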
Yes, I think that's doable. It looks like that was done in 2.1.20, while RHEL 4 has 2.1.19 and RHEL 5 has 2.1.22. The patch looks pretty well-isolated. Moving to cyrus-sasl and proposing for 4.6 as an exception.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0795.html