Description of problem: Using the sasl2-sample-client and sasl2-sample-server with GSSAPI results in very occasional authentication failures for no apparent reason. Running the client in a loop will fail after some time, but after failure an immediate retry succeeds (and so the ticket is clearly still valid). Version-Release number of selected component (if applicable): cyrus-sasl-gssapi-2.1.22-5.el5 krb5-libs-1.6.1-36.el5 krb5-server-1.6.1-36.el5 How reproducible: Occasionally Steps to Reproduce: 1. start sasl2-sample-server with GSSAPI 2. run sasl2-sampl-client with GSSAPI in a loop (pipe in appropriate auth id) Actual results: Get occasional unexplained authentication failures (after which successful authentication is immediately observed without any further kinit). Expected results: Should not fail authentication unless ticket expires. Additional info: The issue was originally noticed with qpid (M component of MRG), where occasionally GSSAPI authentication failed without any reason (it passed successfully immediately before and after the failure case, so ticket was valid) - see bug 598948. This was worked around by not explicitly supplying the authorisation id and allowing that to be inferred.
Any thoughts or progress on this yet?
I'm not able to reproduce this issue. My script's running almost 12 hour in loop without any failure. Are you able to reproduce it? Can you provide sasl2-sample-server and klist output when authentication failures? Is it possible that something refreshes ticket after fail?
I certainly was able to reproduce it quite easily (though it could take some time for the error to appear). At present I don't have an equivalent test environment set up so it will take some time to have another try. I don't believe anything could have refreshed the ticket (I did look at klist output at the time and saw nothing unexpected there).
*** Bug 598948 has been marked as a duplicate of this bug. ***
I am sorry, but it is now too late in the RHEL-5 release cycle. RHEL-5.10 (the next RHEL-5 minor release) is going to be the first production phase 2 [1] release of RHEL-5. Since phase 2 we'll be addressing only security and critical issues. [1] https://access.redhat.com/support/policy/updates/errata/