Multithreaded krb5

Arran Cudbard-Bell a.cudbardb at
Fri Jan 11 13:25:23 CET 2013

A while back there was some discussion about the current krb5 module in FreeRADIUS being single threaded, and that it may no longer be necessary for it to be single threaded.

It transpires that both MIT and Heimdal libraries are now thread safe, MIT since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 (documentation is fuzzy).

I can't test beyond compiling the code against the Kerberos library, and maybe setting up a test KDC/TGS. But for this to be put into the stable branch it really needs to be tested under load, against a range of Kerberos implementations.

We're looking for volunteers, preferably a mix of deployments using either MIT or Heimdal. The new module should just drop in for any v2.1.x deployment once compiled, as it doesn't use any new core API functions.

Change list:
	* Both - Check that krb5 library was compiled with threading support on startup.
	* Both - Clone context on each request to ensure thread safety.
	* Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
	* Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), Unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before the module returned REJECT for almost everything.
	* Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP)
	* Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
	* MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
	* MIT - Move options configuration so they're done at initialisation only (instead of on every request).
	* MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
	* MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.

For those wanting to test:
git clone git at
cd freeradius-server
git checkout threaded_krb5

Report issues on:, and send feedback to either the list or me directly.
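
An added illustration of the return-code item in the change list above (not part of the original post and not FreeRADIUS code): it shows how MIT library error values decode to RFC 4120 error codes and how those could be sorted into the four categories the post names. The rcode_t names, the function names and the choice of which Kerberos errors fall into each category are assumptions made for this example.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the module return codes named in the change list. */
typedef enum { RC_OK, RC_REJECT, RC_FAIL, RC_NOTFOUND, RC_USERLOCK } rcode_t;

/* MIT libkrb5 returns protocol errors as com_err values:
 * krb5 error-table base + RFC 4120 error code. */
#define KRB5_TABLE_BASE (-1765328384LL)

/* RFC 4120 error codes relevant to password validation. */
enum {
    KDC_ERR_C_PRINCIPAL_UNKNOWN = 6,   /* client not found in the KDC database */
    KDC_ERR_CLIENT_REVOKED      = 18,  /* client's credentials have been revoked */
    KDC_ERR_KEY_EXPIRED         = 23,  /* password has expired */
    KDC_ERR_PREAUTH_FAILED      = 24,  /* pre-authentication failed (wrong password) */
    KRB_AP_ERR_BAD_INTEGRITY    = 31   /* integrity check failed (wrong password) */
};

/* Recover the protocol error code from a library error value; -1 if the
 * value lies outside the first 128 table entries (the protocol errors). */
long krb5_protocol_code(long long err)
{
    long long code = err - KRB5_TABLE_BASE;
    return (code >= 0 && code < 128) ? (long)code : -1;
}

/* Assumed classification, following the categories in the change list. */
rcode_t krb5_error_to_rcode(long long err)
{
    if (err == 0) return RC_OK;
    switch (krb5_protocol_code(err)) {
    case KDC_ERR_C_PRINCIPAL_UNKNOWN: return RC_NOTFOUND;
    case KDC_ERR_CLIENT_REVOKED:
    case KDC_ERR_KEY_EXPIRED:         return RC_USERLOCK;
    case KDC_ERR_PREAUTH_FAILED:
    case KRB_AP_ERR_BAD_INTEGRITY:    return RC_REJECT;
    default:                          return RC_FAIL;  /* anything else: FAIL */
    }
}

int main(void)
{
    /* Constructed sample values: table base + protocol code. */
    long long samples[] = { -1765328378LL, -1765328366LL, -1765328361LL, -1765328353LL, -1765328377LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%lld -> code %ld -> rcode %d\n", samples[i],
               krb5_protocol_code(samples[i]), (int)krb5_error_to_rcode(samples[i]));
    return 0;
}
```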

