This problem is broader than slave KDCs; it can potentially affect any write operation on a KDC with sufficiently many (more than a few hundred) principals, causing database corruption or denial of service. Altering the test case to create one principal per invocation of kadmin.local shows that the spin condition depends on database contents rather than process memory history.
It also manifests during krb5_db_get_principal(), not just krb5_db_put_principal(), as shown in the below stack trace. Note the krb5_db_get_principal() call in the stack trace is the one that is meant to verify the master key.
Altered test case showing the spin condition on a fresh kadmin.local invocation:
kdb5_util -W -r T create -s
awk 'BEGIN { for (i = 0; i < 1024; i++) { printf("%06d\n", i) } }' /dev/null | (set -e; while read p; do kadmin.local -r T -q "ank -randkey $p"; done)
I still recommend preferring the test case I gave in comment #1 because it executes more quickly.
kadmin.local stack trace:
(gdb) bt
#0 0x00007f3fa70dbcbc in ?? ()
from /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/db2.so
#1 0x00007f3fa70d90bc in ?? ()
from /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/db2.so
#2 0x00007f3fa70d7bc9 in ?? ()
from /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/db2.so
#3 0x00007f3fa70d0ab6 in ?? ()
from /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/db2.so
#4 0x00007f3fa70d1bf4 in ?? ()
from /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/db2.so
#5 0x00007f3fa79d0047 in krb5_db_get_principal ()
from /usr/lib/x86_64-linux-gnu/libkdb5.so.7
#6 0x00007f3fa79d365b in ?? () from /usr/lib/x86_64-linux-gnu/libkdb5.so.7
#7 0x00007f3fa79d02c0 in krb5_db_fetch_mkey_list ()
from /usr/lib/x86_64-linux-gnu/libkdb5.so.7
#8 0x00007f3fa9140f78 in kdb_init_master ()
from /usr/lib/x86_64-linux-gnu/libkadm5srv_mit.so.9
#9 0x00007f3fa9141e90 in kadm5_init ()
from /usr/lib/x86_64-linux-gnu/libkadm5srv_mit.so.9
#10 0x0000000000404659 in ?? ()
#11 0x0000000000402bbc in ?? ()
#12 0x00007f3fa8263ec5 in __libc_start_main (main=0x402b70, argc=5,
argv=0x7fff76716738, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fff76716728) at libc-start.c:287
#13 0x0000000000402c96 in ?? ()