[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
Andreas Hasenack
andreas at canonical.com
Fri May 5 18:11:04 UTC 2017
** Description changed:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
- getaddrinfo() called on a wildcard address might return the IPv6 "::1"
- address. On machines without IPv6 support, binding to it will likely
- fail and the kdc/kadmin services won't start.
+
+ [Impact]
+ getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
+
+ The provided patch is applied upstream and in Debian testing.
+
+
+ [Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
- 4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
- 4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
+ 4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
+ 4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
- Password for ubuntu at EXAMPLE.ORG:
+ Password for ubuntu at EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu at EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
- renew until 05/05/2017 14:20:13
+ renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
- tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
- tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
- tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
- udp6 0 0 :::88 :::* 1078/krb5kdc
- udp6 0 0 :::464 :::* 1065/kadmind
- udp6 0 0 :::750 :::* 1078/krb5kdc
+ tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
+ tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
+ tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
+ udp6 0 0 :::88 :::* 1078/krb5kdc
+ udp6 0 0 :::464 :::* 1065/kadmind
+ udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
- $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
+ $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
+
+
+ With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions.
+
+
+ [Regression Potential]
+ We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket.
** Description changed:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
-
[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
The provided patch is applied upstream and in Debian testing.
-
[Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu at EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu at EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
-
- With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions.
-
+ With the updated packages, krb5-kdc and krb5-admin-server will startup
+ just fine in the same conditions.
[Regression Potential]
We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket.
+
+ That being said, I believe single stack systems (only IPv4, or only
+ IPv6) take an extra configuration effort and most systems are dual
+ stack. Zesty certainly is, out of the box.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1688310
Title:
KDC/kadmind may fail to start on IPv4-only systems
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions
More information about the Ubuntu-server-bugs
mailing list