[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
Andreas Hasenack
andreas at canonical.com
Mon May 15 13:05:44 UTC 2017
I updated the test case with step (b.1) which I had forgotten. Here it
goes:
Reproducing the error case with 1.15-1, we can see that UDP is tried first, is ignored, and then TCP is used one second later:
$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status
$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[2848] 1494852873.104617: Getting initial credentials for ubuntu at EXAMPLE.ORG
[2848] 1494852873.105449: Looked up etypes in keytab: aes256-cts, aes128-cts
[2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG
[2848] 1494852873.105684: Resolving hostname 10.0.100.249
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.285214: Response was not from master KDC
[2848] 1494852874.285346: Received error from KDC: -1765328359/Additional pre-authentication required
...
After installing the update, UDP is again tried first but this time kinit receives an immediate answer and the exchange remains on UDP:
$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[10150] 1494853325.393939: Getting initial credentials for ubuntu at EXAMPLE.ORG
[10150] 1494853325.395247: Looked up etypes in keytab: aes256-cts, aes128-cts
[10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG
[10150] 1494853325.395851: Resolving hostname 10.0.100.249
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
[10150] 1494853325.648728: Response was not from master KDC
[10150] 1494853325.648835: Received error from KDC: -1765328359/Additional pre-authentication required
** Tags added: verification-done-zesty
** Tags removed: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1688121
Title:
KDC/kadmind explicit wildcard listener addresses do not use pktinfo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions
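
Added example (not part of the original message and not krb5 project code): a Python check that reads KRB5_TRACE output like the two traces in the message above and reports which transport the answer arrived on, how long after the UDP send, and whether the client opened a TCP fallback. The function and constant names are illustrative; the sample lines are copied from the traces in the message.

```python
import re

# KRB5_TRACE line: "[pid] seconds.microseconds: message"
TRACE_LINE = re.compile(r"^\[\d+\] (\d+)\.(\d{6}): (.*)$")
UDP_SEND = re.compile(r"Sending initial UDP request to dgram \S+$")
TCP_OPEN = re.compile(r"Initiating TCP connection to stream \S+$")
ANSWER = re.compile(r"Received answer \(\d+ bytes\) from (dgram|stream) \S+$")

# Lines copied from the two traces in the message above.
BEFORE_FIX = """\
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
"""
AFTER_FIX = """\
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
"""


def classify_exchange(trace_text):
    """Return (answering transport, microseconds from UDP send to answer,
    whether a TCP fallback was opened) for the first KDC exchange."""
    udp_sent_us = None
    fell_back = False
    for raw in trace_text.splitlines():
        line = TRACE_LINE.match(raw.strip())
        if line is None:
            continue  # shell prompts, "..." and other non-trace lines
        # Integer microseconds avoid float rounding on epoch-sized values.
        now_us = int(line.group(1)) * 1_000_000 + int(line.group(2))
        msg = line.group(3)
        if udp_sent_us is None:
            if UDP_SEND.match(msg):
                udp_sent_us = now_us
            continue
        if TCP_OPEN.match(msg):
            fell_back = True
        answer = ANSWER.match(msg)
        if answer:
            transport = "udp" if answer.group(1) == "dgram" else "tcp"
            return transport, now_us - udp_sent_us, fell_back
    return None, None, fell_back  # no answer seen after the UDP send


if __name__ == "__main__":
    print("1.15-1:", classify_exchange(BEFORE_FIX))
    print("1.15-1ubuntu0.1:", classify_exchange(AFTER_FIX))
```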