[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Adam Conrad
adconrad at 0c3.net
Thu May 11 21:20:07 UTC 2017
Hello Jochen, or anyone else affected,
Accepted krb5 into zesty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/krb5/1.15-1ubuntu0.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: krb5 (Ubuntu Zesty)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1683237
Title:
krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Status in krb5 package in Ubuntu:
Fix Released
Status in krb5 source package in Zesty:
Fix Committed
Status in krb5 package in Debian:
Fix Released
Bug description:
This is fixed in krb5 1.15-2 in artful
Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch
[Impact]
kinit does not respect udp_preference_limit and always uses TCP to
talk to the KDC when using the DNS SRV records to locate the service
and these records show both udp and tcp entries.
One particular scenario that fails is when OTP (one time password) is
used, as reported.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce on zesty, with all services on one machine for
simplicity (I suggest using LXD):
a) install the packages from zesty (not the proposed ones yet):
$ sudo apt install krb5-kdc krb5-admin-server bind9
When prompted for the realm, choose EXAMPLE.COM
When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
The KDC will fail to start because there is no realm yet, that's not relevant for this bug.
b) Edit /etc/krb5.conf and make the following changes:
- remove the "default_realm" line from the [libdefaults] section
- remove the EXAMPLE.COM realm block from the [realms] section
- add "dns_lookup_realm = true" to the [libdefaults] section
- add "dns_lookup_kdc = true" to the [libdefaults] section
- add "udp_preference_limit = 1" to the [libdefaults] section
c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
d) Create /etc/bind/db.example.com with this content:
$TTL 604800
@ IN SOA example.com. ubuntu.example.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS zesty-bug1683237.example.com.
zesty-bug1683237 IN A 10.0.100.249
_kerberos TXT "EXAMPLE.COM"
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-master._udp SRV 0 0 88 zesty-bug1683237
_kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237
Use the real IP of your test machine/container where I used
"10.0.100.249". You can also choose another hostname if you want, just
be consistent across the board. I chose "zesty-bug1683237".
e) Restart bind
$ sudo service bind9 restart
f) Do a few quick DNS tests:
$ dig +short @10.0.100.249 zesty-bug1683237.example.com
10.0.100.249
$ dig +short @10.0.100.249 -t TXT _kerberos.example.com
"EXAMPLE.COM"
$ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
0 0 88 zesty-bug1683237.example.com.
$ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
0 0 88 zesty-bug1683237.example.com.
g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:
nameserver 10.0.100.249 # USE YOUR IP HERE
search example.com
h) Create the EXAMPLE.COM kerberos realm:
$ sudo krb5_newrealm
When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.
i) Start the kerberos services:
$ sudo service krb5-kdc start
$ sudo service krb5-admin-server start
j) Create a principal and test it:
$ sudo kadmin.local addprinc -pw ubuntu ubuntu
$ kinit ubuntu
Password for ubuntu@EXAMPLE.COM:
$ klist
(...)
05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
(...)
Now we are ready to test the bug.
Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit
should use TCP instead of UDP. Let's check:
$ KRB5_TRACE=/dev/stderr kinit
[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
(...)
Uh oh, it's using UDP!
With the fixed packages, kinit will use TCP, thus honoring the udp_preference_limit setting:
$ KRB5_TRACE=/dev/stderr kinit
[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
(...)
And if udp_preference_limit is removed from /etc/krb5.conf, the
updated packages start with UDP again.
[Regression Potential]
Sites that were inadvertently relying on this bug (having udp_preference_limit set to a low value that was being ignored) will see their clients suddenly switch, correctly, from UDP to TCP when talking to the KDC, and may require firewall changes to allow that exchange.
== Original description ==
Zesty is now affected; please see the Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
Would it be possible to get 1.15.1 (already released upstream) in
zesty/zesty-updates?
Thanks
Jochen
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions
More information about the Ubuntu-sponsors mailing list
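The [Test Case] above decides "fixed" or "not fixed" by eyeballing two KRB5_TRACE lines. The following is an added example, written for this page and not part of the bug report or of MIT krb5, that makes that check mechanical: it reads udp_preference_limit out of krb5.conf text, pulls the request size and the first transport attempted out of a KRB5_TRACE log, and reports whether the transport matches what the setting asks for (TCP first when the message is larger than the limit, UDP first otherwise, default limit 1465 as documented in krb5.conf(5)). The trace line patterns are taken from the kinit output quoted above; the two sample traces and the sample krb5.conf fragment are constructed for the example, and the krb5.conf parser is deliberately minimal (top-level key = value lines in [libdefaults] only, no nested relations).

```python
"""Check a KRB5_TRACE log against the udp_preference_limit rule.

Added example, not code from MIT krb5 or from the bug report. The trace
lines are modeled on the kinit output quoted in the bug; the sample
inputs below are constructed for this example.
"""
import re

# Default from krb5.conf(5) when udp_preference_limit is not set.
DEFAULT_UDP_PREFERENCE_LIMIT = 1465

# libkrb5 trace lines start with "[pid] seconds.micros: "; strip that first.
_PREFIX = r"^\[\d+\]\s+\d+\.\d+:\s+"
_RE_SIZE = re.compile(_PREFIX + r"Sending request \((\d+) bytes\) to (\S+)")
_RE_UDP = re.compile(_PREFIX + r"Sending initial UDP request to dgram (\S+)")
_RE_TCP = re.compile(_PREFIX + r"Initiating TCP connection to stream (\S+)")

# Constructed sample trace, modeled on the unfixed 1.15-1 output in the bug.
BUGGY_TRACE = """\
[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
"""

# Constructed sample trace, modeled on the fixed output in the bug.
FIXED_TRACE = """\
[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
"""

# Constructed [libdefaults] fragment matching step b) of the test case.
SAMPLE_CONF = """\
[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    udp_preference_limit = 1   # force TCP for anything bigger than 1 byte
"""


def read_udp_preference_limit(conf_text: str) -> int:
    """Return udp_preference_limit from [libdefaults], or the documented default.

    Minimal parser: section headers and top-level "key = value" lines only.
    """
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "udp_preference_limit":
                return int(value)
    return DEFAULT_UDP_PREFERENCE_LIMIT


def expected_transport(request_len: int, udp_preference_limit: int) -> str:
    """Transport libkrb5 should try first for a request of this size."""
    return "tcp" if request_len > udp_preference_limit else "udp"


def parse_trace(trace: str) -> dict:
    """Extract request size, realm, KDC address and first transport attempted."""
    info = {"request_len": None, "realm": None, "first_transport": None, "kdc": None}
    for line in trace.splitlines():
        m = _RE_SIZE.match(line)
        if m and info["request_len"] is None:
            info["request_len"], info["realm"] = int(m.group(1)), m.group(2)
            continue
        if info["first_transport"] is not None:
            continue
        m = _RE_UDP.match(line)
        if m:
            info["first_transport"], info["kdc"] = "udp", m.group(1)
            continue
        m = _RE_TCP.match(line)
        if m:
            info["first_transport"], info["kdc"] = "tcp", m.group(1)
    return info


def honors_limit(trace: str, udp_preference_limit: int) -> bool:
    """True if the first transport in the trace is the one the limit calls for."""
    info = parse_trace(trace)
    if info["request_len"] is None or info["first_transport"] is None:
        raise ValueError("trace lacks a request size or a transport line")
    return info["first_transport"] == expected_transport(info["request_len"], udp_preference_limit)


if __name__ == "__main__":
    limit = read_udp_preference_limit(SAMPLE_CONF)
    for name, trace in (("unfixed", BUGGY_TRACE), ("fixed", FIXED_TRACE)):
        print(name, parse_trace(trace)["first_transport"], "ok" if honors_limit(trace, limit) else "VIOLATES limit")
```

To use it against a real run, capture `KRB5_TRACE=/dev/stderr kinit 2>trace.log` and feed the file contents to honors_limit() together with read_udp_preference_limit() applied to /etc/krb5.conf. Note that the check is only meaningful when the realm is located via SRV records, since that is the code path the bug affects; with a static kdc = entry in [realms] both versions honor the limit.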