[jaltman - Thu Jan 18 06:47:52 2007]:

> The SOCK_STREAM parameter to krb5int_locate_server does not
> determine what type of connection is used to connect the kpasswd
> service. The SOCK_STREAM parameter is specified so that the lookup
> of the DNS SRV record for the kadmin service will be performed
> using '_tcp' as the kadmin service is a TCP only service.
>
> Changing SOCK_STREAM to 'sockType' will cause the DNS SRV query to
> use '_udp' which should always fail.
>
> This parameter is not used when searching the krb5.conf file.

Well, it is used. Here is how it is called:

    changepw.c:krb5_locate_kpasswd
    => locate_kdc.c:krb5int_locate_server(..., socktype stream, ...)
    => locate_kdc.c:prof_locate_server(..., socktype stream, ...)
    => locate_kdc.c:krb5_locate_srv_conf_1(..., socktype stream, ...)
    => locate_kdc.c:[krb5int_]add_host_to_list(..., socktype stream, ...)
       { hint.ai_socktype = socktype; }

I can say: When I specify only kdc and admin_server in krb5.conf (no DNS), this code tries to open a TCP connection to the kpasswd service port 464. But kadmind does not open such a port. It has only a UDP port open.
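How the `ai_socktype` hint at the end of the call chain above restricts what `getaddrinfo()` returns, as an added example that is not part of the original ticket or of the MIT krb5 source. The helper `count_entries` and the numeric address `127.0.0.1` are assumptions made for illustration; port 464 is the kpasswd port named in the comment.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical helper (not krb5 code): resolve host:port with the given
 * socktype hint and count the returned entries whose ai_socktype == want.
 * Returns -1 if getaddrinfo() fails. */
static int count_entries(const char *host, const char *port,
                         int hint_socktype, int want)
{
    struct addrinfo hint, *res, *ai;
    int n = 0;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_socktype = hint_socktype;   /* same field the call chain sets */
    /* Numeric host and port only, so no DNS or services lookup is needed. */
    hint.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;

    if (getaddrinfo(host, port, &hint, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next)
        if (ai->ai_socktype == want)
            n++;
    freeaddrinfo(res);
    return n;
}

int main(void)
{
    const char *host = "127.0.0.1";     /* constructed sample address */
    const char *port = "464";           /* kpasswd port from the ticket */

    /* With a SOCK_STREAM hint the list holds no datagram entries, so a
     * caller walking this list has only TCP addresses to try. */
    printf("hint=STREAM: stream=%d dgram=%d\n",
           count_entries(host, port, SOCK_STREAM, SOCK_STREAM),
           count_entries(host, port, SOCK_STREAM, SOCK_DGRAM));
    printf("hint=DGRAM:  stream=%d dgram=%d\n",
           count_entries(host, port, SOCK_DGRAM, SOCK_STREAM),
           count_entries(host, port, SOCK_DGRAM, SOCK_DGRAM));
    return 0;
}
```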