Message-Id: <45AF8706.7000603@mit.edu>
Date: Thu, 18 Jan 2007 09:41:10 -0500
From: Jeffrey Altman
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf

Public Submitter via RT wrote:
> Btw: If this call with static SOCK_STREAM is correct, why is call
> three lines above
>
> code = krb5int_locate_server (context, realm, addrlist,
> locate_service_kpasswd, sockType, 0);
>
> with sockType correct?

This is correct because kpasswd is a service that exists for both UDP and TCP. kadmind is only TCP. Therefore, when the search occurs, you want to check krb5.conf first and, if there is no matching entry, perform a DNS SRV record search for the service type that you are looking for. For kpasswd you want to search for _kpasswd._udp.REALM or _kpasswd._tcp.REALM depending on the type of connection the caller wants to make. The search for kadmin is there as a backup in case the kpasswd entries were not created. There will only ever be a _kadmin._tcp.REALM record so we must always search for SOCK_STREAM. That is why fixing up the ai records after the lookup is the correct fix.

Since you have verified that ai_socktype is being set to the requested value, I do not understand how src/krb5/lib/krb5/os/sendto_kdc.c setup_connection() and start_connection() can be creating the wrong type of connection. Perhaps you can debug that further.
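
The lookup order described in the message above, as an added example that is not part of the original message and is not MIT krb5 code: a self-contained C model of the SRV search and the socket-type fix-up. The `published` table, `lookup()` and `locate_kpasswd()` are hypothetical stand-ins, EXAMPLE.COM is a constructed realm, and the krb5.conf check is left out.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* SOCK_STREAM, SOCK_DGRAM */

/* Constructed stand-in for the SRV records a realm publishes: only the
   kadmin record exists, so the kpasswd search has to fall back. */
static const char *published[] = { "_kadmin._tcp.EXAMPLE.COM" };

struct result { int found; int ai_socktype; char queried[2][64]; int nqueries; };

/* Build the SRV owner name for a service and socket type. */
static void srv_name(char *buf, size_t n, const char *svc, int socktype, const char *realm)
{
    snprintf(buf, n, "_%s._%s.%s", svc, socktype == SOCK_STREAM ? "tcp" : "udp", realm);
}

/* Hypothetical lookup: records the name queried, succeeds if it is published. */
static int lookup(struct result *r, const char *svc, int socktype, const char *realm)
{
    char *name = r->queried[r->nqueries++];
    srv_name(name, sizeof r->queried[0], svc, socktype, realm);
    for (size_t i = 0; i < sizeof published / sizeof published[0]; i++)
        if (strcmp(published[i], name) == 0) { r->ai_socktype = socktype; return 1; }
    return 0;
}

/* kpasswd is searched with the caller's socket type; kadmin exists only
   over TCP, so the backup search is always SOCK_STREAM. */
struct result locate_kpasswd(const char *realm, int sockType)
{
    struct result r = {0};
    r.found = lookup(&r, "kpasswd", sockType, realm);
    if (!r.found) {
        r.found = lookup(&r, "kadmin", SOCK_STREAM, realm);
        if (r.found)
            r.ai_socktype = sockType;   /* fix up the record after the lookup */
    }
    return r;
}

int main(void)
{
    struct result r = locate_kpasswd("EXAMPLE.COM", SOCK_DGRAM);
    for (int i = 0; i < r.nqueries; i++) printf("queried %s\n", r.queried[i]);
    printf("found=%d udp=%d\n", r.found, r.ai_socktype == SOCK_DGRAM);
    return 0;
}
```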