Skip Menu |
 

Download (untitled) / with headers
text/plain 7.6KiB
From benson@bldell.bltest.cc Sun Apr 21 21:51:02 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id VAA22520
for <bugs@RT-11.mit.edu>; Sun, 21 Apr 2002 21:51:01 -0400 (EDT)
Received: from bldell.bltest.cc (dsl092-086-013.bos1.dsl.speakeasy.net [66.92.86.13])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id VAA13298
for <krb5-bugs@mit.edu>; Sun, 21 Apr 2002 21:50:59 -0400 (EDT)
Received: (from benson@localhost)
by bldell.bltest.cc (8.11.6/8.11.6) id g3M1oua06678;
Sun, 21 Apr 2002 21:50:56 -0400
Message-Id: <200204220150.g3M1oua06678@bldell.bltest.cc>
Date: Sun, 21 Apr 2002 21:50:56 -0400
From: bmargulies@yahoo.com
Reply-To: bmargulies@yahoo.com
To: krb5-bugs@mit.edu
Subject: request for multi-homed control feature
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 1093
>Category: krb5-kdc
>Synopsis: KDC could use feature to limit listening interfaces
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: raeburn
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sun Apr 21 21:52:00 EDT 2002
>Last-Modified: Tue Apr 23 20:42:01 EDT 2002
>Originator: benson
>Organization:
Myself.
Show quoted text
>Release: krb5-1.2.4
>Environment:
Linux RedHat 7.2.
System: Linux bldell.bltest.cc 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
Architecture: i686

Show quoted text
>Description:

The KDC listens on all available local interfaces.

1) It would be handy to be able to limit the addresses that the KDC
listens on.

2) Microsoft KB entry Q266095 documents a problem with the w2k
kerberos client. If the KDC has two physical interfaces, somehow the
IP address of one interface can end up in the KRB_AS_REP going out
over the other replying. This causes Windows 2000 to fail to log in.

Show quoted text
>How-To-Repeat:

Set up a KDC with two interfaces, and watch the packets
(KRB_AS_REQ/KRB_AS_REP) in flight.

Show quoted text
>Fix:

There are two possible approaches here. First, if the kdc.conf had an
'interfaces' configuration stanza, then instead of foreach_localhost
the kdc could limit itself to the specified interfaces.

Even without that, however, it would be a good thing if the KDC kept
the addresses straight. Just because the KDC is on two networks does
not mean that the clients on each can route to the other.

Show quoted text
>Audit-Trail:

From: Sam Hartman <hartmans@MIT.EDU>
To: bmargulies@yahoo.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/1093: request for multi-homed control feature
Date: Mon, 22 Apr 2002 16:35:59 -0400

We're not aware of situations where the wrong IP address gets sent in
the outgoing packet from the KDC. Can you give more details on a
specific configuration that reproduces this problem? Also, if
interfaces are added to the machine, you probably want to restart the
KDC to avoid potential problems.


From: Benson Margulies <bmargulies@yahoo.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krb5-bugs@mit.edu
Subject: Re: krb5-kdc/1093: request for multi-homed control feature
Date: Mon, 22 Apr 2002 17:52:28 -0700 (PDT)

Here's what I know.

In my test environment, I originally had a single-interface machine
running a KDC and a Windows 2000 pro machine successfully logging in user
with it.

Then, I completely replaced the system running the KDC and recreated the
realm from scratch. The new machine has two ethernet cards with two
addresses.

I haven't been able to get the Windows box to log in a user in the new
environment.

Completely frustrated, I went trolling in the Microsoft KB, and came up
with the entry I sent you, in which MS claims that confusion results from
a multi-homed KDC. My configuration is dumb-as-a-stick. The error I get on
the Windows box, which is admittedly pretty generic, matches the MS report
exactly.


Show quoted text
__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/

From: Benson Margulies <bmargulies@yahoo.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krb5-bugs@mit.edu
Subject: Re: krb5-kdc/1093: request for multi-homed control feature
Date: Mon, 22 Apr 2002 18:58:08 -0700 (PDT)

I just went and set up a KDC slave on a single-interface box, and now W2K
is happy. So, SOMETHING is definitely going amiss in the multi-interface
case.


__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/

Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Apr 23 15:54:03 2002
Responsible-Changed-Why:

I'll take it, part of the multi-homed support is my code.


From: Ken Raeburn <raeburn@MIT.EDU>
To: bmargulies@yahoo.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/1093: KDC could use feature to limit listening interfaces
Date: Tue, 23 Apr 2002 17:25:45 -0400

I've had another request for limiting the set of addresses used, and
am planning to implement that in the future. Regardless, the
multi-homed KDC support should be fixed if it's not working.

>How-To-Repeat:

Set up a KDC with two interfaces, and watch the packets
(KRB_AS_REQ/KRB_AS_REP) in flight.

You didn't say what you're seeing. Packets with the wrong addresses,
or packets not on the interface you expect?

The KDC code should be sending back responses using the same file
descriptor that it got the request on. So the local address for
sending the response should be the same as the request was sent to.
If that's not happening (the problem described in the MS Knowledge
Base), I'd like some tcpdump, strace and lsof output from you
indicating what file descriptors are being used, what socket addresses
they're bound to, etc.

On some (most? all?) systems with multiple interfaces, the local
routing info may cause the packet to go out an interface that has a
different address assigned. If that's not the right address to use to
reach the destination from the KDC address that was chosen by the
client, I'd argue that that's a system configuration bug.

I don't have a Linux system with multiple physical interfaces on
different networks at the moment, but I may be able to try some tests
using tunnels.

Ken

From: Benson Margulies <bmargulies@yahoo.com>
To: Ken Raeburn <raeburn@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/1093: KDC could use feature to limit listening interfaces
Date: Tue, 23 Apr 2002 17:41:49 -0700 (PDT)

I'm not sure that I'm a representative of a multi-homing problem.

It turns out that Microsoft played a prank on me that led me to believe
that using a single-homed KDC made everything all better. In fact, what
was really happening was the Windows was logging in a user using cached
credentials, while failing to talk to the KDC. When I fixed the
communications problem, the login went back to failing. The KDC issues the
ticket, but Windows fails the login anyway. It doesn't log or audit any
clue to what the problem is.

So, perhaps there's a multi-homing problem. MS certainly seems/seemed to
think so. However, there's some other more basic issue in which following
MS's instructions for setting up a W2K standalone workstation to use an
MIT KDC for authentication don't work. Setting up trust relationships
between an MIT KDC and a Windows AD does work.

In general, the MS Kerberos interface has proved, in my experience, to be
a classic example of providing just enough doc to make it look like it
would be possible to use the thing, but not quite enough to be able to
reliably make it work.


__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/
>Unformatted:
Download (untitled) / with headers
text/plain 3.1KiB
From krb5-bugs-incoming-bounces@PCH.mit.edu Tue Jun 15 17:55:35 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id F32463DC73;
Tue, 15 Jun 2010 17:55:34 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5FLtYGE006082;
Tue, 15 Jun 2010 17:55:34 -0400
Received: from mailhub-dmz-1.mit.edu (MAILHUB-DMZ-1.MIT.EDU [18.9.21.41])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5FKa2iR027791
for <krb5-bugs-incoming@PCH.mit.edu>; Tue, 15 Jun 2010 16:36:02 -0400
Received: from dmz-mailsec-scanner-4.mit.edu (DMZ-MAILSEC-SCANNER-4.MIT.EDU
[18.9.25.15])
by mailhub-dmz-1.mit.edu (8.13.8/8.9.2) with ESMTP id o5FKZ5YV032744
for <krb5-bugs@mit.edu>; Tue, 15 Jun 2010 16:36:01 -0400
X-AuditID: 1209190f-b7b20ae000003f85-ac-4c17e430564b
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by dmz-mailsec-scanner-4.mit.edu (Symantec Brightmail Gateway) with
SMTP id 86.3F.16261.134E71C4; Tue, 15 Jun 2010 16:36:01 -0400 (EDT)
Received: from int-mx04.intmail.prod.int.phx2.redhat.com
(int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.17])
by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o5FKa0Rl019854
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Tue, 15 Jun 2010 16:36:00 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.0.23])
by int-mx04.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id o5FKZxHo032224
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Tue, 15 Jun 2010 16:35:59 -0400
Received: from blade.bos.redhat.com (blade.bos.redhat.com [127.0.0.1])
by blade.bos.redhat.com (8.14.4/8.14.3) with ESMTP id o5FKZwtj008355
for <krb5-bugs@mit.edu>; Tue, 15 Jun 2010 16:35:58 -0400
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.4/8.14.4/Submit) id o5FKZwmP008353;
Tue, 15 Jun 2010 16:35:58 -0400
Date: Tue, 15 Jun 2010 16:35:58 -0400
Message-Id: <201006152035.o5FKZwmP008353@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: would like to be able to specify listening address for krb5kdc and
kadmind
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.17
X-Brightmail-Tracker: AAAAAgDGA3EUojIB
X-Mailman-Approved-At: Tue, 15 Jun 2010 17:55:33 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


Show quoted text
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: would like to be able to specify listening address for krb5kdc and kadmind
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: change-request
>Release: 1.8.2
>Environment:

System: Linux blade.bos.redhat.com 2.6.34-20.fc14.x86_64 #1 SMP Wed Jun 2 12:36:51 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

Show quoted text
>Description:
We'd like to be able to specify specific addresses for the KDC
and the kadmind server to bind to, preferably in kdc.conf, so
that they'll only answer queries from clients connecting to them
over specific interfaces.
We have someone interested in solving this issue. Do you think it would
be sufficient to add an inetd option to krb5kdc?

Because we serve over UDP and TCP, and because correctly implementing a
UDP server in the Unix socket interface is more difficult than it should
be, our server network loop is very complicated. Deferring this issue to
inetd would have a small UI footprint and would add a small amount of
additional complexity. Adding specific address configuration would have a
larger UI footprint and a larger increase in complexity, I expect. But
it's something we could still consider.
Date: Thu, 24 May 2012 13:17:21 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
RT-Send-Cc:
On Thu, May 24, 2012 at 12:04:30PM -0400, Greg Hudson via RT wrote:
Show quoted text
> We have someone interested in solving this issue. Do you think it would
> be sufficient to add an inetd option to krb5kdc?
>
> Because we serve over UDP and TCP, and because correctly implementing a
> UDP server in the Unix socket interface is more difficult than it should
> be, our server network loop is very complicated. Deferring this issue to
> inetd would have a small UI footprint and would add a small amount of
> additional complexity. Adding specific address configuration would have a
> larger UI footprint and a larger increase in complexity, I expect. But
> it's something we could still consider.

It sounds like it could. Would such a setup end up firing up a
different KDC (or kadmind) process for each listening address that
received traffic?

Nalin
That would depend on the capabilities of the inetd daemon, but I suspect
that for common inetd implementations it would.
Date: Thu, 24 May 2012 15:15:27 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
RT-Send-Cc:
So long as it wasn't assumed that we started a new process for each
listening socket, I think it'd be close enough.
Date: Fri, 25 May 2012 02:10:43 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:


On Thursday, May 24, 2012, nalin@redhat.com via RT wrote:
Show quoted text
On Thu, May 24, 2012 at 12:04:30PM -0400, Greg Hudson via RT wrote:
> We have someone interested in solving this issue.  Do you think it would
> be sufficient to add an inetd option to krb5kdc?
>
> Because we serve over UDP and TCP, and because correctly implementing a
> UDP server in the Unix socket interface is more difficult than it should
> be, our server network loop is very complicated.  Deferring this issue to
> inetd would have a small UI footprint and would add a small amount of
> additional complexity.  Adding specific address configuration would have a
> larger UI footprint and a larger increase in complexity, I expect.  But
> it's something we could still consider.

It sounds like it could.  Would such a setup end up firing up a
different KDC (or kadmind) process for each listening address that
received traffic?

Yes.  That's how intend works.  Note the each krb5kdc instance could still run a number of worker process larger than one.

Nico
--  
Date: Fri, 25 May 2012 02:10:43 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:


On Thursday, May 24, 2012, nalin@redhat.com via RT wrote:
Show quoted text
On Thu, May 24, 2012 at 12:04:30PM -0400, Greg Hudson via RT wrote:
> We have someone interested in solving this issue.  Do you think it would
> be sufficient to add an inetd option to krb5kdc?
>
> Because we serve over UDP and TCP, and because correctly implementing a
> UDP server in the Unix socket interface is more difficult than it should
> be, our server network loop is very complicated.  Deferring this issue to
> inetd would have a small UI footprint and would add a small amount of
> additional complexity.  Adding specific address configuration would have a
> larger UI footprint and a larger increase in complexity, I expect.  But
> it's something we could still consider.

It sounds like it could.  Would such a setup end up firing up a
different KDC (or kadmind) process for each listening address that
received traffic?

Yes.  That's how intend works.  Note the each krb5kdc instance could still run a number of worker process larger than one.

Nico
--  
Date: Fri, 25 May 2012 02:13:58 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:


On Thursday, May 24, 2012, Greg Hudson via RT wrote:
Show quoted text
That would depend on the capabilities of the inetd daemon, but I suspect
that for common inetd implementations it would.

The way inetd starts wait services is so ingrained into daemons that support inetd that any change to it would have to be optional and would take a long time to be adopted.  Still, if you can find an inetd daemon that can do this then we could make krb5kdc support it.

Nico
-- 
Date: Fri, 25 May 2012 02:13:58 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:


On Thursday, May 24, 2012, Greg Hudson via RT wrote:
Show quoted text
That would depend on the capabilities of the inetd daemon, but I suspect
that for common inetd implementations it would.

The way inetd starts wait services is so ingrained into daemons that support inetd that any change to it would have to be optional and would take a long time to be adopted.  Still, if you can find an inetd daemon that can do this then we could make krb5kdc support it.

Nico
-- 
Date: Fri, 25 May 2012 11:28:55 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: Nico Williams via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
RT-Send-Cc:
On Fri, May 25, 2012 at 03:14:10AM -0400, Nico Williams via RT wrote:
Show quoted text
> The way inetd starts wait services is so ingrained into daemons that
> support inetd that any change to it would have to be optional and would
> take a long time to be adopted. Still, if you can find an inetd daemon
> that can do this then we could make krb5kdc support it.

The one I had in mind was systemd:
http://www.freedesktop.org/software/systemd/man/systemd.socket.html

In newer releases we still start the daemons as regular services, but
being able to have systemd wait to fire them up until clients first
attempt to talk to them could be handy.

Nalin
Date: Sat, 26 May 2012 02:15:45 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:
On Friday, May 25, 2012, nalin@redhat.com via RT wrote:
Show quoted text
On Fri, May 25, 2012 at 03:14:10AM -0400, Nico Williams via RT wrote:
> The way inetd starts wait services is so ingrained into daemons that
> support inetd that any change to it would have to be optional and would
> take a long time to be adopted.  Still, if you can find an inetd daemon
> that can do this then we could make krb5kdc support it.

The one I had in mind was systemd:
http://www.freedesktop.org/software/systemd/man/systemd.socket.html

In newer releases we still start the daemons as regular services, but
being able to have systemd wait to fire them up until clients first
attempt to talk to them could be handy.

Ok, yeah, systems can do what you, or so it seems from the link you posted.

Nico
--  
Date: Sat, 26 May 2012 02:15:45 -0500
Subject: Re: [krbdev.mit.edu #6742] would like to be able to specify listening address for krb5kdc and kadmind
From: Nico Williams <nico103@gmail.com>
To: "rt-comment@krbdev.mit.edu" <rt-comment@krbdev.mit.edu>, "rt@krbdev.mit.edu" <rt@krbdev.mit.edu>
RT-Send-Cc:
On Friday, May 25, 2012, nalin@redhat.com via RT wrote:
Show quoted text
On Fri, May 25, 2012 at 03:14:10AM -0400, Nico Williams via RT wrote:
> The way inetd starts wait services is so ingrained into daemons that
> support inetd that any change to it would have to be optional and would
> take a long time to be adopted.  Still, if you can find an inetd daemon
> that can do this then we could make krb5kdc support it.

The one I had in mind was systemd:
http://www.freedesktop.org/software/systemd/man/systemd.socket.html

In newer releases we still start the daemons as regular services, but
being able to have systemd wait to fire them up until clients first
attempt to talk to them could be handy.

Ok, yeah, systems can do what you, or so it seems from the link you posted.

Nico
--  
Actual feature request will be tracked in #6742.
From: ghudson@mit.edu
Subject: git commit

Add ability to bind addresses to the net-server

The net-server.c logic can accept individual addresses to bind to
using the standard host:port string format, in a list with a comma
delimiter.

Since pktinfo support was removed, users with systems lacking
pktinfo that have multiple NICs may specify each of the local
addresses directly that kadmind or krb5kdc should listen on in
kdc.conf.

[ghudson@mit.edu: edited comments and variable names; simplified
setup_socket()]

https://github.com/krb5/krb5/commit/28ce679a2934ad90387a0de63059444da123ff9e
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 28ce679a2934ad90387a0de63059444da123ff9e
Branch: master
src/include/net-server.h | 29 ++-
src/kadmin/server/ovsec_kadmd.c | 13 +-
src/kdc/main.c | 4 +-
src/lib/apputils/net-server.c | 671 ++++++++++++++++++++++-----------------
4 files changed, 419 insertions(+), 298 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Allow user to restrict kadmind bind addresses

kadmind has always only supported binding to the wildcard addresses.
Add three configuration options to allow specifying the address/port
that kadmind listens on for kpasswd, kadmin, and iprop connections.

[ghudson@mit.edu: edited documentation; minimized changes to
setup_loop(); added iprop_listen]

https://github.com/krb5/krb5/commit/aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00
Branch: master
doc/admin/conf_files/kdc_conf.rst | 55 +++++++++++++++++++++++++++--
src/include/k5-int.h | 3 ++
src/kadmin/server/ovsec_kadmd.c | 14 +++++---
src/lib/kadm5/admin.h | 10 +++--
src/lib/kadm5/alt_prof.c | 8 ++++
src/man/kdc.conf.man | 68 +++++++++++++++++++++++++++++++++----
6 files changed, 138 insertions(+), 20 deletions(-)
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Allow user to restrict KDC to specific addresses

krb5kdc has always only supported binding to the wildcard addresses.
Add two configuration options to allow specifying the address/port
that krb5kdc listens on for UDP and TCP connections.

[ghudson@mit.edu: edited documentation; preserved kdc_ports = ""
behavior; made kdc_ports and kdc_tcp_ports continue to work in
kdcdefaults section]

https://github.com/krb5/krb5/commit/5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae
Author: Sarah Day <sarahday@mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae
Branch: master
doc/admin/conf_files/kdc_conf.rst | 53 +++++++++---
doc/admin/install_kdc.rst | 3 +-
doc/admin/pkinit.rst | 2 +-
src/config-files/kdc.conf | 6 +-
src/include/k5-int.h | 2 +
src/kadmin/testing/proto/kdc.conf.proto | 4 +-
src/kdc/main.c | 140 ++++++++++++++++---------------
src/kdc/realm_data.h | 4 +-
src/man/kdc.conf.man | 55 +++++++++---
src/tests/dejagnu/config/default.exp | 24 +++---
src/util/k5test.py | 4 +-
11 files changed, 179 insertions(+), 118 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Fix recent change to kdcdefaults processing

When falling back to reading kdc_tcp_ports from [kdcdefaults], assign
the result to the correct variable.

https://github.com/krb5/krb5/commit/5eb0d447050c688b1003ad7d5cd0e2e733187298
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5eb0d447050c688b1003ad7d5cd0e2e733187298
Branch: master
src/kdc/main.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)