Subject: krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf
A tcp kpasswd service is required if only admin_server is specified in
krb5.conf.

A patch for this bug is attached.
--- src/lib/krb5/os/changepw.c
+++ src/lib/krb5/os/changepw.c 2007/01/05 13:31:45
@@ -67,7 +67,7 @@

if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kadmin, SOCK_STREAM, 0);
+ locate_service_kadmin, sockType, 0);
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT. */
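Review bot: replacing SOCK_STREAM with sockType in the locate_service_kadmin fallback changes which DNS SRV record is queried, not which connection is opened; for a UDP caller it would query a _udp kadmin record, which never exists for the TCP-only kadmin service, so the fallback fails exactly in the case it is meant to cover. Keep `locate_service_kadmin, SOCK_STREAM, 0` here and instead rewrite `ai_socktype` on the returned entries inside the loop that already changes the port to DEFAULT_KPASSWD_PORT.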
I do not believe that this patch is correct.

The SOCK_STREAM parameter to krb5int_locate_server does not determine
what type of connection is used to connect the kpasswd service. The
SOCK_STREAM parameter is specified so that the lookup of the DNS SRV
record for the kadmin service will be performed using '_tcp' as the
kadmin service is a TCP only service.

Changing SOCK_STREAM to 'sockType' will cause the DNS SRV query to use
'_udp' which should always fail.

This parameter is not used when searching the krb5.conf file.

Jeffrey Altman
[jaltman - Thu Jan 18 06:47:52 2007]:

> The SOCK_STREAM parameter to krb5int_locate_server does not
> determine what type of connection is used to connect the kpasswd
> service. The SOCK_STREAM parameter is specified so that the lookup
> of the DNS SRV record for the kadmin service will be performed
> using '_tcp' as the kadmin service is a TCP only service.
>
> Changing SOCK_STREAM to 'sockType' will cause the DNS SRV query to
> use '_udp' which should always fail.
>
> This parameter is not used when searching the krb5.conf file.

Well, it is used. Here is how it is called:

changepw.c:krb5_locate_kpasswd
=> locate_kdc.c:krb5int_locate_server(..., socktype stream, ...)
=> locate_kdc.c:prof_locate_server(..., socktype stream, ...)
=> locate_kdc.c:krb5_locate_srv_conf_1(..., socktype stream, ...)
=> locate_kdc.c:[krb5int_]add_host_to_list(..., socktype stream, ...)
{
hint.ai_socktype = socktype;
}

I can say: When I specify only kdc and admin_server in krb5.conf (no
DNS) this code tries to open a tcp connection to kpasswd service port
464. But kadmind does not open such a port. It has only a udp port
open.
Date: Thu, 18 Jan 2007 07:57:18 -0500
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf
Public Submitter via RT wrote:
>> This parameter is not used when searching the krb5.conf file.
>
> Well, it is used. Here is how it is called:
>
> changepw.c:krb5_locate_kpasswd
> => locate_kdc.c:krb5int_locate_server(..., socktype stream, ...)
> => locate_kdc.c:prof_locate_server(..., socktype stream, ...)
> => locate_kdc.c:krb5_locate_srv_conf_1(..., socktype stream, ...)
> => locate_kdc.c:[krb5int_]add_host_to_list(..., socktype stream, ...)
> {
> hint.ai_socktype = socktype;
> }
>
> I can say: When I specify only kdc and admin_server in krb5.conf (no
> DNS) this code tries to open a tcp connection to kpasswd service port
> 464. But kadmind does not open such a port. It has only a udp port
> open.

I suspect that the patch you are looking for is this. Please confirm
that it addresses your issue and I will commit it.

Index: changepw.c
===================================================================
--- changepw.c (revision 19063)
+++ changepw.c (working copy)
@@ -70,12 +70,14 @@
locate_service_kadmin,
SOCK_STREAM, 0);
if (!code) {
/* Success with admin_server but now we need to change the
- port number to use DEFAULT_KPASSWD_PORT. */
+ port number to use DEFAULT_KPASSWD_PORT and the socktype. */
int i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
if (a->ai_family == AF_INET)
sa2sin (a->ai_addr)->sin_port =
htons(DEFAULT_KPASSWD_PORT);
+ if (sockType != SOCK_STREAM)
+ a->ai_socktype == sockType;
}
}
}
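Review bot: `a->ai_socktype == sockType;` on the second added line is a comparison whose result is discarded, so the socket type is never changed and the reported tcp behaviour persists; it should read `a->ai_socktype = sockType;`. Most compilers flag this as a statement with no effect when warnings are enabled. Separately, the port rewrite is still guarded by `if (a->ai_family == AF_INET)` while the socket-type rewrite is not, so an AF_INET6 admin_server entry would get the new socket type but keep the kadmin port.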
[jaltman - Thu Jan 18 07:55:20 2007]:

> I suspect that the patch you are looking for is this. Please confirm
> that it addresses your issue and I will commit it.
>
> Index: changepw.c
> ===================================================================
> --- changepw.c (revision 19063)
> +++ changepw.c (working copy)
> @@ -70,12 +70,14 @@
> locate_service_kadmin,
> SOCK_STREAM, 0);
> if (!code) {
> /* Success with admin_server but now we need to change
the
> - port number to use DEFAULT_KPASSWD_PORT. */
> + port number to use DEFAULT_KPASSWD_PORT and the
socktype. */
> int i;
> for (i=0; i<addrlist->naddrs; i++) {
> struct addrinfo *a = addrlist->addrs[i].ai;
> if (a->ai_family == AF_INET)
> sa2sin (a->ai_addr)->sin_port =
> htons(DEFAULT_KPASSWD_PORT);
> + if (sockType != SOCK_STREAM)
> + a->ai_socktype == sockType;
> }
> }
> }
>

Sorry, does not work. It still tries tcp. I confirmed that the
socktype was changed, but:

krb5int_sendto(callback=0xbfe3d3e8, addrlist=2{0x80055780=stream
10.10.101.132.464,0x800554e0=stream 10.10.101.132.464})
maybe_send(@0x8005543c) state=INITIALIZING type=tcp
abandoning connection 5: 22/Invalid Argument

Btw: If this call with static SOCK_STREAM is correct, why is the call
three lines above

code = krb5int_locate_server (context, realm, addrlist,
locate_service_kpasswd, sockType, 0);

with sockType correct?
Date: Thu, 18 Jan 2007 09:41:10 -0500
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf
Public Submitter via RT wrote:

> Btw: If this call with static SOCK_STREAM is correct, why is call
> three lines above
>
> code = krb5int_locate_server (context, realm, addrlist,
> locate_service_kpasswd, sockType, 0);
>
> with sockType correct?

This is correct because kpasswd is a service that exists for both
UDP and TCP. kadmind is only TCP.

Therefore, when the search occurs, you want to check krb5.conf first
and if there is no matching entry perform a DNS SRV record search for
the service type that you are looking for. For kpasswd you want to
search for _kpasswd._udp.REALM or _kpasswd._tcp.REALM depending on
the type of connection the caller wants to make.

The search for kadmin is there as a backup in case the kpasswd
entries were not created. There will only ever be a _kadmin._tcp.REALM
record so we must always search for SOCK_STREAM. That is why fixing
up the ai records after the lookup is the correct fix.

Since you have verified that ai_socktype is being set to the requested
value, I do not understand how src/krb5/lib/krb5/os/sendto_kdc.c
setup_connection() and start_connection() can be creating the wrong type
of connection.

Perhaps you can debug that further.
Date: Thu, 18 Jan 2007 09:56:11 -0500
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf
The problem of course was a bug in the patch. == instead of =.
Here is the corrected version.

Index: changepw.c
===================================================================
--- changepw.c (revision 19063)
+++ changepw.c (working copy)
@@ -70,12 +70,14 @@
locate_service_kadmin,
SOCK_STREAM, 0);
if (!code) {
/* Success with admin_server but now we need to change the
- port number to use DEFAULT_KPASSWD_PORT. */
+ port number to use DEFAULT_KPASSWD_PORT and the socktype. */
int i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
if (a->ai_family == AF_INET)
sa2sin (a->ai_addr)->sin_port =
htons(DEFAULT_KPASSWD_PORT);
+ if (sockType != SOCK_STREAM)
+ a->ai_socktype = sockType;
}
}
}
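Review bot: the second added line now assigns (`a->ai_socktype = sockType;`), so the comment and the code agree. The `if (sockType != SOCK_STREAM)` guard is only safe because the lookup a few lines up always passes SOCK_STREAM, so entries already carry that type in the equal case; an unconditional assignment would state the intent with less to reason about. The port rewrite is still limited to `a->ai_family == AF_INET`, so an AF_INET6 admin_server address would get the requested socket type but keep the kadmin port; consider a matching sin6_port case.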
[jaltman - Thu Jan 18 09:54:09 2007]:

> The problem of course was a bug in the patch. == instead of =.
> Here is the corrected version.

Yes this was the problem. Now it works.
From: jaltman@mit.edu
Subject: SVN Commit
In addition to setting the kpasswd port after
searching for kadmind host addresses we must also
set the socket type according to the request.

Commit By: jaltman
Revision: 19070
Changed Files:
U trunk/src/lib/krb5/os/changepw.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19070 from trunk

r19070@cathode-dark-space: jaltman | 2007-01-18 10:28:07 -0500
ticket: 5393
tags: pullup

In addition to setting the kpasswd port after
searching for kadmind host addresses we must also
set the socket type according to the request.

Commit By: tlyu
Revision: 19112
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/os/changepw.c