Date: Tue, 16 Jun 2009 17:23:26 -0400
From: Ed Ravin <eravin@panix.com>
To: krb5-bugs@mit.edu
Subject: krb-1.7 kadmind not logging IP address of requests

Using NetBSD 5.0 on Intel. Upgraded from krb5-1.6.3 with patches to
krb5-1.7. kadmind logging now looks like this:

    Jun 16 16:35:36 juggler.panix.com kadmind[14915](Notice): chpw request from <unprintable> for elr@PANIX.COM: success

Looked a little deeper - it's this code in src/kadmin/server/schpw.c
that is kicking in:

    if (getnameinfo(ss2sa(&ss), salen,
                    addrbuf, sizeof(addrbuf), NULL, 0,
                    NI_NUMERICHOST | NI_NUMERICSERV) != 0)
        strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));

And the return code from getnameinfo was 4 (name resolution failure).

I'm confused by this code, which appears in several spots in krb5 - it
seems to disable logging of source IP addresses of requests if there's
a local resolution error? Why not just show the IP address and leave it
at that?

My build process gave these flags to ./configure (same as what we used for
previous versions):

    configflags="\
        --prefix=/pkg/$PRODUCT \
        --mandir=/pkg/$PRODUCT/man \
        CFLAGS='-fstack-protector -D_FORTIFY_SOURCE=2' \
        --sysconfdir=/etc/kerberosV \
        --localstatedir=/var \
        --libdir=/pkg/$PRODUCT/kerblib \
        --enable-shared \
    "

krb5-config info:

    -I/pkg/krb5-1.7/include
    -L/pkg/krb5-1.7/kerblib -R/pkg/krb5-1.7/kerblib -lkrb5 -lk5crypto -lcom_err -lresolv

Thanks,

-- Ed