Subject: "Invalid argument" error for nonexistent KDC hostname
On Ubuntu 12.04 and some other glibc-based platforms, if you put an
invalid KDC hostname in krb5.conf, you may see an error like this from
krb5 1.10 and later:

kinit: Invalid argument while getting initial credentials

This happens because getaddrinfo returns EAI_NODATA, but that symbol
isn't visible to sendto_kdc.c because <netdb.h> doesn't define it (it
only does if _GNU_SOURCE is defined). So translate_ai_error doesn't
know how to translate the error, and returns EINVAL instead of 0 like
it's supposed to. (I'm not sure we'd produce a good error message if
translate_ai_error did return 0; that may be a secondary bug.)

I don't think this is correct behavior from getaddrinfo. EAI_NODATA is
documented as meaning "The specified network host exists, but does not
have any network addresses defined" which doesn't match getting an
NXDOMAIN from the DNS request. This odd behavior is specific to calling
getaddrinfo with the AI_ADDRCONFIG flag (or with a null hint); if you
invoke it without AI_ADDRCONFIG, you get EAI_NONAME instead. Since krb5
1.9 and prior call getaddrinfo without AI_ADDRCONFIG, they don't have
this bug.

Whether this is a getaddrinfo bug is mostly immaterial, since we want to
be able to recognize and translate legitimate EAI_NODATA errors
regardless. The simplest way to do that would be to define _GNU_SOURCE
when building krb5. That could have subtle implications elsewhere in
the code base, but those implications are generally positive.

Nalin suggested using AC_USE_SYSTEM_EXTENSIONS, which tries to define
the "use all system extensions" flags on various systems (_GNU_SOURCE
with glibc, __EXTENSIONS__ and _POSIX_PTHREAD_SEMANTICS on Solaris,
etc.).

Tom is wary that defining symbols like this in a library might make it
incompatible with an application which doesn't use those symbols. The
potential exists (for instance, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=40411 and its referents
document issues which can arise from using the native "-xc99=all" on
Solaris), but we don't have any specific knowledge of such an issue
arising just from defining symbols.

However, _GNU_SOURCE does have at least one detrimental effect: it
causes the GNU version of strerror_r to be used instead of the default
POSIX version, which would require us to conditionalize every place we
use that function. (The standard version returns an int and always puts
the result in the caller buffer; the GNU version returns a char * which
may point to the buffer or may point somewhere else.)

Resolved by #7961.
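
The failure mode discussed in this ticket, as an added example that is not krb5's code and not part of the ticket: a getaddrinfo() error classifier that gives the same answer whether or not the build's feature-test macros expose EAI_NODATA, and that keeps the raw code and gai_strerror() text for anything it has no symbol for. The enum, the function names and the sample value 12345 are hypothetical.

```c
#include <netdb.h>
#include <stdio.h>

/* Hypothetical result classes for this example; not krb5's own types. */
enum resolve_class {
    RC_NO_SUCH_HOST,   /* name does not resolve: try the next server */
    RC_TRANSIENT,      /* resolver asked us to retry later */
    RC_LOCAL_FAILURE,  /* out of memory or a system error (see errno) */
    RC_UNRECOGNIZED    /* code this build has no symbol for */
};

/* Classify a getaddrinfo() return value without assuming which EAI_*
 * symbols the feature-test macros in effect made visible. */
static enum resolve_class classify_gai_error(int err)
{
    switch (err) {
    case EAI_NONAME:
#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
    case EAI_NODATA:   /* on glibc, visible only with _GNU_SOURCE */
#endif
        return RC_NO_SUCH_HOST;
    case EAI_AGAIN:
        return RC_TRANSIENT;
    case EAI_MEMORY:
    case EAI_SYSTEM:
        return RC_LOCAL_FAILURE;
    default:
        return RC_UNRECOGNIZED;
    }
}

/* Build a log message that keeps the raw code and the resolver's own text,
 * so an unrecognized code is not reported as a generic errno string. */
static int describe_gai_error(int err, char *buf, size_t len)
{
    return snprintf(buf, len, "getaddrinfo failed: %s (code %d, class %d)",
                    gai_strerror(err), err, (int)classify_gai_error(err));
}

int main(void)
{
    /* Constructed inputs: two standard codes and one made-up value. */
    int samples[] = { EAI_NONAME, EAI_AGAIN, 12345 };
    char msg[160];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        describe_gai_error(samples[i], msg, sizeof(msg));
        puts(msg);
    }
    return 0;
}
```

When EAI_NODATA is hidden at compile time, a run-time EAI_NODATA result lands in RC_UNRECOGNIZED, and the message still carries the numeric code and the resolver's description.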