[31346] in Kerberos


RE: IPv6 handling in SASL LDAP binding

daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Fri Aug 7 04:29:55 2009

From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Russ Allbery <rra@stanford.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 7 Aug 2009 16:28:36 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172E71C06A44@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <87ocqtdjib.fsf@windlord.stanford.edu>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> -----Original Message-----
> From: kerberos-bounces@mit.edu 
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos@mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> I have no idea if Cyrus SASL supports IPv6 or not, but try
> using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead.  The
> brackets disambiguate IPv6 address literals from hostnames
> with ports.

After kinit, there is a Kerberos TGT:
===================================================
qxu@durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com@XCIPV6.COM
        renew until 08/08/09 13:19:18


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems MozLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com@XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

My problem is that after the user logs in, Cyrus-SASL can't find the Kerberos server to send out the TGS-REQ. However, locating the Kerberos server seems somewhat beyond MozLDAP and Cyrus-SASL. Thus, I feel something is wrong in the MIT Kerberos plugin "libgssapi_krb5.so".

Still, it is strange that although DNS resolves the Kerberos server's hostname to an IPv6 address, kinit being successful shows that the server can be located. How come, when doing the SASL binding, the server (with an IPv6 address) can't be located?

Kind of confused...
Xu Qiang

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
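The bracket rule Russ quotes above (an IPv6 literal must be written as [addr] so it can be told apart from host:port) is easy to get wrong in client code. The following is an added example, not code from this thread, from MozLDAP or from Cyrus SASL: a small parser and formatter for the host part of an LDAP URI that accepts [v6], [v6]:port, host and host:port, rejects an unbracketed IPv6 literal instead of guessing at it, and builds a correctly bracketed URI. The address and hostname used in the tests are the ones quoted in the thread; the function names are my own.

```python
# Added example: parsing and formatting host:port strings so that IPv6
# literals are unambiguous. Not part of the original thread.
import ipaddress
import re

# [host] optionally followed by :port; the host inside the brackets is
# validated separately so a bracketed hostname is reported clearly.
_BRACKETED = re.compile(r"^\[(?P<host>[^\]]*)\](?::(?P<port>.*))?$")


def _parse_port(text, default_port):
    """Validate an optional port string; None means 'no port given'."""
    if text is None:
        return default_port
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"invalid port: {text!r}")
    return int(text)


def split_host_port(spec, default_port=None):
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port).

    Brackets are what make an IPv6 literal unambiguous: without them,
    '3ffe:2000:0:1:e0be:1872:d4f8:6b2c' cannot be distinguished from a
    hostname followed by a port, so an unbracketed literal is rejected
    rather than guessed at. Zone IDs (e.g. %eth0) are not handled here.
    """
    m = _BRACKETED.match(spec)
    if m:
        host = m.group("host")
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            raise ValueError(
                f"bracketed host is not an IPv6 literal: {spec!r}") from None
        return host, _parse_port(m.group("port"), default_port)
    if spec.count(":") > 1:
        raise ValueError(
            f"unbracketed IPv6 literal or malformed host spec: {spec!r}")
    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError(f"empty host in {spec!r}")
    return host, _parse_port(port if sep else None, default_port)


def join_host_port(host, port=None):
    """Inverse of split_host_port: bracket IPv6 literals before adding ':port'."""
    try:
        ipaddress.IPv6Address(host)
        host = f"[{host}]"
    except ValueError:
        pass  # hostname or IPv4 literal: no brackets needed
    return host if port is None else f"{host}:{port}"


def ldap_uri(host, port=None, scheme="ldap"):
    """Build an LDAP URI whose authority part is safe for IPv6 literals."""
    return f"{scheme}://{join_host_port(host, port)}/"


if __name__ == "__main__":
    print(split_host_port("[3ffe:2000:0:1:e0be:1872:d4f8:6b2c]:389"))
    print(split_host_port("crius.xcipv6.com", default_port=389))
    print(ldap_uri("3ffe:2000:0:1:e0be:1872:d4f8:6b2c", 389))
```

Note that this only settles how the LDAP server's address is written; it says nothing about how the GSSAPI library then locates the KDC for the TGS-REQ, which is the separate question raised in the message above.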
