[31368] in Kerberos
RE: IPv6 handling in SASL LDAP binding
daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Thu Aug 13 03:28:15 2009
From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Andrew Cobaugh <phalenor@gmail.com>
Date: Thu, 13 Aug 2009 15:26:51 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172E71CB6B6B@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <D8C9BC7FFCF8154FB7141EB8DB609C172E71C2298A@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> -----Original Message-----
> From: kerberos-bounces@mit.edu
> [mailto:kerberos-bounces@mit.edu] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Tuesday, August 11, 2009 10:12 AM
> To: Andrew Cobaugh
> Cc: kerberos@mit.edu
> Subject: RE: IPv6 handling in SASL LDAP binding
>
> Our printer has a WebUI that enables us to configure the
> Kerberos server through a web page. By "configured the Kerberos
> server with hostname", I mean doing it from the WebUI. Our
> printer has another DNS option, "Prefer IPv6 address over
> IPv4 address", to prioritize IPv6 addresses when resolving
> hostnames. Thus, when the Kerberos server is
> configured by hostname, DNS will return an IPv6 address in
> response, and that value is written into "/etc/krb5.conf".
>
> When "/etc/krb5.conf" is configured with IPv4 address:
> ================================================
> [libdefaults]
> default_realm = XCIPV6.COM
>
> [realms]
> XCIPV6.COM = {
> kdc = 13.198.97.42:88
> }
> ================================================
> SASL binding is successful, with all network traffic on IPv4 protocol.
>
> In contrast, when "/etc/krb5.conf" has kdc in IPv6 form:
> ================================================
> [libdefaults]
> default_realm = XCIPV6.COM
>
> [realms]
> XCIPV6.COM = {
> kdc = [3ffe:2000:0:1::100]:88
> }
> ================================================
> SASL binding will fail.
>
> The failing network trace has the following DNS query:
> ================================================
> 953 29.970599 13.198.98.117 13.198.97.42 DNS
> Standard query AAAA [3ffe.xcipv6.com
> 954 29.970621 13.198.97.42 13.198.98.117 DNS
> Standard query response, No such name
> ================================================
> Note that the AAAA DNS query begins with "[3ffe", which is
> retrieved from "/etc/krb5.conf". The failure of this DNS
> query is expected.
>
> The problem in SASL LDAP binding is that it can't locate the
> Kerberos server (due to the above reason), hence the TGS-REQ
> can't be initiated. To my knowledge, locating the Kerberos
> server is done by the Cyrus-SASL plugin (libgssapiv2.so) calling
> the MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the
> former has some problem in handling an IPv6 address configured
> in "/etc/krb5.conf".
>
> Still, the IPv6 address can be handled correctly by "kinit",
> and the Kerberos server can be found when authentication is
> done. I am not sure if kinit and libgssapi_krb5.so are
> compiled from the same MIT source package. If the answer is
> yes, then it is quite weird that kinit can handle IPv6
> addresses while libgssapi_krb5.so can't. If the answer is no,
> then it is more understandable.
Could anyone tell me which function in libgssapi_krb5.so is supposed to use /etc/krb5.conf to find the whereabouts of the server?
Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
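As an added illustration (not code from MIT Kerberos, Cyrus SASL or the poster), the following Python shows how a kdc value split at the first colon yields the host "[3ffe" seen in the failing AAAA query above, next to a parser that handles bracketed IPv6 literals, IPv4 literals and hostnames. The thread does not establish where the truncation actually happens; the naive function only reproduces the symptom.

```python
import ipaddress

DEFAULT_KDC_PORT = 88


def _port(text, value):
    """Validate a decimal port string; reject empty, non-numeric or out-of-range."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port in kdc value: {value!r}")
    return int(text)


def naive_split_kdc(value):
    """Split a kdc value at the first colon, treating the remainder as a port.

    This works for IPv4 host:port, but a bracketed IPv6 literal is cut inside
    the address: "[3ffe:2000:0:1::100]:88" becomes the host "[3ffe", the label
    that appears in the AAAA query from the trace once the resolver appends
    the search domain.
    """
    host, sep, port = value.partition(":")
    return host, (int(port) if sep and port.isdigit() else DEFAULT_KDC_PORT)


def parse_kdc(value, default_port=DEFAULT_KDC_PORT):
    """Parse a krb5.conf kdc value into (host, port).

    Accepts "host", "host:port", "v4:port", "[v6]", "[v6]:port" and a bare
    (unbracketed) IPv6 literal, which cannot carry a port. Raises ValueError
    on malformed input rather than silently producing a truncated host.
    """
    value = value.strip()
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {value!r}")
        host, rest = value[1:end], value[end + 1:]
        ipaddress.IPv6Address(host)                 # ValueError if not IPv6
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            raise ValueError(f"junk after IPv6 literal: {value!r}")
        return host, _port(rest[1:], value)
    if value.count(":") > 1:                        # bare IPv6, no port possible
        ipaddress.IPv6Address(value)
        return value, default_port
    host, sep, port = value.partition(":")          # IPv4 literal or hostname
    if not host:
        raise ValueError(f"empty host in kdc value: {value!r}")
    return host, (_port(port, value) if sep else default_port)
```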