[31376] in Kerberos

RE: IPv6 handling in SASL LDAP binding

daemon@ATHENA.MIT.EDU (Xu, Qiang (FXSGSC))
Thu Aug 13 21:23:44 2009

From: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
To: Andrew Cobaugh <phalenor@gmail.com>
Date: Fri, 14 Aug 2009 09:22:33 +0800
Message-ID: <D8C9BC7FFCF8154FB7141EB8DB609C172E71CFA22A@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
In-Reply-To: <1b8d56200908130536q3335c4b5l1d2e327f9f7a7d3a@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
X-MAIL-FROM: <qiang.xu@fujixerox.com>
Cc: Alexey Melnikov <alexey.melnikov@isode.com>,
   "krbdev@mit.edu" <krbdev@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor@gmail.com] 
> Sent: Thursday, August 13, 2009 8:36 PM
> To: Xu, Qiang (FXSGSC)
> Cc: Alexey Melnikov; kerberos@mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> On Thu, Aug 13, 2009 at 6:41 AM, Xu, Qiang (FXSGSC) <Qiang.Xu@fujixerox.com> wrote:
> >
> > P.S. Can I ask why the numerical IPv6 address is not supported in MIT distribution?
> 
> Using IP addresses in files like krb5.conf is generally 
> discouraged, as it's easier to change a single entry in DNS 
> than it is to change a file on every machine. We don't even 
> specify the KDCs in krb5.conf in our environment, relying 
> entirely on SRV records for KDC discovery.
> 
> I suppose this could be considered a bug, if anyone cared.

In my testing, I found that both a hostname and an IPv4 address work for kinit (in the original MIT distribution), but an IPv6 address does not:
=========================================================
/* The content of /etc/krb5.conf with hostname */
[realms]
 XCIPV6.COM = {
  kdc = crius:88
  default_domain = xcipv6.com
 }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[117]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
qxu@durian(pts/3):/etc[118]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:02:48  08/14/09 19:03:53  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/15/09 09:02:48

/* The content of /etc/krb5.conf with IPv4 */
[realms]
 XCIPV6.COM = {
  kdc = 13.198.97.42:88
  default_domain = xcipv6.com
 }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[122]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:05:14  08/14/09 19:05:39  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/15/09 09:05:14

/* The content of /etc/krb5.conf with IPv6 address */
[realms]
 XCIPV6.COM = {
  kdc = [3ffe:2000:0:1::100]:88
  default_domain = xcipv6.com
 }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[112]$ kinit XCTEST100@XCIPV6.COM
kinit(v5): Cannot resolve network address for KDC in realm XCIPV6.COM while getting initial credentials
=========================================================
Personally, I think that if a numerical IPv4 address is supported for the kdc entry in /etc/krb5.conf, a numerical IPv6 address should be supported as well.

Would MIT developers want to fix this as a bug? The related source code is the function "krb5_locate_srv_conf_1()" in the file "krb5-1.7/src/lib/krb5/os/locate_kdc.c".

Thanks,
Xu Qiang

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
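
An added illustration, not part of the original message and not MIT's code from locate_kdc.c: a C routine that splits the three kdc value forms tested above (hostname, IPv4 literal, bracketed IPv6 literal) into host and port. The name split_kdc_entry and the rule for unbracketed values with several colons are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split a krb5.conf "kdc =" value into host and port (default 88).
 * Assumption of this example: an unbracketed value with more than one
 * colon is a bare IPv6 literal without a port. Returns 0, or -1 if malformed. */
int split_kdc_entry(const char *entry, char *host, size_t hostlen, int *port)
{
    const char *hstart = entry, *hend, *pstr = NULL;
    *port = 88;
    if (*entry == '[') {                       /* bracketed IPv6 literal */
        hstart = entry + 1;
        hend = strchr(hstart, ']');
        if (hend == NULL || (hend[1] != ':' && hend[1] != '\0'))
            return -1;                         /* missing ']' or junk after it */
        pstr = (hend[1] == ':') ? hend + 2 : NULL;
    } else {
        hend = strchr(entry, ':');
        if (hend == NULL || strchr(hend + 1, ':') != NULL)
            hend = entry + strlen(entry);      /* no port part */
        else
            pstr = hend + 1;                   /* exactly one colon: host:port */
    }
    if (hend == hstart || (size_t)(hend - hstart) >= hostlen)
        return -1;                             /* empty or oversized host */
    memcpy(host, hstart, (size_t)(hend - hstart));
    host[hend - hstart] = '\0';
    if (pstr != NULL) {
        char *endp = NULL;
        long p = isdigit((unsigned char)*pstr) ? strtol(pstr, &endp, 10) : 0;
        if (p < 1 || p > 65535 || *endp != '\0')
            return -1;                         /* port not a number in 1..65535 */
        *port = (int)p;
    }
    return 0;
}

int main(void)
{
    /* The three kdc values from the krb5.conf snippets in the message. */
    const char *kdcs[] = { "crius:88", "13.198.97.42:88", "[3ffe:2000:0:1::100]:88" };
    char host[256];
    int port;
    for (int i = 0; i < 3; i++)
        if (split_kdc_entry(kdcs[i], host, sizeof host, &port) == 0)
            printf("%-26s host=%s port=%d\n", kdcs[i], host, port);
    return 0;
}
```

The extracted host string can be handed to getaddrinfo(), which accepts names, IPv4 literals and IPv6 literals alike.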