[31456] in Kerberos
Re: kpasswd changes password successfully but also complains about
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Sep 9 09:48:27 2009
To: Jan Sanders <jsanders@TechFak.Uni-Bielefeld.DE>
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 09 Sep 2009 09:48:04 -0400
In-Reply-To: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE> (Jan Sanders's
message of "Wed, 9 Sep 2009 08:28:07 -0400")
Message-ID: <ldv1vmgb563.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Jan Sanders <jsanders@TechFak.Uni-Bielefeld.DE> writes:
> Hello List,
>
> on my client machine I can get kerberos tickets for my principal using
> the correct principalname-password combination. I can also use kadmin on
> the client machine providing the correct principalname-password
> combination for an admin principal. Changing the password for a
> principal is no problem using kadmin.
> But then I trzy to use kpasswd on the client machine. I provide kpasswd
> with correct the principalname-password combination and twiche state
> what the new password should be and then I wait for a couple of seconds
> before kpasswd returns.
> On returning it complains: Cannot contact any KDC for requested realm
> But it also changed the password. After invoking kpasswd and observing
> the above stated behaviour I have to provide the new password to obtain
> a ticket.
> Even though kpasswd works as advertised (changes the password) it will
> cause some trouble telling users that the error message can safely be
> ignored (if it can!!).
>
> Using strace I could see some timeouts of select syscalls.
> kpasswd obtained a file descriptor for an IP connection, connects to the
> KDC and successfully sends 490 byte of data.
> Then kpasswd uses the select syscall to monitor the filedescriptor which
> times out twice.
> kpasswd resends the 490 bytes and again waits for two select syscalls to
> time out.
> Then again and finally returns with the "Cannot contact any KDC for
> requested realm" complaint.
>
> strace was invoked like this:
> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>
> What strikes me is the invocation of the select syscall. According to
> the select specification the first parameter of the syscall is the
> number of monitored file descriptors + 1. The select calls as used here
> only monitor 2 file descriptors (better: one filedescriptor is monitored
> twice). The number of file descriptors is set to 5. I do not know how
> select behaves when invoked like that and it seems not to be specified.
I believe the call to select() is correct. The first parameter should
be an integer that is one greater than the number of the
highest-numbered file descriptor, i.e., the highest-numbered file
descriptor that select() should look at here is file descriptor #4,
which means that select(5, ....) is correct.
What is probably happening is that the UDP reply packet from the KDC's
kpasswd service is not reaching you, which is could be caused by a
firewall or other factors related to network topology. Can you get a
packet trace on UDP port 464, both on the client's network and on the
KDC's network?
> The (slightly sanitized) output of strace starting from the socket
> request for connecting to the KDC:
>
> 8006 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
> 8006 connect(4, {sa_family=AF_INET, sin_port=htons(464),
> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
> 8006 getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498115, 459404}, NULL) = 0
> 8006 gettimeofday({1252498115, 459444}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
> 8006 gettimeofday({1252498116, 457725}, NULL) = 0
> 8006 gettimeofday({1252498116, 457765}, NULL) = 0
> 8006 select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498118, 462172}, NULL) = 0
> 8006 gettimeofday({1252498118, 462214}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006 gettimeofday({1252498119, 461724}, NULL) = 0
> 8006 gettimeofday({1252498119, 461763}, NULL) = 0
> 8006 select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498123, 466171}, NULL) = 0
> 8006 gettimeofday({1252498123, 466213}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006 gettimeofday({1252498124, 465728}, NULL) = 0
> 8006 gettimeofday({1252498124, 465767}, NULL) = 0
> 8006 select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
> 8006 close(4) = 0
> 8006 write(2, "kpasswd", 7) = 7
> 8006 write(2, ": ", 2) = 2
> 8006 write(2, "Cannot contact any KDC for requested realm", 42) = 42
> 8006 write(2, " ", 1) = 1
> 8006 write(2, "changing password", 17) = 17
> 8006 write(2, "\r\n", 2) = 2
> 8006 exit_group(1) = ?
>
> End of strace output.
>
>
> I hope all this is helpful for finding the cause of the "Cannot contact
> ..." error.
>
> cheers
>
> Jan Sanders
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
