enterprise-support team mailing list archive

[Bug 1688121] [NEW] KDC/kadmind explicit wildcard listener addresses do not use pktinfo

Public bug reported:

This is fixed in artful in krb5 1.15-2

- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch

TL;DR: when kinit uses UDP to reach the KDC on an aliased interface address, the
server responds with the wrong source IP.

On zesty:
a) install krb5-kdc and krb5-admin-server
sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, select your own IP for the KDC and the Admin servers

b) configure a new realm called EXAMPLE.ORG
sudo krb5_newrealm
use any password of your liking when prompted

c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH:
sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu

d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket:
$ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu
$ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real	0m0.022s
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@xxxxxxxxxxx

Valid starting       Expires              Service principal
05/03/2017 21:22:08  05/04/2017 07:22:08  krbtgt/EXAMPLE.ORG@xxxxxxxxxxx
 renew until 05/04/2017 21:22:08

e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case):
sudo ip addr add 10.0.5.155/24 dev ens3

f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e):
[realms]
        EXAMPLE.ORG = {
                kdc = 10.0.5.155
                admin_server = 10.0.5.155
        }

g) Time again how long it takes to obtain a ticket:
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real	0m2.017s

Step (g) shows the bug.

On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, so kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP:
    1 0.000000000    10.0.5.55 → 10.0.5.155   KRB5 216 AS-REQ
    2 0.000566682    10.0.5.55 → 10.0.5.55    KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
(2) has the incorrect source IP!

After roughly 1s, kinit switches to TCP and tries again:
    3 1.003231507    10.0.5.55 → 10.0.5.155   TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
    4 1.003269692   10.0.5.155 → 10.0.5.55    TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128
    5 1.003302614    10.0.5.55 → 10.0.5.155   TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
    6 1.003545204    10.0.5.55 → 10.0.5.155   KRB5 244 AS-REQ
    7 1.003567693   10.0.5.155 → 10.0.5.55    TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
    8 1.003799664   10.0.5.155 → 10.0.5.55    KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
(continues)
In (8) and the rest of the capture, the whole TCP handshake and exchange happen with the correct IP addresses and we get the ticket, but not before kinit sends the request with PREAUTH over UDP again. That's why it takes 2 seconds in the end :)

** Affects: krb5 (Ubuntu)
     Importance: Undecided
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

https://bugs.launchpad.net/bugs/1688121