enterprise-support team mailing list archive

[Bug 1688310] [NEW] KDC/kadmind may fail to start on IPv4-only systems

 

Public bug reported:

This is fixed in artful in krb5 1.15-2

- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

getaddrinfo() called on a wildcard address might return the IPv6 "::1"
address. On machines without IPv6 support, binding to it will likely
fail and the kdc/kadmin services won't start.

Steps to reproduce the problem on zesty:

a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers

b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted

c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
 4275 ?        Ss     0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
 4306 ?        Ss     0:00 /usr/sbin/kadmind -nofork

d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu@xxxxxxxxxxx: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@xxxxxxxxxxx

Valid starting       Expires              Service principal
05/04/2017 14:20:17  05/05/2017 00:20:17  krbtgt/EXAMPLE.ORG@xxxxxxxxxxx
	renew until 05/05/2017 14:20:13

e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6       0      0 :::88                   :::*                    LISTEN      1078/krb5kdc        
tcp6       0      0 :::749                  :::*                    LISTEN      1065/kadmind        
tcp6       0      0 :::464                  :::*                    LISTEN      1065/kadmind        
udp6       0      0 :::88                   :::*                                1078/krb5kdc        
udp6       0      0 :::464                  :::*                                1065/kadmind        
udp6       0      0 :::750                  :::*                                1078/krb5kdc        

f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
f.1) edit /etc/default/grub
f.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
f.3) run sudo update-grub
f.4) reboot

g) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$

h) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log 
May  4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May  4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May  4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May  4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May  4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May  4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)

** Affects: krb5 (Ubuntu)
     Importance: Undecided
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to krb5 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1688310
