krb5kdc crashes

Ken Raeburn raeburn at MIT.EDU
Tue Apr 2 22:50:22 EST 2002


jfanonymouswindows at yahoo.com writes:
> I'm new to Kerberos. I got Kerberos 5-1.2.4 and built it from source.
> 
> I have a GNU/Linux system (Linux 2.4.18, everything up to date)
> 
> And I get this:
> 
> Apr 03 00:47:48 brick.hn.org krb5kdc[15053](info): setting up network...
> Apr 03 00:47:48 brick.hn.org krb5kdc[15053](info): setting up network...
> Apr 03 00:47:48 brick.hn.org krb5kdc[15053](info): set up 0 sockets
> Apr 03 00:47:48 brick.hn.org krb5kdc[15053](info): set up 0 sockets
> krb5kdc: no sockets set up?
> krb5kdc: no sockets set up?

Well, that's not exactly a crash, it's decided it doesn't have any
network interfaces and quietly exits.  But that's quibbling....

The question is, why does it decide it has no network interfaces?
When you try to start it up, *is* the machine configured to have
network addresses at the time?  (As opposed to being, say, a
disconnected laptop.)  If so, somehow the SIOCGIFCONF support in
kdc/network.c (and nearly-identical code in lib/krb5/os/localaddr.c)
is failing to detect them.  It does filter out the loopback interface
("lo", 127.0.0.1) and interfaces that are not configured "up", and it
only handles IPv4, not IPv6.

Because of the way the IPv4 socket interface works, the KDC needs to
find all of the local IPv4 network addresses and listen on them.  One
listening socket with a wildcard address won't do, because on a
multi-homed machine, the KDC can't control the IP address used to send
the response, and if that address is wrong, the response will be
discarded.  I've got some other ideas in mind I might try coding up
for future releases, such as using the wildcard socket to determine
when the machine has acquired an address the KDC didn't know about
when it started up, as a signal that it should re-check the local
addresses.  It still can't usefully process the packet it got *if* the
machine has multiple addresses, but if it has only one, it's probably
a safe bet that that one address is the one the client is expecting
the KDC to use.

Ken


