IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Fri Aug 7 04:28:36 EDT 2009


> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
> 
> I have no idea if Cyrus SASL supports IPv6 or not, but try 
> using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead.  The 
> brackets disambiguate
> IPv6 address literals from hostnames with ports.

After kinit, there is a Kerberos TGT:
===================================================
qxu at durian(pts/2):/usr/lib[115]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100 at XCIPV6.COM

Valid starting     Expires            Service principal
08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM at XCIPV6.COM
        renew until 08/08/09 13:19:18
08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com at XCIPV6.COM
        renew until 08/08/09 13:19:18


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
===================================================
Since it seems MozLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com at XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

My problem is that after the user logs in, Cyrus-SASL can't find the Kerberos server to send out TGS-REQ. However, locating the Kerberos server seems somewhat beyond MozLDAP and Cyrus-SASL. Thus, I feel something is wrong in the MIT Kerberos plugin "libgssapi_krb5.so".

Still, it is strange that, although DNS resolves the Kerberos server's hostname to an IPv6 address, kinit is successful, which shows that the server can be located. How come, when doing SASL binding, the server (with an IPv6 address) can't be located?

Kind of confused...
Xu Qiang



