IPv6 handling in SASL LDAP binding

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Aug 13 03:26:51 EDT 2009


> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Tuesday, August 11, 2009 10:12 AM
> To: Andrew Cobaugh
> Cc: kerberos at mit.edu
> Subject: RE: IPv6 handling in SASL LDAP binding
> 
> Our printer has a WebUI that enables us to configure the 
> Kerberos server through a web page. By "configured the Kerberos 
> server with hostname", I mean doing it from the WebUI. Our 
> printer has another DNS option, "Prefer IPv6 address over 
> IPv4 address", to prioritize IPv6 addresses when resolving 
> hostnames. Thus, when the Kerberos server is configured by 
> hostname, DNS will return an IPv6 address in response, and 
> the value is written into "/etc/krb5.conf".
> 
> When "/etc/krb5.conf" is configured with IPv4 address: 
> ================================================
> [libdefaults]
> 	default_realm = XCIPV6.COM
> 
> [realms]
> 	XCIPV6.COM = {
> 		kdc = 13.198.97.42:88
> 	}
> ================================================
> SASL binding is successful, with all network traffic over the IPv4 protocol.
> 
> In contrast, when "/etc/krb5.conf" has kdc in IPv6 form: 
> ================================================
> [libdefaults]
> 	default_realm = XCIPV6.COM
> 
> [realms]
> 	XCIPV6.COM = {
> 		kdc = [3ffe:2000:0:1::100]:88
> 	}
> ================================================
> SASL binding will fail.
> 
> The failing network trace has the following DNS query: 
> ================================================
> 953	29.970599	13.198.98.117	13.198.97.42	DNS	
> Standard query AAAA [3ffe.xcipv6.com
> 954	29.970621	13.198.97.42	13.198.98.117	DNS	
> Standard query response, No such name
> ================================================
> Note that the AAAA DNS query begins with "[3ffe", which is 
> retrieved from "/etc/krb5.conf". The failure of this DNS 
> query is expected.
> 
> The problem in SASL LDAP binding is that it can't locate the 
> Kerberos server (for the above reason), hence the TGS-REQ 
> can't be initiated. To my knowledge, locating the Kerberos 
> server is done by the Cyrus-SASL plugin (libgssapiv2.so) calling 
> the MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the 
> former has some problem in handling an IPv6 address configured 
> in "/etc/krb5.conf".
> 
> Still, the IPv6 address can be handled correctly by "kinit", 
> and the Kerberos server can be found when authentication is 
> done. I am not sure if kinit and libgssapi_krb5.so are 
> compiled from the same MIT source package. If the answer is 
> yes, then it is quite weird that kinit can handle the IPv6 
> address while libgssapi_krb5.so can't. If the answer is no, 
> then it is more understandable.

Could anyone tell me which function in libgssapi_krb5.so is supposed to use /etc/krb5.conf to find the whereabouts of the server?

Thanks,
Xu Qiang
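The AAAA query for "[3ffe.xcipv6.com" in the trace is what you get when a "kdc = [addr]:port" value is split on its first colon and the leftover label is handed to the resolver, which appends the search domain. The example below is added here to model that failure mode; it is not MIT Kerberos or Cyrus SASL code, and it does not reproduce the real KDC locator in libkrb5. All function names are hypothetical, and the search-domain behaviour of query_name_for is an assumption inferred from the trace, not something the libraries are known to do.

```python
"""Added example: two ways of splitting a krb5.conf "kdc = host[:port]" value,
and what each one hands to the resolver.

This is illustrative code with hypothetical names, not MIT Kerberos or
Cyrus SASL code. The real KDC locator inside libkrb5/libgssapi_krb5 is
not reproduced here.
"""
import ipaddress

KRB5_DEFAULT_KDC_PORT = 88  # port used when the spec carries none


def split_naive(spec):
    """Split on the FIRST ':' (the bug-prone way).

    Fine for "13.198.97.42:88" or "kdc.example.com:88", but a bracketed
    IPv6 literal "[3ffe:2000:0:1::100]:88" is chopped after "[3ffe".
    """
    host, sep, rest = spec.strip().partition(":")
    port = int(rest) if sep and rest.isdigit() else KRB5_DEFAULT_KDC_PORT
    return host, port


def split_kdc_spec(spec):
    """Parse host[:port] where host may be a [bracketed] IPv6 literal."""
    spec = spec.strip()
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(host)  # ValueError if not an IPv6 address
        if rest and not rest.startswith(":"):
            raise ValueError(f"junk after IPv6 literal: {spec!r}")
        port_text = rest[1:]
    elif spec.count(":") > 1:
        # Bare IPv6 literal without brackets: there is no way to tell a
        # trailing port from the last hextet, so take it whole.
        ipaddress.IPv6Address(spec)
        return spec, KRB5_DEFAULT_KDC_PORT
    else:
        host, _, port_text = spec.partition(":")
    if port_text == "":
        return host, KRB5_DEFAULT_KDC_PORT
    if not port_text.isdigit():
        raise ValueError(f"bad port in KDC spec: {spec!r}")
    return host, int(port_text)


def query_name_for(host, search_domain):
    """Name the resolver would look up for `host`, or None for an IP literal.

    Assumption (inferred from the trace, which shows a query for
    "[3ffe.xcipv6.com"): a name with no dot gets the search domain appended.
    """
    try:
        ipaddress.ip_address(host)
        return None  # address literal: no DNS lookup needed
    except ValueError:
        pass
    return host if "." in host else f"{host}.{search_domain}"


def locate(spec, parser, search_domain="xcipv6.com"):
    """Return (host, port, dns_query_name) for a kdc spec under `parser`."""
    host, port = parser(spec)
    return host, port, query_name_for(host, search_domain)


if __name__ == "__main__":
    # Constructed inputs: the two krb5.conf values quoted in the thread.
    for spec in ("13.198.97.42:88", "[3ffe:2000:0:1::100]:88"):
        print(spec)
        print("  naive :", locate(spec, split_naive))
        print("  proper:", locate(spec, split_kdc_spec))
```

Run it and the IPv4 spec behaves the same under both parsers, while the IPv6 spec gives host "[3ffe" and a lookup for "[3ffe.xcipv6.com" under the naive split, matching the failing AAAA query in the trace, and host "3ffe:2000:0:1::100", port 88 and no DNS lookup at all under the bracket-aware one. Whichever library is doing the splitting, this is the behaviour to check for in its KDC locator.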
