IPv6 handling in SASL LDAP binding
Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Thu Aug 13 21:22:33 EDT 2009
> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Thursday, August 13, 2009 8:36 PM
> To: Xu, Qiang (FXSGSC)
> Cc: Alexey Melnikov; kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> On Thu, Aug 13, 2009 at 6:41 AM, Xu, Qiang (FXSGSC)<Qiang.Xu at fujixerox.com> wrote:
> >
> > P.S. Can I ask why the numerical IPv6 address is not supported in MIT distribution?
>
> Using IP addresses in files like krb5.conf is generally
> discouraged, as it's easier to change a single entry in dns
> than it is to change a file on every machine. We don't even
> specify the kdcs in krb5.conf in our environment, relying
> entirely on srv records for kdc discovery.
>
> I suppose this could be considered a bug, if anyone cared.

In my testing, I found that both a hostname and an IPv4 address work for kinit (in the original MIT distribution), but not an IPv6 address:
=========================================================
/* The content of /etc/krb5.conf with hostname */
[realms]
    XCIPV6.COM = {
        kdc = crius:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[117]$ kinit XCTEST100@XCIPV6.COM
Password for XCTEST100@XCIPV6.COM:
qxu@durian(pts/3):/etc[118]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:02:48  08/14/09 19:03:53  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/15/09 09:02:48

/* The content of /etc/krb5.conf with IPv4 */
[realms]
    XCIPV6.COM = {
        kdc = 13.198.97.42:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[122]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100@XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:05:14  08/14/09 19:05:39  krbtgt/XCIPV6.COM@XCIPV6.COM
        renew until 08/15/09 09:05:14

/* The content of /etc/krb5.conf with IPv6 address */
[realms]
    XCIPV6.COM = {
        kdc = [3ffe:2000:0:1::100]:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu@durian(pts/3):/etc[112]$ kinit XCTEST100@XCIPV6.COM
kinit(v5): Cannot resolve network address for KDC in realm XCIPV6.COM while getting initial credentials
=========================================================
Personally, I think that if a numerical IPv4 address is supported for the kdc entry in /etc/krb5.conf, a numerical IPv6 address should be supported as well.
Would MIT developers want to fix this as a bug? The related source code is the function "krb5_locate_srv_conf_1()" in the file "krb5-1.7/src/lib/krb5/os/locate_kdc.c".
Thanks,
Xu Qiang
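
The three kdc value forms tested in the message above can be told apart by a parser that treats square brackets as delimiting the address, so the colons inside an IPv6 literal are never taken for the port separator. The C function below is an added example, not part of the original message and not the code in locate_kdc.c; the names parse_kdc_entry and kdc_kind are hypothetical, and the sample value in main() is the one from the post.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum kdc_kind { KDC_BAD, KDC_HOSTNAME, KDC_IPV4, KDC_IPV6 };

/* Hypothetical helper (not MIT krb5 code): split a "kdc =" value of the form
 * name[:port], a.b.c.d[:port] or [v6addr][:port] into host and port. */
enum kdc_kind parse_kdc_entry(const char *entry, char *host, size_t hostlen,
                              int *port, int default_port)
{
    const char *h = entry, *end, *p;
    unsigned char buf[sizeof(struct in6_addr)];
    int bracketed = (*entry == '[');
    char *stop;
    if (bracketed) {
        h = entry + 1;
        end = strchr(h, ']');               /* colons before ']' are address */
        if (end == NULL || (end[1] != '\0' && end[1] != ':'))
            return KDC_BAD;                 /* no ']' or junk after it */
        p = (end[1] == ':') ? end + 2 : NULL;
    } else {
        end = h + strcspn(h, ":");          /* first colon starts the port */
        p = (*end == ':') ? end + 1 : NULL;
    }
    if (end == h || (size_t)(end - h) >= hostlen)
        return KDC_BAD;                     /* empty host or buffer too small */
    memcpy(host, h, (size_t)(end - h));
    host[end - h] = '\0';
    *port = default_port;
    if (p != NULL) {
        long v = strtol(p, &stop, 10);      /* whole remainder must be digits */
        if (*p == '\0' || *stop != '\0' || v < 1 || v > 65535)
            return KDC_BAD;                 /* also rejects unbracketed IPv6 */
        *port = (int)v;
    }
    if (bracketed)                          /* brackets require a valid IPv6 */
        return inet_pton(AF_INET6, host, buf) == 1 ? KDC_IPV6 : KDC_BAD;
    return inet_pton(AF_INET, host, buf) == 1 ? KDC_IPV4 : KDC_HOSTNAME;
}

int main(void)
{
    char host[64];
    int port, kind = parse_kdc_entry("[3ffe:2000:0:1::100]:88", host, sizeof host, &port, 88);
    printf("kind=%d host=%s port=%d\n", kind, host, port);
    return 0;
}
```

An unbracketed IPv6 literal is rejected rather than guessed at, because its last group cannot be distinguished from a port number.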