kpasswd changes password successfully but also complains about kdc not reachable

Jan Sanders jsanders at TechFak.Uni-Bielefeld.DE
Wed Sep 9 08:28:07 EDT 2009


Hello List,

on my client machine I can get kerberos tickets for my principal using 
the correct principalname-password combination. I can also use kadmin on 
the client machine providing the correct principalname-password 
combination for an admin principal. Changing the password for a 
principal is no problem using kadmin.
But then I trzy to use kpasswd on the client machine. I provide kpasswd 
with correct the principalname-password combination and twiche state 
what the new password should be and then I wait for a couple of seconds 
before kpasswd returns.
On returning it complains: Cannot contact any KDC for requested realm
But it also changed the password. After invoking kpasswd and observing 
the above stated behaviour I have to provide the new password to obtain 
a ticket.
Even though kpasswd works as advertised (changes the password) it will 
cause some trouble telling users that the error message can safely be 
ignored (if it can!!).

Using strace I could see some timeouts of select syscalls.
kpasswd obtained a file descriptor for an IP connection, connects to the 
KDC and successfully sends 490 byte of data.
Then kpasswd uses the select syscall to monitor the filedescriptor which 
times out twice.
kpasswd resends the 490 bytes and again waits for two select syscalls to 
time out.
Then again and finally returns with the "Cannot contact any KDC for 
requested realm" complaint.

strace was invoked like this:
#strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc

What strikes me is the invocation of the select syscall. According to 
the select specification the first parameter of the syscall is the 
number of monitored file descriptors + 1. The select calls as used here 
only monitor 2 file descriptors (better: one filedescriptor is monitored 
twice). The number of file descriptors is set to 5. I do not know how 
select behaves when invoked like that and it seems not to be specified.

The (slightly sanitized) output of strace starting from the socket 
request for connecting to the KDC:

8006  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
8006  connect(4, {sa_family=AF_INET, sin_port=htons(464), 
sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
8006  getsockname(4, {sa_family=AF_INET, sin_port=htons(35498), 
sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  gettimeofday({1252498115, 459404}, NULL) = 0
8006  gettimeofday({1252498115, 459444}, NULL) = 0
8006  select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
8006  gettimeofday({1252498116, 457725}, NULL) = 0
8006  gettimeofday({1252498116, 457765}, NULL) = 0
8006  select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  gettimeofday({1252498118, 462172}, NULL) = 0
8006  gettimeofday({1252498118, 462214}, NULL) = 0
8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006  gettimeofday({1252498119, 461724}, NULL) = 0
8006  gettimeofday({1252498119, 461763}, NULL) = 0
8006  select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  gettimeofday({1252498123, 466171}, NULL) = 0
8006  gettimeofday({1252498123, 466213}, NULL) = 0
8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006  gettimeofday({1252498124, 465728}, NULL) = 0
8006  gettimeofday({1252498124, 465767}, NULL) = 0
8006  select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
8006  close(4)                          = 0
8006  write(2, "kpasswd", 7)            = 7
8006  write(2, ": ", 2)                 = 2
8006  write(2, "Cannot contact any KDC for requested realm", 42) = 42
8006  write(2, " ", 1)                  = 1
8006  write(2, "changing password", 17) = 17
8006  write(2, "\r\n", 2)               = 2
8006  exit_group(1)                     = ?

End of strace output.


I hope all this is helpful for finding the cause of the "Cannot contact 
..." error.

cheers

Jan Sanders



More information about the Kerberos mailing list