kpasswd changes password successfully but also complains about kdc not reachable

Tom Yu tlyu at MIT.EDU
Wed Sep 9 09:48:04 EDT 2009


Jan Sanders <jsanders at TechFak.Uni-Bielefeld.DE> writes:

> Hello List,
>
> on my client machine I can get kerberos tickets for my principal using 
> the correct principalname-password combination. I can also use kadmin on 
> the client machine providing the correct principalname-password 
> combination for an admin principal. Changing the password for a 
> principal is no problem using kadmin.
> But then I try to use kpasswd on the client machine. I provide kpasswd 
> with the correct principalname-password combination and twice state 
> what the new password should be and then I wait for a couple of seconds 
> before kpasswd returns.
> On returning it complains: Cannot contact any KDC for requested realm
> But it also changed the password. After invoking kpasswd and observing 
> the above stated behaviour I have to provide the new password to obtain 
> a ticket.
> Even though kpasswd works as advertised (changes the password) it will 
> cause some trouble telling users that the error message can safely be 
> ignored (if it can!!).
>
> Using strace I could see some timeouts of select syscalls.
> kpasswd obtained a file descriptor for an IP connection, connects to the 
> KDC and successfully sends 490 byte of data.
> Then kpasswd uses the select syscall to monitor the filedescriptor which 
> times out twice.
> kpasswd resends the 490 bytes and again waits for two select syscalls to 
> time out.
> Then again and finally returns with the "Cannot contact any KDC for 
> requested realm" complaint.
>
> strace was invoked like this:
> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>
> What strikes me is the invocation of the select syscall. According to 
> the select specification the first parameter of the syscall is the 
> number of monitored file descriptors + 1. The select calls as used here 
> only monitor 2 file descriptors (better: one filedescriptor is monitored 
> twice). The number of file descriptors is set to 5. I do not know how 
> select behaves when invoked like that and it seems not to be specified.

I believe the call to select() is correct.  The first parameter should
be an integer that is one greater than the number of the
highest-numbered file descriptor, i.e., the highest-numbered file
descriptor that select() should look at here is file descriptor #4,
which means that select(5, ....) is correct.

What is probably happening is that the UDP reply packet from the KDC's
kpasswd service is not reaching you, which could be caused by a
firewall or other factors related to network topology.  Can you get a
packet trace on UDP port 464, both on the client's network and on the
KDC's network?

> The (slightly sanitized) output of strace starting from the socket 
> request for connecting to the KDC:
>
> 8006  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
> 8006  connect(4, {sa_family=AF_INET, sin_port=htons(464), 
> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
> 8006  getsockname(4, {sa_family=AF_INET, sin_port=htons(35498), 
> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006  gettimeofday({1252498115, 459404}, NULL) = 0
> 8006  gettimeofday({1252498115, 459444}, NULL) = 0
> 8006  select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
> 8006  gettimeofday({1252498116, 457725}, NULL) = 0
> 8006  gettimeofday({1252498116, 457765}, NULL) = 0
> 8006  select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006  gettimeofday({1252498118, 462172}, NULL) = 0
> 8006  gettimeofday({1252498118, 462214}, NULL) = 0
> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006  gettimeofday({1252498119, 461724}, NULL) = 0
> 8006  gettimeofday({1252498119, 461763}, NULL) = 0
> 8006  select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006  gettimeofday({1252498123, 466171}, NULL) = 0
> 8006  gettimeofday({1252498123, 466213}, NULL) = 0
> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006  gettimeofday({1252498124, 465728}, NULL) = 0
> 8006  gettimeofday({1252498124, 465767}, NULL) = 0
> 8006  select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
> 8006  close(4)                          = 0
> 8006  write(2, "kpasswd", 7)            = 7
> 8006  write(2, ": ", 2)                 = 2
> 8006  write(2, "Cannot contact any KDC for requested realm", 42) = 42
> 8006  write(2, " ", 1)                  = 1
> 8006  write(2, "changing password", 17) = 17
> 8006  write(2, "\r\n", 2)               = 2
> 8006  exit_group(1)                     = ?
>
> End of strace output.
>
>
> I hope all this is helpful for finding the cause of the "Cannot contact 
> ..." error.
>
> cheers
>
> Jan Sanders
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
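Added example, not part of the thread and not MIT Kerberos code: a small C program that reproduces the two things under discussion. It shows that watching only descriptor 4 yields `select(5, ...)`, and it replays the observed exchange on the loopback interface, once with a stand-in "KDC" that answers and once with one that consumes the request but never replies, so the same `select()` call either sees the datagram or times out. Everything here is constructed: the fake KDC listens on an ephemeral loopback port rather than 464 (which needs privilege), the request and reply bytes are placeholder strings, and the timeout schedule is read off the select() timeouts in the quoted strace.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* select()'s first argument is the highest descriptor to examine plus one,
 * so watching only descriptor 4 gives nfds == 5, exactly as in the trace. */
int select_nfds(int fd) { return fd + 1; }

/* The select() timeouts in the quoted strace, in seconds: ~1 s then ~2 s,
 * resend, ~1 s then ~4 s, resend, ~1 s then ~8 s (constructed from the trace). */
static const int trace_timeouts_s[] = {1, 2, 1, 4, 1, 8};

/* Total time kpasswd spends waiting before giving up on the KDC reply. */
int total_wait_seconds(void) {
    int total = 0;
    for (size_t i = 0; i < sizeof trace_timeouts_s / sizeof trace_timeouts_s[0]; i++)
        total += trace_timeouts_s[i];
    return total;
}

/* Wait up to timeout_ms for a datagram (or exceptional condition) on fd,
 * with the same read/except sets the strace shows.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
int wait_for_reply(int fd, int timeout_ms) {
    fd_set rfds, efds;
    struct timeval tv;
    FD_ZERO(&rfds);
    FD_ZERO(&efds);
    FD_SET(fd, &rfds);
    FD_SET(fd, &efds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int rc = select(select_nfds(fd), &rfds, NULL, &efds, &tv);
    if (rc < 0) return -1;
    return rc > 0 ? 1 : 0;
}

/* Open a UDP socket bound to an ephemeral loopback port and record its
 * address in *addr. Stand-in for a KDC listening on UDP 464. */
static int bind_loopback(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;
    if (bind(fd, (struct sockaddr *)addr, sizeof *addr) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *addr;
    if (getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Simulate one kpasswd round trip on loopback. The fake KDC always reads the
 * request (the change is applied server-side either way); if kdc_replies is 0
 * it never answers, reproducing the "reply never arrives" case.
 * Returns wait_for_reply()'s result on the client side. */
int simulate_exchange(int kdc_replies, int timeout_ms) {
    struct sockaddr_in kdc_addr, cli_addr, from;
    socklen_t flen = sizeof from;
    char buf[512];
    int result = -1;
    int kdc = bind_loopback(&kdc_addr);
    if (kdc < 0) return -1;
    int cli = bind_loopback(&cli_addr);
    if (cli < 0) { close(kdc); return -1; }

    /* constructed stand-in for the 490-byte change-password request */
    const char request[] = "constructed change-password request";
    if (sendto(cli, request, sizeof request, 0,
               (struct sockaddr *)&kdc_addr, sizeof kdc_addr) < 0) goto out;
    if (recvfrom(kdc, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen) < 0) goto out;
    if (kdc_replies) {
        const char reply[] = "constructed KDC reply";
        if (sendto(kdc, reply, sizeof reply, 0, (struct sockaddr *)&from, flen) < 0) goto out;
    }
    result = wait_for_reply(cli, timeout_ms);
out:
    close(kdc);
    close(cli);
    return result;
}

int main(void) {
    printf("nfds when watching fd 4: %d\n", select_nfds(4));
    printf("total wait before giving up: %d s\n", total_wait_seconds());
    printf("KDC replies, select() result: %d\n", simulate_exchange(1, 1000));
    printf("reply dropped, select() result: %d\n", simulate_exchange(0, 300));
    return 0;
}
```

The dropped-reply run is the situation in the trace: the request reached the KDC and was acted on, so the password changed, while the client's `select()` never became readable and kpasswd eventually reported the KDC as unreachable. The sum of the trace's timeouts (about 17 s) is also the "couple of seconds" the user waited.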
