kpasswd changes password successfully but also complains about kdc not reachable

Carlos André candrecn at gmail.com
Thu Sep 10 08:16:40 EDT 2009


Jan Sanders,

Probably u have a firewall problem like Tom said :)
Trace UDP/464 return from server to client... non-stateful firewalls,
ACL on switches, etc...

On Wed, Sep 9, 2009 at 10:48 AM, Tom Yu <tlyu at mit.edu> wrote:
> Jan Sanders <jsanders at TechFak.Uni-Bielefeld.DE> writes:
>
>> Hello List,
>>
>> on my client machine I can get kerberos tickets for my principal using
>> the correct principalname-password combination. I can also use kadmin on
>> the client machine providing the correct principalname-password
>> combination for an admin principal. Changing the password for a
>> principal is no problem using kadmin.
>> But then I try to use kpasswd on the client machine. I provide kpasswd
>> with the correct principalname-password combination and twice state
>> what the new password should be and then I wait for a couple of seconds
>> before kpasswd returns.
>> On returning it complains: Cannot contact any KDC for requested realm
>> But it also changed the password. After invoking kpasswd and observing
>> the above stated behaviour I have to provide the new password to obtain
>> a ticket.
>> Even though kpasswd works as advertised (changes the password) it will
>> cause some trouble telling users that the error message can safely be
>> ignored (if it can!!).
>>
>> Using strace I could see some timeouts of select syscalls.
>> kpasswd obtained a file descriptor for an IP connection, connects to the
>> KDC and successfully sends 490 bytes of data.
>> Then kpasswd uses the select syscall to monitor the filedescriptor which
>> times out twice.
>> kpasswd resends the 490 bytes and again waits for two select syscalls to
>> time out.
>> Then again and finally returns with the "Cannot contact any KDC for
>> requested realm" complaint.
>>
>> strace was invoked like this:
>> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>>
>> What strikes me is the invocation of the select syscall. According to
>> the select specification the first parameter of the syscall is the
>> number of monitored file descriptors + 1. The select calls as used here
>> only monitor 2 file descriptors (better: one filedescriptor is monitored
>> twice). The number of file descriptors is set to 5. I do not know how
>> select behaves when invoked like that and it seems not to be specified.
>
> I believe the call to select() is correct.  The first parameter should
> be an integer that is one greater than the number of the
> highest-numbered file descriptor, i.e., the highest-numbered file
> descriptor that select() should look at here is file descriptor #4,
> which means that select(5, ....) is correct.
>
> What is probably happening is that the UDP reply packet from the KDC's
> kpasswd service is not reaching you, which could be caused by a
> firewall or other factors related to network topology.  Can you get a
> packet trace on UDP port 464, both on the client's network and on the
> KDC's network?
>
>> The (slightly sanitized) output of strace starting from the socket
>> request for connecting to the KDC:
>>
>> 8006  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
>> 8006  connect(4, {sa_family=AF_INET, sin_port=htons(464),
>> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
>> 8006  getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
>> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498115, 459404}, NULL) = 0
>> 8006  gettimeofday({1252498115, 459444}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
>> 8006  gettimeofday({1252498116, 457725}, NULL) = 0
>> 8006  gettimeofday({1252498116, 457765}, NULL) = 0
>> 8006  select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498118, 462172}, NULL) = 0
>> 8006  gettimeofday({1252498118, 462214}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006  gettimeofday({1252498119, 461724}, NULL) = 0
>> 8006  gettimeofday({1252498119, 461763}, NULL) = 0
>> 8006  select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498123, 466171}, NULL) = 0
>> 8006  gettimeofday({1252498123, 466213}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006  gettimeofday({1252498124, 465728}, NULL) = 0
>> 8006  gettimeofday({1252498124, 465767}, NULL) = 0
>> 8006  select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
>> 8006  close(4)                          = 0
>> 8006  write(2, "kpasswd", 7)            = 7
>> 8006  write(2, ": ", 2)                 = 2
>> 8006  write(2, "Cannot contact any KDC for requested realm", 42) = 42
>> 8006  write(2, " ", 1)                  = 1
>> 8006  write(2, "changing password", 17) = 17
>> 8006  write(2, "\r\n", 2)               = 2
>> 8006  exit_group(1)                     = ?
>>
>> End of strace output.
>>
>>
>> I hope all this is helpful for finding the cause of the "Cannot contact
>> ..." error.
>>
>> cheers
>>
>> Jan Sanders
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
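The strace excerpt above is the evidence the whole thread turns on: three send() calls of 490 bytes, six select() timeouts with a doubling back-off, and a close() without a single recv(). The following is an added example, not code from the thread, from MIT Kerberos or from any poster. It parses strace's default output for the socket/connect/send/select/recv/close calls, then reports per UDP socket how many times the request was retransmitted, how long the client waited, whether a reply ever arrived, and whether select()'s first argument is consistent with the descriptors being watched (Tom's point that nfds is the highest fd plus one, not a count). The first sample trace is constructed from Jan's posted lines with the wrapped connect() rejoined onto one line as strace prints it; the second is a constructed healthy trace with a reply, added for contrast.

```python
"""Summarize a kpasswd UDP exchange from strace output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Well-known Kerberos UDP ports, used only to label the verdict.
KNOWN_PORTS = {88: "kerberos", 464: "kpasswd"}

RE_SOCKET = re.compile(r"\bsocket\((\w+), ([\w|]+), \w+\)\s*= (\d+)")
RE_CONNECT = re.compile(r"\bconnect\((\d+), \{.*?sin_port=htons\((\d+)\).*?\}, \d+\)\s*= (-?\d+)")
RE_SEND = re.compile(r"\bsend(?:to)?\((\d+), .*?, (\d+), [^)]*\)\s*= (-?\d+)")
RE_SELECT = re.compile(
    r"\bselect\((\d+), \[([\d ]*)\], \[([\d ]*)\], \[([\d ]*)\], "
    r"\{(?:tv_sec=)?(\d+), (?:tv_usec=)?(\d+)\}\)\s*= (-?\d+)"
)
RE_RECV = re.compile(r"\brecv(?:from)?\((\d+), .*\)\s*= (-?\d+)")
RE_CLOSE = re.compile(r"\bclose\((\d+)\)\s*= ")

# Constructed sample 1: the lines Jan posted (payload snipped, addresses
# sanitized by him), with the connect() call back on a single line.
SAMPLE_BLOCKED = """\
8006  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
8006  connect(4, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
8006  select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006  select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006  select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
8006  close(4)                          = 0
"""

# Constructed sample 2: what a working exchange looks like (reply arrives).
SAMPLE_HEALTHY = """\
8007  socket(PF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
8007  connect(3, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
8007  send(3, "[snipped 490 bytes]"..., 490, 0) = 490
8007  select(4, [3], [], [3], {0, 999999}) = 1 (in [3], left {0, 912345})
8007  recvfrom(3, "[snipped 132 bytes]"..., 65536, 0, NULL, NULL) = 132
8007  close(3)                          = 0
"""


@dataclass
class UdpExchange:
    fd: int
    port: int | None = None
    sends: list[int] = field(default_factory=list)  # bytes per transmission
    timeouts: int = 0                               # select() calls that returned 0
    waited: float = 0.0                             # seconds spent in those timeouts
    replies: int = 0                                # recv calls that returned data
    nfds_problems: list[str] = field(default_factory=list)


def analyze_strace(text: str) -> dict[int, UdpExchange]:
    """Return one UdpExchange per datagram socket seen in the trace (fd reuse not tracked)."""
    live: dict[int, UdpExchange] = {}
    done: dict[int, UdpExchange] = {}
    for line in text.splitlines():
        if m := RE_SOCKET.search(line):
            if "SOCK_DGRAM" in m.group(2):
                live[int(m.group(3))] = UdpExchange(int(m.group(3)))
        elif m := RE_CONNECT.search(line):
            fd = int(m.group(1))
            if fd in live and int(m.group(3)) == 0:
                live[fd].port = int(m.group(2))
        elif m := RE_SEND.search(line):
            fd, ret = int(m.group(1)), int(m.group(3))
            if fd in live and ret > 0:
                live[fd].sends.append(ret)
        elif m := RE_SELECT.search(line):
            nfds = int(m.group(1))
            watched = {int(x) for grp in m.group(2, 3, 4) for x in grp.split()}
            secs = int(m.group(5)) + int(m.group(6)) / 1e6
            timed_out = int(m.group(7)) == 0
            for fd in sorted(watched & set(live)):
                # POSIX: nfds must exceed the highest-numbered watched descriptor.
                if nfds <= max(watched):
                    live[fd].nfds_problems.append(f"nfds={nfds} but fd {max(watched)} is watched")
                if timed_out:
                    live[fd].timeouts += 1
                    live[fd].waited += secs
        elif m := RE_RECV.search(line):
            fd, ret = int(m.group(1)), int(m.group(2))
            if fd in live and ret > 0:
                live[fd].replies += 1
        elif m := RE_CLOSE.search(line):
            fd = int(m.group(1))
            if fd in live:
                done[fd] = live.pop(fd)
    done.update(live)  # sockets still open when the trace ended
    return done


def diagnose(ex: UdpExchange) -> str:
    """One-line verdict in the terms the thread argues about."""
    head = f"fd {ex.fd} -> UDP/{ex.port} ({KNOWN_PORTS.get(ex.port, 'unknown')}): "
    if ex.nfds_problems:
        return head + "select() misuse: " + "; ".join(ex.nfds_problems)
    if not ex.sends:
        return head + "nothing sent"
    if ex.replies:
        return head + f"{len(ex.sends)} transmission(s), reply received"
    return (head + f"{len(ex.sends)} transmission(s) of {ex.sends[0]} bytes, "
            f"{ex.timeouts} select() timeout(s) totalling {ex.waited:.1f} s, no reply: "
            "the request leaves the client, so check the return path for this port")


if __name__ == "__main__":
    for sample in (SAMPLE_BLOCKED, SAMPLE_HEALTHY):
        for ex in analyze_strace(sample).values():
            print(diagnose(ex))
```

Run against Jan's trace the verdict is three transmissions, six timeouts totalling about 17 seconds and no reply, with no select() complaint; that is exactly the "request gets out, answer never comes back" shape that points at a firewall or ACL on the KDC-to-client direction of UDP/464 rather than at kpasswd. It also shows why the password change still succeeds: the KDC only needs one of the three identical requests to arrive, and only the acknowledgement is lost.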
