bug report: "too many SRV records" becomes "no SRV records"
Will Fiveash
will.fiveash at oracle.com
Thu Jun 10 18:02:15 EDT 2010
On Thu, Jun 10, 2010 at 04:49:23PM -0400, Richard Silverman wrote:
> On Thu, 10 Jun 2010, Tom Yu wrote:
>
> > "Richard E. Silverman" <res at qoxp.net> writes:
> >
> >> In 1.8.1, there is the following code in src/lib/krb5/os/dnsglue.c:
> >>
> >> krb5int_dns_init(struct krb5int_dns_state **dsp,
> >> char *host, int nclass, int ntype)
> >> {
> >> ...
> >> nextincr = 2048;
> >> maxincr = INT_MAX;
> >> ...
> >>
> >> One day, due to an error, the number of KDC SRV records for one of our
> >> realms doubled from 27 to 54... and KDC lookups via DNS promptly broke.  I
> >> bumped up the nextincr value above, and it started working again.
> >> Probably not the right fix, but just letting you know that there's a bug
> >> here.
> >
> > What platform/OS is this on? A "too-large" response should result in
> > res_nsearch() returning the actual size. If it's returning -1
> > instead, I can see it causing trouble. Are you willing to run stuff
> > under a debugger to see what res_nsearch() actually returns there?
>
> Sure; I'll do that as soon as I get a chance. Thanks.

Since you're using Solaris, look at using truss to see return codes of
user space functions and syscalls. I've included a script which I call
truss_krb (which you may want to edit) to make this easier. For
debugging MIT binaries I do something like:

    truss_krb -mit -o /tmp/krb-truss.out /usr/local/bin/kinit

For Solaris krb stuff I do:

    truss_krb -o /tmp/krb-truss.out /usr/bin/kinit

etc...

--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
#!/bin/ksh -p
# Default: Solaris libs
libs='libdb2,db2,libkadm5clnt,libkadm5srv,libkdb5,libkdb,libgss,mech_krb5'
libs=$libs',libnsl'
# LDAP plugin
libs=$libs',libldap,kldap,libkdb_ldap'
# NSS/SSL/SASL for ldap binds
libs=$libs',libnspr4,libnss3,libsoftokn3,libsasl,libsecdb'
# PKINIT
libs=$libs',pkinit'
# crypto, note libcrypto is openssl
libs=$libs',libpkcs11,pkcs11_kernel,libcryptoutil,libcrypto'
# main binary
libs=$libs',a.out'

me=${0##*/}

if [[ $# -lt 2 || $1 == -[h?] ]]
then
    cat >&2 <<-EOF
Usage: $me [-mit] [truss flags] <command or -p PID>
-mit: does a truss on MIT krb libs
By default does:
truss -fea -t 'access,stat,open' -u ${libs}:: "\$@"
for Solaris gss/krb/pkcs11 libs.
EOF
    exit 1
fi

if [[ "$1" == '-mit' ]]
then
    # MIT libs
    libs='libdb2,db2,libkadm5clnt,libkadm5srv,libkdb5,libgssrpc,libgssapi_krb5'
    libs=$libs',libkrb5,libk5crypto,libkrb5support,a.out'
    #libs=$libs',kldap,libkdb_ldap,libldap,libnsl,libsasl'
    #libs="$libs,kldap,libkdb_ldap,libldap,libnsl,libsasl"
    #libs="$libs,a.out"
    #libs="libldap,libkdb5,kldap,libkdb_ldap,a.out"
    #libs="libkdb5,kldap,libkdb_ldap,a.out"
    shift
fi

exec /usr/bin/truss -fea -t 'access,stat,open' -u ${libs}:: "$@"
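
Added example, not part of the original message and not the MIT krb5 code: a grow-and-retry buffer loop run against two stand-in resolvers, one that returns the full reply size when the buffer is too small (the behaviour the thread expects of res_nsearch()) and one that returns -1 instead (the behaviour the thread suspects). The names resolver_fn, reports_size, fails_when_short, lookup and retry_on_error, the 3000-byte reply and the 65536 cap are all assumptions; 2048 is the nextincr value quoted above, used here as the starting buffer size.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FULL_REPLY 3000   /* constructed reply size, larger than 2048 */
/* Hypothetical stand-in for a resolver call such as res_nsearch(). */
typedef int (*resolver_fn)(unsigned char *ans, int anslen);
/* Behaviour the thread expects: copy what fits, return the full size. */
static int reports_size(unsigned char *ans, int anslen)
{
    memset(ans, 0xAB, anslen < FULL_REPLY ? anslen : FULL_REPLY);
    return FULL_REPLY;
}

/* Behaviour the thread suspects: -1 when the reply does not fit. */
static int fails_when_short(unsigned char *ans, int anslen)
{
    return anslen < FULL_REPLY ? -1 : reports_size(ans, anslen);
}

/* Grow-and-retry. Returns the reply length with *out malloc'd, or -1.
 * With retry_on_error set, a -1 also grows the buffer (up to maxsize),
 * so an oversized reply is not reported as "no records". */
static int lookup(resolver_fn q, int retry_on_error, int maxsize,
                  unsigned char **out)
{
    int size = 2048, len, next;   /* 2048: assumed starting size */
    unsigned char *buf = NULL, *p;
    while ((p = realloc(buf, size)) != NULL) {
        buf = p;
        len = q(buf, size);
        if (len >= 0 && len <= size) { *out = buf; return len; }
        if (len < 0 && !retry_on_error) break;
        next = len > size ? len : (size > INT_MAX / 2 ? INT_MAX : size * 2);
        if (next > maxsize) next = maxsize;
        if (next <= size) break;   /* cap reached: give up */
        size = next;
    }
    free(buf); *out = NULL;
    return -1;
}

int main(void)
{
    unsigned char *out;
    printf("no retry: %d\n", lookup(fails_when_short, 0, 65536, &out));
    printf("retry:    %d\n", lookup(fails_when_short, 1, 65536, &out));
    free(out);
    return 0;
}
```

A caller that treats the first -1 as final cannot tell "reply too large" from "no records", which is why the actual return value seen in the debugger or truss output matters.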