kpasswd over firewall ans TCP
Meike Stone
meike.stone at googlemail.com
Wed May 6 12:35:13 EDT 2015
2015-05-06 17:01 GMT+02:00 Greg Hudson <ghudson at mit.edu>:
> On 05/06/2015 10:45 AM, Meike Stone wrote:
>> I like to use kpasswd, but the kpasswd_server is behind a firewall and
>> only TCP port 464 is allowed.
>> But as i see, kpasswd only uses UDP. Setting udp_preference_limit to 0
>> (under libdefaults)
>> didn't help.
>
> The intent of the changepw.c code is to try both UDP and TCP first
> (typically beginning with a UDP query, but udp_preference_limit could
> cause a TCP query to be tried first), and then retry with only TCP if it
> gets back a KRB5KRB_ERR_RESPONSE_TOO_BIG error.
>
> As far as I know this code functions as intended. Can you describe in
> more detail what leads you to believe that it is only trying UDP? Also,
> what version are you using on the client, and what is running on the
> kpasswd server?
The Client is KfW 4.0.1 32bit. The kpasswd Server is AD W2k8, udp and
tcp (port 464) on the Server are open.
On the firewall is a proxy firewall with a rule for port TCP 464.
If I start kpasswd, I get at first a few port 88 (preauth) the I only
see a UDP package port 464, no tries for TCP:
18:31:39.696660 IP (tos 0x0, ttl 128, id 31724, offset 0, flags [+],
proto UDP (17), length 1500) 192.168.1.217.4350 > 192.168.1.20.464:
UDP, length 1550
18:31:39.696737 IP (tos 0xc0, ttl 64, id 12852, offset 0, flags
[none], proto ICMP (1), length 576) 192.168.1.20 > 192.168.1.217: ICMP
192.168.1.20 udp port 464 unreachable, length 556
(client 192.168.1.217 / proxy firewall: 92.168.1.20)
Error message is:
"kpasswd: Cannot contact any KDC for requested realm changing password"
In the Sourcecode (kfw-4.0.1-src.zip) , it looks like it is hard coded
(as above) and following lines:
" if (code) {
/*
* Here we may want to switch to TCP on some errors.
* right?
*/
break;
}
"
Thanks Meike
More information about the Kerberos
mailing list