[krbdev.mit.edu #3237] Kerberos does not work inside Linux vservers
Christophe Nowicki via RT
rt-comment at krbdev.mit.edu
Wed Nov 16 17:07:00 EST 2005
On Tue, Nov 15, 2005 at 09:08:20PM -0500, Ken Raeburn via RT wrote:
> > I'm trying to make Kerberos work inside a Linux Vserver
> > (http://linux-vserver.org/). I am using Debian's version 1.3.6-5 of
> > Kerberos.
>
> I have no idea how the vserver code alters the environment that would
> affect the Kerberos code's ability to see the local addresses it's
> allowed to use. Would you mind fetching and building 1.4.2 (or the
> 1.4.3 beta) from our web site (web.mit.edu/kerberos) and seeing if it
> has the same problem?
I've built version 1.4.2.
> Once you've built and installed it, you can also
> go into src/lib/krb5/os in your build tree and run "make t_localaddr"
> and "./t_localaddr";
Here is the output:
kdc:~/krb5-1.4.2/src/lib/krb5/os# ./t_localaddr
--> family 17 <getnameinfo error -6: ai_family not supported>
--> family 2 addr 192.168.42.1
--> family 2 addr 192.168.42.21
--> family 2 addr 192.168.42.15
--> family 2 addr 192.168.42.62
--> family 2 addr 192.168.42.27
--> family 2 addr 192.168.42.18
--> family 2 addr 192.168.42.13
--> family 2 addr 192.168.42.22
--> family 2 addr 192.168.42.17
--> family 2 addr 192.168.42.14
--> family 2 addr 192.168.42.6
return value = 0
The first interface (--> family 17 <getnameinfo error -6: ai_family not supported>)
seems to be the loopback interface.
> that'll print some debug information while trying
> to look up the addresses on the network interfaces. (Depending on the
> version of Linux, glibc, etc., it either uses a C library call that's
> supposed to get them, or uses a bunch of fairly standard ioctl calls
> that usually do the right thing, but maybe that bit needs tweaking for
> vserver support.)
>
>
> > I suggest to allow users to bind krb5kdc server on a specific
> > interface with the addresses directive in the kdcdefaults section of
> > the kdc.conf file, like that:
>
> That might be a good idea, but we still need to solve the problem above.
If you need more help/information, just ask.
Best Regards,
>
--
Nowicki Christophe
EPITECH Promo 2006
http://people.easter-eggs.org/~cnowicki/
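
For reading the t_localaddr output above, an added example (not part of the original message and not MIT krb5 code) that walks getifaddrs() and formats each entry with getnameinfo(), so link-layer entries show up the same way as the "family 17" line. On Linux, address family 17 is AF_PACKET and getnameinfo error -6 is EAI_FAMILY. Assumptions: getifaddrs() is taken to be the C library call mentioned in the quoted reply, and format_addr and list_local_addrs are names chosen for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* expose getifaddrs()/getnameinfo() declarations */
#endif
#include <ifaddrs.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format one address numerically. Returns 0 and fills buf for AF_INET and
 * AF_INET6; otherwise returns the getnameinfo() error, which is EAI_FAMILY
 * for link-layer (AF_PACKET) entries. */
static int format_addr(const struct sockaddr *sa, char *buf, size_t len)
{
    socklen_t salen = sizeof(struct sockaddr);
    if (sa->sa_family == AF_INET)  salen = sizeof(struct sockaddr_in);
    if (sa->sa_family == AF_INET6) salen = sizeof(struct sockaddr_in6);
    return getnameinfo(sa, salen, buf, (socklen_t)len, NULL, 0, NI_NUMERICHOST);
}

/* Walk getifaddrs() and print every entry. Returns the number of IPv4/IPv6
 * addresses a daemon could bind to, or -1 if enumeration itself failed. */
static int list_local_addrs(void)
{
    struct ifaddrs *head, *ifa;
    char buf[INET6_ADDRSTRLEN + 32];   /* room for an IPv6 %scope suffix */
    int usable = 0;

    if (getifaddrs(&head) != 0)
        return -1;
    for (ifa = head; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL)     /* interface without an address */
            continue;
        int fam = ifa->ifa_addr->sa_family;
        int err = format_addr(ifa->ifa_addr, buf, sizeof(buf));
        if (err == 0) {
            printf("%-8s family %d addr %s\n", ifa->ifa_name, fam, buf);
            usable++;
        } else {
            printf("%-8s family %d <skipped: %s>\n", ifa->ifa_name, fam,
                   gai_strerror(err));
        }
    }
    freeifaddrs(head);
    return usable;
}

int main(void) { return list_local_addrs() < 0; }
```

Printing the interface name next to each entry shows which interface a non-IP entry belongs to, which the family number alone does not.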