[krbdev.mit.edu #3237] Kerberos does not work inside Linux vservers

Christophe Nowicki via RT rt-comment at krbdev.mit.edu
Sat Jun 24 18:16:47 EDT 2006


Hi Ken,

> I'm sorry about the delay in getting back to you -- I accidentally sent
> my reply to the email address for filing the response with the bug
> report but *not* sending a copy back to the original reporter of the
> problem, and didn't notice for quite some time....
No problem.

>> > Here is the output :
>>
>> Thanks!  That output looks good.  Well, maybe... did you run it in
>> the same vserver environment that the KDC would run in?
Yes,
>> I'm guessing
>> that, in that case, we would only want to return one address.  It
>> sort of depends -- does the vserver environment hide the other
>> addresses, or just not permit you access to them?
The vserver does not hide the other interfaces :
#/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:95:25:DB:0C
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48066286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51623403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:196681514 (187.5 MiB)  TX bytes:471795406 (449.9 MiB)
          Interrupt:177 Base address:0xc00

eth0:cact Link encap:Ethernet  HWaddr 00:11:95:25:DB:0C
          inet addr:192.168.42.21  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0xc00

eth0:cfg  Link encap:Ethernet  HWaddr 00:11:95:25:DB:0C
          inet addr:192.168.42.15  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0xc00

eth0:dist Link encap:Ethernet  HWaddr 00:11:95:25:DB:0C
          inet addr:192.168.42.62  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0xc00
...
But you can't bind on other interfaces.
If your process is running in vserver 'a' you can see the interface of vserver
'b' but you can bind on b:88 (you can only bind on a:88).

The strange thing about the KDC is that it tries to bind only on the first
interface and fails to set up the network:

Jun 25 00:13:20 kdc krb5kdc[4311]: Cannot assign requested address -
Cannot bind server socket to port 88 address 192.168.42.1
Jun 25 00:13:20 kdc krb5kdc[4311]: set up 0 sockets
Jun 25 00:13:20 kdc krb5kdc[4311]: no sockets set up?


>>
>> If you run the 1.4.2 KDC in the vserver environment, does it bind to
>> the correct addresses?
I've upgraded to KDC version 1.4.3.

Best Regards,
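
The failure described in this message, as an added example that is not part of the original e-mail or of the krb5 source: a C probe that tries a UDP bind on each address from the ifconfig listing and treats EADDRNOTAVAIL (the "Cannot assign requested address" in the log) as a per-address skip rather than a reason to stop. The function names and the use of port 0 are assumptions of this example.

```c
/* Added example, not krb5 source; all names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe { PROBE_BOUND, PROBE_SKIPPED, PROBE_ERROR };

/* Policy: EADDRNOTAVAIL means visible but not assignable here: skip it. */
static enum probe classify_bind_errno(int err)
{
    return err == 0 ? PROBE_BOUND :
           err == EADDRNOTAVAIL ? PROBE_SKIPPED : PROBE_ERROR;
}

/* Try to bind a UDP socket to addr:port, then close it again. */
static enum probe probe_bind(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd, err = 0;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) return PROBE_ERROR;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return PROBE_ERROR;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) err = errno;
    close(fd);
    return classify_bind_errno(err);
}

/* Probe every address, report each result, return how many bound. */
static int count_bindable(const char **addrs, int n, unsigned short port)
{
    int i, bound = 0;
    for (i = 0; i < n; i++) {
        enum probe r = probe_bind(addrs[i], port);
        printf("%s:%u %s\n", addrs[i], (unsigned)port,
               r == PROBE_BOUND ? "bound" :
               r == PROBE_SKIPPED ? "skipped (EADDRNOTAVAIL)" : "error");
        bound += (r == PROBE_BOUND);
    }
    return bound;
}

int main(void)
{   /* Addresses from the ifconfig listing; port 0 runs unprivileged
     * (use 88 as root inside the guest to mirror the KDC listener). */
    const char *addrs[] = { "192.168.42.1", "192.168.42.21",
                            "192.168.42.15", "192.168.42.62" };
    return count_bindable(addrs, 4, 0) > 0 ? 0 : 1;
}
```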




