[krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf
Public Submitter via RT
rt-comment at krbdev.mit.edu
Thu Jan 18 07:15:41 EST 2007
[jaltman - Thu Jan 18 06:47:52 2007]:
> The SOCK_STREAM parameter to krb5int_locate_server does not
> determine what type of connection is used to connect the kpasswd
> service. The SOCK_STREAM parameter is specified so that the lookup
> of the DNS SRV record for the kadmin service will be performed
> using '_tcp' as the kadmin service is a TCP only service.
>
> Changing SOCK_STREAM to 'sockType' will cause the DNS SRV query to
> use '_udp' which should always fail.
>
> This parameter is not used when searching the krb5.conf file.
Well, it is used. Here is how it is called:

  changepw.c:krb5_locate_kpasswd
  => locate_kdc.c:krb5int_locate_server(..., socktype stream, ...)
  => locate_kdc.c:prof_locate_server(..., socktype stream, ...)
  => locate_kdc.c:krb5_locate_srv_conf_1(..., socktype stream, ...)
  => locate_kdc.c:[krb5int_]add_host_to_list(..., socktype stream, ...)
     {
         hint.ai_socktype = socktype;
     }

I can say: when I specify only kdc and admin_server in krb5.conf (no
DNS), this code tries to open a TCP connection to the kpasswd service
port 464. But kadmind does not open such a port. It has only a UDP port
open.
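
Added example, not part of the original message and not MIT krb5 code: a small C program showing what the `hint.ai_socktype = socktype` assignment in the trace above does to a `getaddrinfo` result, namely that the hint restricts the returned address list to that one transport. The function name `transports_offered`, the `OFFERS_*` constants and the loopback address are assumptions made for the illustration; only port 464 comes from the message.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define OFFERS_TCP 1
#define OFFERS_UDP 2

/* Hypothetical helper: resolve a numeric host and port with the given
 * socket-type hint and report which transports appear in the resulting
 * address list. Returns a bitmask of OFFERS_*, or -1 on error. */
int transports_offered(const char *host, const char *port, int socktype)
{
    struct addrinfo hint, *res, *ai;
    int mask = 0;

    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_flags = AI_NUMERICHOST;   /* no DNS lookup, runs offline */
    hint.ai_socktype = socktype;      /* same assignment as in the trace; 0 = any */

    if (getaddrinfo(host, port, &hint, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_socktype == SOCK_STREAM) mask |= OFFERS_TCP;
        if (ai->ai_socktype == SOCK_DGRAM)  mask |= OFFERS_UDP;
    }
    freeaddrinfo(res);
    return mask;
}

int main(void)
{
    /* Constructed sample input: loopback address, kpasswd port 464. */
    const char *host = "127.0.0.1", *port = "464";

    printf("hint SOCK_STREAM -> mask %d\n", transports_offered(host, port, SOCK_STREAM));
    printf("hint SOCK_DGRAM  -> mask %d\n", transports_offered(host, port, SOCK_DGRAM));
    printf("hint 0 (any)     -> mask %d\n", transports_offered(host, port, 0));
    return 0;
}
```

A caller that walks a list built with the `SOCK_STREAM` hint has only TCP entries to try, so a service listening on UDP alone is never contacted.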