[krbdev.mit.edu #5393] krb5-1.6: tcp kpasswd service required if only admin_server is specified in krb5.conf

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Thu Jan 18 09:39:11 EST 2007


Public Submitter via RT wrote:

> Btw: If this call with static SOCK_STREAM is correct, why is call 
> three lines above 
> 
>  code = krb5int_locate_server (context, realm, addrlist,
>                                locate_service_kpasswd, sockType, 0);
> 
> with sockType correct? 

This is correct because kpasswd is a service that exists for both
UDP and TCP.   kadmind is only TCP.

Therefore, when the search occurs, you want to check krb5.conf first
and if there is no matching entry perform a DNS SRV record search for
the service type that you are looking for.   For kpasswd you want to
search for  _kpasswd._udp.REALM or _kpasswd._tcp.REALM depending on
the type of connection the caller wants to make.

The search for kadmin is there as a backup in case the kpasswd
entries were not created.  There will only ever be a _kadmin._tcp.REALM
record so we must always search for SOCK_STREAM.   That is why fixing
up the ai records after the lookup is the correct fix.

Since you have verified that ai_socktype is being set to the requested
value, I do not understand how src/krb5/lib/krb5/os/sendto_kdc.c
setup_connection() and start_connection() can be creating the wrong type
of connection.

Perhaps you can debug that further.
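The lookup order described in the reply, as an added illustrative model rather than MIT krb5's own code: krb5.conf first, then a DNS SRV query for the protocol the caller wants, then the TCP-only kadmin fallback whose records are fixed up to the requested socket type afterwards. The krb5.conf entries, the SRV answers and the use of port 464 for kpasswd are constructed assumptions, not taken from the ticket.

```python
import socket

UDP, TCP = socket.SOCK_DGRAM, socket.SOCK_STREAM
KPASSWD_PORT = 464  # well-known kpasswd port; assumed here, the ticket does not name it

# Constructed stand-ins for krb5.conf [realms] entries and DNS SRV answers.
KRB5_CONF_REALMS = {
    "EXAMPLE.COM": {"admin_server": ["kadmin.example.com:749"]},  # admin_server only
}
SRV_RECORDS = {
    "_kpasswd._udp.OTHER.ORG": [("kpasswd.other.org", 464)],
    "_kadmin._tcp.THIRD.NET": [("kadmin.third.net", 749)],  # no _kpasswd records
}
# krb5.conf key and SRV service label for each service type.
SERVICES = {"kpasswd": ("kpasswd_server", "_kpasswd"),
            "kadmin": ("admin_server", "_kadmin")}


def locate_server(service, realm, socktype):
    """krb5.conf first; only if it has no entry, a DNS SRV query for the
    protocol matching socktype.  Returns addrinfo-like (host, port, socktype)."""
    conf_key, srv_label = SERVICES[service]
    conf_hosts = KRB5_CONF_REALMS.get(realm, {}).get(conf_key)
    if conf_hosts:
        parsed = (h.partition(":") for h in conf_hosts)
        return [(host, int(port), socktype) for host, _, port in parsed]
    proto = "udp" if socktype == UDP else "tcp"
    answers = SRV_RECORDS.get(f"{srv_label}._{proto}.{realm}", [])
    return [(host, port, socktype) for host, port in answers]


def locate_kpasswd(realm, socktype):
    """Find kpasswd servers for the caller's socktype, falling back to the
    kadmin host when no kpasswd entry or SRV record exists."""
    found = locate_server("kpasswd", realm, socktype)
    if found:
        return found
    # Only _kadmin._tcp.REALM ever exists, so the fallback search must ask for TCP...
    found = locate_server("kadmin", realm, TCP)
    # ...and the records are fixed up afterwards to the requested socktype (and
    # the kpasswd port), instead of forcing a TCP connection on the caller.
    return [(host, KPASSWD_PORT, socktype) for host, _, _ in found]
```

With only admin_server configured, the UDP caller still gets a UDP record back, which is the behaviour the ticket title says was missing.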
