[krbdev.mit.edu #6513] krb-1.7 kadmind not logging IP address of requests
Ken Raeburn via RT
rt-comment at krbdev.mit.edu
Tue Jun 16 20:18:26 EDT 2009
On Jun 16, 2009, at 18:08, Ed Ravin via RT wrote:
> Looked a little deeper - it's this code in src/kadmin/server/schpw.c
> that is kicking in:
>
>     if (getnameinfo(ss2sa(&ss), salen,
>                     addrbuf, sizeof(addrbuf), NULL, 0,
>                     NI_NUMERICHOST | NI_NUMERICSERV) != 0)
>         strlcpy(addrbuf, "<unprintable>", sizeof(addrbuf));
>
> And the return code from getnameinfo was 4 (name resolution failure).

Since NI_NUMERICHOST means to return the numeric form of the host
address and not look up a name, and NI_NUMERICSERV means to do
likewise for the service/port, this sounds like a bug. Though, when
no buffer for the service name is supplied, it is kind of odd to be
passing the NI_NUMERICSERV flag. However, "name resolution failure"
is kind of a strange way to complain about it. I just tried this
little test program on my NetBSD 5.0 system and it seems to work fine,
printing out the address as "10.10.10.10":

    #include <sys/socket.h>
    #include <netdb.h>
    #include <stdio.h>
    #include <netinet/in.h>

    /* sin_len exists only on BSD-derived systems such as NetBSD. */
    struct sockaddr_in s = {
        .sin_len = sizeof(s), .sin_family = AF_INET,
        .sin_addr = { .s_addr = 0x0a0a0a0a }, .sin_port = 47,
    };
    char addrbuf[NI_MAXHOST];

    int main () {
        /* No service buffer is passed; only the numeric host is requested. */
        int r = getnameinfo((struct sockaddr*)&s, sizeof s, addrbuf,
                            sizeof(addrbuf),
                            NULL, 0, NI_NUMERICHOST | NI_NUMERICSERV);
        printf("retval=%d/%s addrbuf=%s\n", r, gai_strerror(r), addrbuf);
    }

Perhaps something else is amiss, like salen or ss.ss_len being
incorrect and getnameinfo being picky? Or it's unhappy about some
other field in a sockaddr_in6 structure?

> I'm confused by this code, which appears in several spots in krb5 - it
> seems to disable logging of source IP addresses of requests if there's
> a local resolution error? Why not just show the IP address and leave it
> at that?

We are, in fact, trying to do that.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium