Macintosh OS X.2 question

Paul W. Nelson nelson at thursby.com
Mon Dec 2 16:14:00 EST 2002


Do you get a valid tgt when kinit finishes after the 15-20 seconds?

If so please read on - The same thing is happening to me.


Your Mac is probably trying to use the krb524 service, and is sending out a
UDP datagram to port 4444 (you can verify this with tcpdump).

This should cause the KDC to reply, or return an ICMP message saying that
port 4444 is not reachable.

Kinit will pick up on the ICMP message and skip the krb524 step, but
sometimes the ICMP message gets filtered out by routers, especially when NAT
is used.

It would be really nice to be able to skip this step, or devise a method for
telling stuff like kinit that krb524 is not supported (in the config file).
Relying on ICMP port not reachable messages is not the best, especially
across the Internet.

Also, I imagine a tcpdump trace will show that the krb524 request is not
retransmitted.  I can understand waiting 15-20 seconds for a response if you
keep retransmitting the UDP request, but it doesn't make sense to send only
one UDP datagram and then wait that long.  If the datagram gets lost, you
are just wasting your time waiting.

I think the retry: label in krb524/sendmsg.c is in the wrong place, and
should be moved up a few lines so it is before the send call:

Existing code:
>       if (send(socklist[host],
>              message->data, message->length, 0) != message->length)
>         continue;
>   retry:
>       waitlen.tv_usec = 0;
>       waitlen.tv_sec = timeout;
>       FD_ZERO(&readable);
>       FD_SET(socklist[host], &readable);
>       if (nready = select(SOCKET_NFDS(socklist[host]),
>               &readable,
>               0,
>               0,
>               &waitlen)) {
>       if (nready == SOCKET_ERROR) {
>           if (SOCKET_ERRNO == SOCKET_EINTR)
>           goto retry;
>           retval = SOCKET_ERRNO;
>           goto out;
>       }


-- 
Paul W. Nelson
Thursby Software Systems, Inc.

> From: Philip Rinehart <philip.rinehart at yale.edu>
> Date: Mon, 2 Dec 2002 15:26:50 -0500
> To: krbdev at mit.edu
> Subject: Macintosh OS X.2 question
> 
> Hello,
> 
> Currently we are getting Kerberos 4 tickets from our krb server.
> However, I would like to move them to krb5 tickets. Here's the problem:
> the edu.mit.Kerberos file is set up correctly and is getting krb4
> tickets speedily. However, when I try to get a ticket using krb5
> configurations, it takes on average 15/20 seconds to get the ticket.
> 
> The Kerberos extras installer has been installed as well.
> 
> -------------------------------
> Philip Rinehart
> Academic Media & Technology
> Cluster Support Services
> 203-432-6573
> philip.rinehart at yale.edu




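Added example (not code from MIT Kerberos or krb524/sendmsg.c): a small C program
showing the loop structure the post argues for, with send() inside the retry loop so
that every select() timeout retransmits the UDP request, a bound on the number of
transmissions, and an early exit when the kernel reports the ICMP port unreachable
as ECONNREFUSED on the connected UDP socket (assumed Linux behaviour, not exercised
by the demos below). The demos use an AF_UNIX datagram socketpair and a forked
"KDC" that drops the first datagram and answers the resend, so everything runs
offline; the payloads are constructed placeholders, not real krb524 messages.

```c
#include <errno.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REQ_OK = 0, REQ_TIMEOUT = -1, REQ_UNREACHABLE = -2, REQ_ERROR = -3 };

/* Send msg on the connected datagram socket fd and wait timeout_sec for a
 * reply; on each timeout send it again, up to max_tries transmissions.
 * The reply lands in reply/*reply_len; *sent counts datagrams transmitted. */
int udp_request(int fd, const void *msg, size_t len, int timeout_sec,
                int max_tries, void *reply, size_t reply_cap,
                size_t *reply_len, int *sent)
{
    int tries;
    *sent = 0;
    *reply_len = 0;
    for (tries = 0; tries < max_tries; tries++) {
        struct timeval waitlen;
        /* send() sits inside the retry loop: a lost datagram gets resent. */
        if (send(fd, msg, len, 0) != (ssize_t)len)
            return errno == ECONNREFUSED ? REQ_UNREACHABLE : REQ_ERROR;
        (*sent)++;
        waitlen.tv_sec = timeout_sec;
        waitlen.tv_usec = 0;
        for (;;) {
            fd_set readable;
            int nready;
            ssize_t n;
            FD_ZERO(&readable);
            FD_SET(fd, &readable);
            nready = select(fd + 1, &readable, NULL, NULL, &waitlen);
            if (nready < 0) {
                if (errno == EINTR)      /* interrupted: keep waiting */
                    continue;
                return REQ_ERROR;
            }
            if (nready == 0)             /* timed out: retransmit */
                break;
            n = recv(fd, reply, reply_cap, 0);
            if (n >= 0) {
                *reply_len = (size_t)n;
                return REQ_OK;
            }
            /* Assumed kernel behaviour (Linux): an ICMP port unreachable for a
             * connected UDP socket surfaces here as ECONNREFUSED, so the caller
             * can skip the krb524 step at once instead of waiting it out. */
            if (errno == ECONNREFUSED)
                return REQ_UNREACHABLE;
            if (errno == EINTR)
                continue;
            return REQ_ERROR;
        }
    }
    return REQ_TIMEOUT;
}

static const char REQUEST[] = "krb524 request";  /* constructed placeholder */

/* Peer never answers: the request must time out after max_tries sends, and
 * the peer's queue must then hold exactly that many datagrams. */
int demo_no_responder(int timeout_sec, int max_tries, int *sent, int *seen_by_peer)
{
    int sv[2], rc;
    char buf[64];
    size_t reply_len;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return REQ_ERROR;
    rc = udp_request(sv[0], REQUEST, sizeof REQUEST - 1, timeout_sec, max_tries,
                     buf, sizeof buf, &reply_len, sent);
    *seen_by_peer = 0;
    while (recv(sv[1], buf, sizeof buf, MSG_DONTWAIT) > 0)
        (*seen_by_peer)++;
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Forked "KDC" drops the first datagram and answers the retransmission. */
int demo_lossy_responder(int *sent, char *reply, size_t reply_cap, size_t *reply_len)
{
    int sv[2], rc, status;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return REQ_ERROR;
    pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return REQ_ERROR;
    }
    if (pid == 0) {
        char buf[64];
        close(sv[0]);
        (void)recv(sv[1], buf, sizeof buf, 0);          /* "lose" the first one */
        if (recv(sv[1], buf, sizeof buf, 0) > 0)        /* answer the resend */
            (void)send(sv[1], "krb4 ticket", 11, 0);
        _exit(0);
    }
    close(sv[1]);
    rc = udp_request(sv[0], REQUEST, sizeof REQUEST - 1, 1, 3,
                     reply, reply_cap, reply_len, sent);
    close(sv[0]);
    waitpid(pid, &status, 0);
    return rc;
}
```

With the retry: label where the post's excerpt has it (after the send), the lossy
demo would sit through the whole timeout with nothing resent; with the send inside
the loop it gets its reply on the second transmission, one timeout later.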