Macintosh OS X.2 question

Steven Michaud smichaud at pobox.com
Tue Dec 3 13:52:01 EST 2002


> Your Mac is probably trying to use the krb524 service, and is
> sending out a UDP datagram to port 4444 (you can verify this with
> tcpdump).
>
> This should cause the KDC to reply, or return an ICMP message saying
> that port 4444 is not reachable.

The delay can also happen if your KDC is running a firewall (or is
behind a firewall) that drops traffic to port 4444 without making any
response to the sender (i.e. without sending an ICMP port unreachable
message).

If the KDC is using ipfilter, its admins would want to replace a
filter rule that looks something like this:

block in on elx0 proto udp from any to any port = 4444

with one that looks something like this:

block return-icmp(port-unr) in on elx0 proto udp from any to any port = 4444

On Mon, 2 Dec 2002, Paul W. Nelson wrote:

> Do you get a valid tgt when kinit finishes after the 15-20 seconds?
>
> If so please read on - The same thing is happening to me.
>
>
> Your Mac is probably trying to use the krb524 service, and is sending out a
> UDP datagram to port 4444 (you can verify this with tcpdump).
>
> This should cause the KDC to reply, or return an ICMP message saying that
> port 4444 is not reachable.
>
> Kinit will pick up on the icmp message and skip the krb524 step, but
> sometimes the icmp message gets filtered out by routers, especially when NAT
> is used.
>
> It would be really nice to be able to skip this step, or devise a method for
> telling stuff like kinit that krb524 is not supported (in the config file).
> Relying on icmp port not reachable messages is not the best especially
> across the internet.
>
> Also, I imagine a tcpdump trace will show that the krb524 request is not
> retransmitted.  I can understand waiting 15-20 seconds for a response if you
> keep retransmitting the UDP request, but it doesn't make sense to send only
> one UDP datagram and then wait that long.  If the datagram gets lost, you
> are just wasting your time waiting.
>
> I think the retry: label in krb524/sendmsg.c is in the wrong place, and
> should be moved up a few lines so it is before the send call:
>
> Existing code:
> >       if (send(socklist[host],
> >              message->data, message->length, 0) != message->length)
> >         continue;
> >   retry:
> >       waitlen.tv_usec = 0;
> >       waitlen.tv_sec = timeout;
> >       FD_ZERO(&readable);
> >       FD_SET(socklist[host], &readable);
> >       if (nready = select(SOCKET_NFDS(socklist[host]),
> >               &readable,
> >               0,
> >               0,
> >               &waitlen)) {
> >       if (nready == SOCKET_ERROR) {
> >           if (SOCKET_ERRNO == SOCKET_EINTR)
> >           goto retry;
> >           retval = SOCKET_ERRNO;
> >           goto out;
> >       }
>
>
> --
> Paul W. Nelson
> Thursby Software Systems, Inc.
>
> > From: Philip Rinehart <philip.rinehart at yale.edu>
> > Date: Mon, 2 Dec 2002 15:26:50 -0500
> > To: krbdev at mit.edu
> > Subject: Macintosh OS X.2 question
> >
> > Hello,
> >
> > Currently we are getting Kerberos 4 tickets from our krb server.
> > However, I would like to move them to krb5 tickets. Here's the problem,
> > the edu.mit.Kerberos file is set up correctly and is getting krb4
> > tickets speedily. However, when I try to get a ticket using krb5
> > configurations, it takes on average 15/20 seconds to get the ticket.
> >
> > The Kerberos extras installer has been installed as well.
> >
> > -------------------------------
> > Philip Rinehart
> > Academic Media & Technology
> > Cluster Support Services
> > 203-432-6573
> > philip.rinehart at yale.edu
>
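Added example, not part of the thread or of MIT Kerberos: a small C model of the krb524 probe the messages above describe (one UDP datagram, then a single select() wait), run against a loopback peer that never answers, which stands in for a firewall that drops port 4444 silently, and against a closed port, where the ICMP port unreachable ends the wait at once. The names bind_loopback_udp and probe_udp are hypothetical and the request bytes are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { PROBE_ERROR = -1, PROBE_REPLY, PROBE_UNREACHABLE, PROBE_TIMEOUT };
/* Stand-in for the KDC host: a UDP socket bound on 127.0.0.1 to a
 * kernel-chosen port.  Returns the fd and stores the port number. */
int bind_loopback_udp(unsigned short *port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, alen) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0) { close(fd); return -1; }
    *port = ntohs(a.sin_port);
    return fd;
}
/* The probe as the thread describes kinit doing it: one datagram to the
 * krb524 port, then a single select() wait.  The socket is connected so
 * the kernel surfaces an ICMP port unreachable as ECONNREFUSED; a peer
 * that drops silently produces nothing and the caller eats the timeout. */
int probe_udp(unsigned short port, int timeout_sec)
{
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(port),
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    const char msg[] = "constructed krb524 request";
    char buf[512];
    fd_set readable;
    struct timeval waitlen;
    int nready, result = PROBE_ERROR;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return PROBE_ERROR;
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0) goto out;
    if (send(fd, msg, sizeof msg, 0) != (ssize_t)sizeof msg) goto out;
    do {                                 /* the thread's retry: point, after the send */
        waitlen.tv_sec = timeout_sec; waitlen.tv_usec = 0;
        FD_ZERO(&readable);
        FD_SET(fd, &readable);
        nready = select(fd + 1, &readable, NULL, NULL, &waitlen);
    } while (nready < 0 && errno == EINTR);        /* interrupted: wait again, no resend */
    if (nready == 0) result = PROBE_TIMEOUT;                         /* silent drop */
    else if (nready > 0 && recv(fd, buf, sizeof buf, 0) >= 0) result = PROBE_REPLY;
    else if (nready > 0 && errno == ECONNREFUSED) result = PROBE_UNREACHABLE; /* ICMP seen */
out:
    close(fd);
    return result;
}
```

With a 1 second timeout the silent peer costs the full second while the closed port returns immediately, which is the difference between the two ipfilter rules above.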