Problem with Kerberos and OpenVPN Interfaces

Tim Colles timc at inf.ed.ac.uk
Wed Dec 14 10:31:18 EST 2005


We have had a problem here for a while with the Kerberos libraries and
a machine running OpenVPN, specifically the additional interfaces it
ends up having as a result. We had the problem with RH9 running 1.3.4
and after upgrade to FC3 we continue to see the problem with 1.3.6.

Essentially what happens is that with OpenVPN turned off it all works
fine but with OpenVPN turned on the pam_krb5 security module seg.
faults during login. When we originally hit the problem we did a
traceback of where the seg. fault occurred and it appeared to originate
in a Kerberos function that was checking through the network interfaces
the machine was configured with. Further analysis showed that the
libraries seemed to be barfing on the added tun0 interface, which
looks something like this in an ifconfig output (inet addresses
altered to protect the innocent):

   tun0
     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
     inet addr:181.224.8.100  P-t-P:181.224.8.101  Mask:255.255.255.255
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:17316 errors:0 dropped:0 overruns:0 frame:0
     TX packets:16188 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100
     RX bytes:3530208 (3.3 MiB)  TX bytes:9730414 (9.2 MiB)

We were optimistic that maybe adding the "scan_interfaces=false"
option to the krb5.conf file would sort the problem so we tried
that but it appears to have had no effect.

Does anyone know what might be going on here and/or how to work around
the problem? If the consensus is that it is some kind of interface
syntax parsing bug then we could try and produce some more useful
debugging trace output so it can be looked at?

Cheers,
Tim.

