Reproducing the problem with 1.15-1:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.15-1
Candidate: 1.15-1
Version table:
*** 1.15-1 500
500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
100 /var/lib/dpkg/status
After rebooting with no IPv6 support, the kerberos services are not running:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
ubuntu@15-89:~$
And we have the expected failure in auth.log:
ubuntu@15-89:~$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 15 13:23:40 15-89 kadmind[1195]: Failed setting up a UDP socket (for ::.464)
May 15 13:23:40 15-89 krb5kdc[1196]: Failed setting up a UDP socket (for ::.750)
May 15 13:24:34 15-89 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root
; COMMAND=/bin/grep -E (kadmind|krb5kdc).*Failed /var/log/auth.log
Now we install the fixed packages from proposed:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
Installed: 1.15-1ubuntu0.1
Candidate: 1.15-1ubuntu0.1
Version table:
*** 1.15-1ubuntu0.1 500
500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64
Packages
100 /var/lib/dpkg/status
1.15-1 500
500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
Immediately after that the services are running already:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
2377 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
2443 ? Ss 0:00 /usr/sbin/kadmind -nofork
We still have errors in auth.log, but they are not fatal:
May 15 13:26:49 15-89 kadmind[2443]: Address family not supported by protocol -
Cannot create TCP server socket on ::.464
May 15 13:26:49 15-89 kadmind[2443]: Failed setting up a UDP socket (for ::.464)
And we are bound to IPv4 sockets only as expected:
ubuntu@15-89:~$ sudo netstat -anp|grep -E "^(tcp|udp).*(krb5kdc|kadmind)"
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN
2377/krb5kdc
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN
2443/kadmind
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN
2443/kadmind
udp 0 0 0.0.0.0:88 0.0.0.0:*
2377/krb5kdc
udp 0 0 0.0.0.0:464 0.0.0.0:*
2443/kadmind
udp 0 0 0.0.0.0:750 0.0.0.0:*
2377/krb5kdc
** Tags removed: verification-needed
** Tags added: verification-done-zesty
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1688310
Title:
KDC/kadmind may fail to start on IPv4-only systems
Status in krb5 package in Ubuntu:
Fix Released
Status in krb5 source package in Zesty:
Fix Committed
Status in krb5 package in Debian:
Fix Released
Bug description:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1"
address. On machines without IPv6 support, binding to it will most likely fail
and the kdc/kadmin services won't start.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working
properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for [email protected]:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/[email protected]
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN
1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN
1065/kadmind
tcp6 0 0 :::464 :::* LISTEN
1065/kadmind
udp6 0 0 :::88 :::*
1078/krb5kdc
udp6 0 0 :::464 :::*
1065/kadmind
udp6 0 0 :::750 :::*
1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to
do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel
command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for
::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for
::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for
::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for
::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for
::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for
::.750)
With the updated packages, krb5-kdc and krb5-admin-server will startup
just fine in the same conditions.
[Regression Potential]
We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound
to correctly. Maybe there could be a scenario when this one bound socket is
useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT
error could be seen as a more robust approach because it's immediately visible,
instead of silently listening on the useless socket.
That being said, I believe single stack systems (only IPv4, or only
IPv6) take an extra configuration effort and most systems are dual
stack. Zesty certainly is, out of the box.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
