Activity log for bug #1683237

Date Who What changed Old value New value Message
2017-04-17 06:15:23 Jochen Hein bug added bug
2017-04-17 16:33:10 Sam Hartman bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
2017-04-17 16:33:10 Sam Hartman bug task added krb5 (Debian)
2017-04-18 00:38:05 Bug Watch Updater krb5 (Debian): status Unknown New
2017-04-19 16:00:27 Joshua Powers bug added subscriber Ubuntu Server Team
2017-04-19 16:00:30 Joshua Powers krb5 (Ubuntu): status New Triaged
2017-04-19 16:00:34 Joshua Powers krb5 (Ubuntu): importance Undecided High
2017-04-19 16:00:44 Joshua Powers tags server-next
2017-04-19 16:06:27 Joshua Powers bug added subscriber Joshua Powers
2017-04-21 15:36:34 Jochen Hein bug watch added http://krbdev.mit.edu/rt/Ticket/Display.html?id=8580
2017-04-21 15:39:25 Joshua Powers nominated for series Ubuntu Zesty
2017-04-23 02:49:07 Bug Watch Updater krb5 (Debian): status New Fix Released
2017-04-24 12:52:18 Robie Basak bug task added krb5 (Ubuntu Zesty)
2017-04-24 12:52:23 Robie Basak krb5 (Ubuntu Zesty): status New Triaged
2017-04-25 11:58:32 Robie Basak krb5 (Ubuntu): status Triaged Fix Committed
2017-04-26 12:26:29 Robie Basak krb5 (Ubuntu): status Fix Committed Fix Released
2017-05-02 13:45:47 Joshua Powers tags server-next
2017-05-03 14:29:16 Andreas Hasenack krb5 (Ubuntu Zesty): assignee Andreas Hasenack (ahasenack)
2017-05-03 14:29:19 Andreas Hasenack krb5 (Ubuntu Zesty): status Triaged In Progress
2017-05-03 20:47:55 Andreas Hasenack bug watch added http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
2017-05-03 20:47:55 Andreas Hasenack bug watch added http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
2017-05-03 20:47:55 Andreas Hasenack bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
2017-05-03 20:47:55 Andreas Hasenack bug watch added http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
2017-05-03 21:47:54 Joshua Powers removed subscriber Joshua Powers
2017-05-04 13:56:56 Gianfranco Costamagna bug added subscriber LocutusOfBorg
2017-05-05 13:16:55 Andreas Hasenack description

Old value:

Zesty is now affected, please see the debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554

Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-updates?

Thanks
Jochen

New value:

This is fixed in krb5 1.15-2 in artful

Upstream bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch

TL;DR
kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show udp and tcp entries.

Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest to use LXD):

a) install the packages from zesty (not the proposed ones yet):
$ sudo apt install krb5-kdc krb5-admin-server bind9

When prompted for the realm, choose EXAMPLE.COM
When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
The KDC will fail to start because there is no realm yet, that's not relevant for this bug.

b) Edit /etc/krb5.conf and make the following changes:
- remove the "default_realm" line from the [libdefaults] section
- remove the EXAMPLE.COM realm block from the [realms] section
- add "dns_lookup_realm = true" to the [libdefaults] section
- add "dns_lookup_kdc = true" to the [libdefaults] section
- add "udp_preference_limit = 1" to the [libdefaults] section

c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

d) Create /etc/bind/db.example.com with this content:

$TTL 604800
@ IN SOA example.com. ubuntu.example.com. (
                  1 ; Serial
             604800 ; Refresh
              86400 ; Retry
            2419200 ; Expire
             604800 ) ; Negative Cache TTL
;
@ IN NS zesty-bug1683237.example.com.
zesty-bug1683237 IN A 10.0.100.249
_kerberos TXT "EXAMPLE.COM"
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-master._udp SRV 0 0 88 zesty-bug1683237
_kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237

Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

e) Restart bind
$ sudo service bind9 restart

f) Do a few quick DNS tests:
$ dig +short @10.0.100.249 zesty-bug1683237.example.com
10.0.100.249

$ dig +short @10.0.100.249 -t TXT _kerberos.example.com
"EXAMPLE.COM"

$ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
0 0 88 zesty-bug1683237.example.com.

$ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
0 0 88 zesty-bug1683237.example.com.

g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:

nameserver 10.0.100.249 # USE YOUR IP HERE
search example.com

h) Create the EXAMPLE.COM kerberos realm:
$ sudo krb5_newrealm

When prompted for a password, use whatever you like.
If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

i) Start the kerberos services:
$ sudo service krb5-kdc start
$ sudo service krb5-admin-server start

j) Create a principal and test it:
$ sudo kadmin.local addprinc -pw ubuntu ubuntu
$ kinit ubuntu
Password for ubuntu@EXAMPLE.COM:
$ klist
(...)
05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
(...)

Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

$ KRB5_TRACE=/dev/stderr kinit
[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
(...)

Uh oh, it's using UDP!

With the fixed packages, the story is different:

$ KRB5_TRACE=/dev/stderr kinit
[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
(...)

And if udp_preference_limit is removed from /etc/krb5.conf, the updated packages start with UDP again.

== Original description ==

Zesty is now affected, please see the debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554

Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-updates?

Thanks
Jochen
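Added example, not part of the bug report or of krb5's own code: a POSIX shell check that reads KRB5_TRACE output of the kind shown in the description, reports which transport the client tried first, and compares it with the udp_preference_limit found in a krb5.conf (when the option is unset it applies MIT's documented default of 1465 bytes, so a 172-byte AS-REQ is expected to go out over UDP). The trace lines and krb5.conf fragments are constructed samples modelled on the ones quoted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example for bug 1683237; not part of the bug report or of krb5 itself.
# Classifies the transport a krb5 client used from its KRB5_TRACE output and
# checks it against udp_preference_limit in a krb5.conf. The trace and config
# samples below are constructed from the lines quoted in the report.

# Constructed sample: trace from the unfixed zesty package (udp_preference_limit = 1).
TRACE_BUGGY='[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88'

# Constructed sample: trace from the fixed package with the same config.
TRACE_FIXED='[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88'

# Constructed sample krb5.conf fragments: one forcing TCP, one leaving the default.
CONF_TCP='[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    udp_preference_limit = 1

[logging]
    kdc = FILE:/var/log/krb5kdc.log'

CONF_DEFAULT='[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true'

# first_transport TRACE: print udp, tcp, or none for the first request the client sent.
first_transport() {
    printf '%s\n' "$1" | awk '
        /Sending initial UDP request to dgram/ { t = "udp"; exit }
        /Initiating TCP connection to stream/  { t = "tcp"; exit }
        END { print (t == "" ? "none" : t) }'
}

# request_bytes TRACE: size of the first request as logged by the library.
request_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*Sending request (\([0-9][0-9]*\) bytes).*/\1/p' | head -n 1
}

# conf_limit CONF: udp_preference_limit from [libdefaults]; MIT's default is 1465 when unset.
conf_limit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/) }
        in_ld && /^[ \t]*udp_preference_limit[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); v = $0
        }
        END { print (v == "" ? 1465 : v) }'
}

# expected_transport LIMIT BYTES: a conforming client tries TCP first when the
# request is larger than udp_preference_limit, UDP otherwise.
expected_transport() {
    [ -n "$2" ] || { echo unknown; return; }
    if [ "$2" -gt "$1" ]; then echo tcp; else echo udp; fi
}

# check_trace TRACE CONF: ok when the observed first transport matches the config.
check_trace() {
    got=$(first_transport "$1")
    want=$(expected_transport "$(conf_limit "$2")" "$(request_bytes "$1")")
    if [ "$got" = "$want" ]; then
        echo ok
    else
        echo "mismatch: expected $want, got $got"
    fi
}

# Stand-alone run. Against a live client the same check would be:
#   KRB5_TRACE=/dev/stderr kinit ubuntu 2>trace.log
#   check_trace "$(cat trace.log)" "$(cat /etc/krb5.conf)"
check_trace "$TRACE_BUGGY" "$CONF_TCP"
check_trace "$TRACE_FIXED" "$CONF_TCP"
check_trace "$TRACE_BUGGY" "$CONF_DEFAULT"
```

The check only looks at the first transport attempted, which is exactly what udp_preference_limit governs; both protocols are still tried if the first attempt fails, so a later "Sending TCP request" line after a UDP timeout is not by itself evidence that the option was honoured.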
2017-05-05 13:17:29 Andreas Hasenack description (old and new values are the description from the previous entry, verbatim, except that "Give that we have udp_preference_limit = 1" now reads "Given that we have udp_preference_limit = 1")
2017-05-05 13:23:29 Andreas Hasenack description (old and new values are the same description again, except that the TL;DR now ends "these records show both udp and tcp entries")
2017-05-05 17:06:04 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/323686
2017-05-05 17:14:34 Andreas Hasenack description This is fixed in krb5 1.15-2 in artful Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554 Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch TL;DR kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries. Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest to use LXD): a) install the packages from zesty (not the proposed ones yet): $ sudo apt install krb5-kdc krb5-admin-server bind9 When prompted for the realm, choose EXAMPLE.COM When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1) The KDC will fail to start because there is no realm yet, that's not relevant for this bug. b) Edit /etc/krb5.conf and make the following changes: - remove the "default_realm" line from the [libdefaults] section - remove the EXAMPLE.COM realm block from the [realms] section - add "dns_lookup_realm = true" to the [libdefaults] section - add "dns_lookup_kdc = true" to the [libdefaults] section - add "udp_preference_limit = 1" to the [libdefaults] section c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone): zone "example.com" {     type master;     file "/etc/bind/db.example.com"; }; d) Create /etc/bind/db.example.com with this content: $TTL 604800 @ IN SOA example.com. ubuntu.example.com. (                   1 ; Serial              604800 ; Refresh               86400 ; Retry             2419200 ; Expire              604800 ) ; Negative Cache TTL ; @ IN NS zesty-bug1683237.example.com. 
zesty-bug1683237 IN A 10.0.100.249 _kerberos TXT "EXAMPLE.COM" _kerberos._udp SRV 0 0 88 zesty-bug1683237 _kerberos._tcp SRV 0 0 88 zesty-bug1683237 _kerberos-master._udp SRV 0 0 88 zesty-bug1683237 _kerberos-master._tcp SRV 0 0 88 zesty-bug1683237 _kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237 _kpasswd._udp SRV 0 0 464 zesty-bug1683237 Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237". e) Restart bind $ sudo service bind9 restart f) Do a few quick DNS tests: $ dig +short @10.0.100.249 zesty-bug1683237.example.com 10.0.100.249 $ dig +short @10.0.100.249 -t TXT _kerberos.example.com "EXAMPLE.COM" $ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com 0 0 88 zesty-bug1683237.example.com. $ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com 0 0 88 zesty-bug1683237.example.com. g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces: nameserver 10.0.100.249 # USE YOUR IP HERE search example.com h) Create the EXAMPLE.COM kerberos realm: $ sudo krb5_newrealm When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps. i) Start the kerberos services: $ sudo service krb5-kdc start sudo service krb5-admin-server start j) Create a principal and test it: $ sudo kadmin.local addprinc -pw ubuntu ubuntu $ kinit ubuntu Password for ubuntu@EXAMPLE.COM: $ klist (...) 05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM (...) Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. 
Let's check: $ KRB5_TRACE=/dev/stderr kinit [7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM [7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM [7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com. [7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88 (...) Uh oh, it's using UDP! With the fixed packages, the story is different: $ KRB5_TRACE=/dev/stderr kinit [14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM [14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM [14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com. [14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com. [14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88 [14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88 (...) And if udp_preference_limit is removed from /etc/krb5.conf, the updated packages start with UDP again. == Original description == Zesty is now affected, please see the debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554 Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-updates? Thanks Jochen This is fixed in krb5 1.15-2 in artful Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554 Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch [Impact] kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries. 
[Test Case]

Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest using LXD):

a) Install the packages from zesty (not the proposed ones yet):

$ sudo apt install krb5-kdc krb5-admin-server bind9

When prompted for the realm, choose EXAMPLE.COM
When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)

The KDC will fail to start because there is no realm yet; that's not relevant for this bug.

b) Edit /etc/krb5.conf and make the following changes:

- remove the "default_realm" line from the [libdefaults] section
- remove the EXAMPLE.COM realm block from the [realms] section
- add "dns_lookup_realm = true" to the [libdefaults] section
- add "dns_lookup_kdc = true" to the [libdefaults] section
- add "udp_preference_limit = 1" to the [libdefaults] section

c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

d) Create /etc/bind/db.example.com with this content:

$TTL 604800
@ IN SOA example.com. ubuntu.example.com. (
                  1 ; Serial
             604800 ; Refresh
              86400 ; Retry
            2419200 ; Expire
             604800 ) ; Negative Cache TTL
;
@ IN NS zesty-bug1683237.example.com.
zesty-bug1683237 IN A 10.0.100.249
_kerberos TXT "EXAMPLE.COM"
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-master._udp SRV 0 0 88 zesty-bug1683237
_kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237

Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

e) Restart bind:

$ sudo service bind9 restart

f) Do a few quick DNS tests:

$ dig +short @10.0.100.249 zesty-bug1683237.example.com
10.0.100.249
$ dig +short @10.0.100.249 -t TXT _kerberos.example.com
"EXAMPLE.COM"
$ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
0 0 88 zesty-bug1683237.example.com.
$ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
0 0 88 zesty-bug1683237.example.com.

g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:

nameserver 10.0.100.249 # USE YOUR IP HERE
search example.com

h) Create the EXAMPLE.COM Kerberos realm:

$ sudo krb5_newrealm

When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

i) Start the Kerberos services:

$ sudo service krb5-kdc start
$ sudo service krb5-admin-server start

j) Create a principal and test it:

$ sudo kadmin.local addprinc -pw ubuntu ubuntu
$ kinit ubuntu
Password for ubuntu@EXAMPLE.COM:
$ klist
(...)
05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
(...)

Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

$ KRB5_TRACE=/dev/stderr kinit
[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
(...)

Uh oh, it's using UDP!

With the fixed packages, the story is different:

$ KRB5_TRACE=/dev/stderr kinit
[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
(...)

And if udp_preference_limit is removed from /etc/krb5.conf, the updated packages start with UDP again.

== Original description ==

Zesty is now affected, please see the Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554

Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-updates?

Thanks
Jochen
2017-05-05 17:27:29 Andreas Hasenack description

This is fixed in krb5 1.15-2 in artful.

Upstream bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch

[Impact]

kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries.

One particular scenario that fails is when OTP (one time password) is used, as reported.

The provided patch is applied upstream and in Debian testing.
[Test Case]

Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest using LXD):

a) Install the packages from zesty (not the proposed ones yet):

$ sudo apt install krb5-kdc krb5-admin-server bind9

When prompted for the realm, choose EXAMPLE.COM
When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)

The KDC will fail to start because there is no realm yet; that's not relevant for this bug.

b) Edit /etc/krb5.conf and make the following changes:

- remove the "default_realm" line from the [libdefaults] section
- remove the EXAMPLE.COM realm block from the [realms] section
- add "dns_lookup_realm = true" to the [libdefaults] section
- add "dns_lookup_kdc = true" to the [libdefaults] section
- add "udp_preference_limit = 1" to the [libdefaults] section

c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

d) Create /etc/bind/db.example.com with this content:

$TTL 604800
@ IN SOA example.com. ubuntu.example.com. (
                  1 ; Serial
             604800 ; Refresh
              86400 ; Retry
            2419200 ; Expire
             604800 ) ; Negative Cache TTL
;
@ IN NS zesty-bug1683237.example.com.
zesty-bug1683237 IN A 10.0.100.249
_kerberos TXT "EXAMPLE.COM"
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-master._udp SRV 0 0 88 zesty-bug1683237
_kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237

Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

e) Restart bind:

$ sudo service bind9 restart

f) Do a few quick DNS tests:

$ dig +short @10.0.100.249 zesty-bug1683237.example.com
10.0.100.249
$ dig +short @10.0.100.249 -t TXT _kerberos.example.com
"EXAMPLE.COM"
$ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
0 0 88 zesty-bug1683237.example.com.
$ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
0 0 88 zesty-bug1683237.example.com.

g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:

nameserver 10.0.100.249 # USE YOUR IP HERE
search example.com

h) Create the EXAMPLE.COM Kerberos realm:

$ sudo krb5_newrealm

When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

i) Start the Kerberos services:

$ sudo service krb5-kdc start
$ sudo service krb5-admin-server start

j) Create a principal and test it:

$ sudo kadmin.local addprinc -pw ubuntu ubuntu
$ kinit ubuntu
Password for ubuntu@EXAMPLE.COM:
$ klist
(...)
05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
(...)

Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

$ KRB5_TRACE=/dev/stderr kinit
[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
(...)

Uh oh, it's using UDP!

With the fixed packages, kinit will use TCP, thus honoring the udp_preference_limit setting:

$ KRB5_TRACE=/dev/stderr kinit
[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
(...)

And if udp_preference_limit is removed from /etc/krb5.conf, the updated packages start with UDP again.

[Regression Potential]

Sites that were inadvertently relying on this bug (by having udp_preference_limit set to a low value but being ignored) will see their clients suddenly switch (correctly) from UDP to TCP when talking to the KDC and could require firewall changes to allow that exchange.

== Original description ==

Zesty is now affected, please see the Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 and upstream bug http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554

Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-updates?

Thanks
Jochen
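The verification step of the test case above comes down to reading a KRB5_TRACE log and checking whether the first transport the client opened to the KDC matches what udp_preference_limit asks for. The following Python script is an added example, not part of the bug report or of the krb5 project: it automates that check over the trace lines quoted in the description (embedded here as constructed sample input, together with a constructed [libdefaults] fragment matching step b). It assumes MIT krb5's documented rule that TCP is tried first when the request is larger than udp_preference_limit, that the default limit is 1465 bytes when the option is unset, and that the trace lines keep the wording shown above ("Sending initial UDP request to dgram ..." / "Initiating TCP connection to stream ...").

```python
"""Check whether a kinit KRB5_TRACE run honoured udp_preference_limit (added example)."""
import re
from typing import Dict, Optional, Tuple

# MIT krb5's documented default when udp_preference_limit is not set (assumption).
DEFAULT_UDP_PREFERENCE_LIMIT = 1465

# Constructed sample input: the trace lines quoted in the bug report.
TRACE_BUGGY = (
    "[7609] 1493989890.568980: Getting initial credentials for ubuntu@EXAMPLE.COM\n"
    "[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM\n"
    "[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.\n"
    "[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88\n"
)
TRACE_FIXED = (
    "[14287] 1493990160.760430: Getting initial credentials for ubuntu@EXAMPLE.COM\n"
    "[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM\n"
    "[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.\n"
    "[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88\n"
    "[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88\n"
)
# Constructed /etc/krb5.conf fragment reflecting step b) of the test case.
KRB5_CONF_TCP = (
    "[libdefaults]\n"
    "    dns_lookup_realm = true\n"
    "    dns_lookup_kdc = true\n"
    "    udp_preference_limit = 1\n"
    "[realms]\n"
)

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_KEYVAL = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")
_REQ_SIZE = re.compile(r"Sending request \((\d+) bytes\)")
_UDP = re.compile(r"Sending initial UDP request to dgram (\S+):(\d+)")
_TCP = re.compile(r"Initiating TCP connection to stream (\S+):(\d+)")


def udp_preference_limit(conf_text: str) -> Optional[int]:
    """Return udp_preference_limit from [libdefaults], or None if it is unset."""
    section = None
    for line in conf_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults":
            continue
        m = _KEYVAL.match(line)
        if m and m.group(1) == "udp_preference_limit":
            return int(m.group(2))
    return None


def request_size(trace_text: str) -> Optional[int]:
    """Size in bytes of the request the client reported sending to the realm."""
    m = _REQ_SIZE.search(trace_text)
    return int(m.group(1)) if m else None


def first_kdc_transport(trace_text: str) -> Optional[Tuple[str, str, int]]:
    """First transport the client opened to a KDC, as (proto, host, port)."""
    for line in trace_text.splitlines():
        m = _UDP.search(line)
        if m:
            return ("UDP", m.group(1), int(m.group(2)))
        m = _TCP.search(line)
        if m:
            return ("TCP", m.group(1), int(m.group(2)))
    return None


def expected_transport(limit: Optional[int], size: int) -> str:
    """TCP is tried first when the message is larger than the limit, else UDP."""
    if limit is None:
        limit = DEFAULT_UDP_PREFERENCE_LIMIT
    return "TCP" if size > limit else "UDP"


def check(conf_text: str, trace_text: str) -> Dict[str, object]:
    """Compare the configured expectation with what the trace shows."""
    observed = first_kdc_transport(trace_text)
    size = request_size(trace_text)
    proto = observed[0] if observed else None
    if size is None or proto is None:
        return {"expected": None, "observed": proto, "ok": False}
    expected = expected_transport(udp_preference_limit(conf_text), size)
    return {"expected": expected, "observed": proto, "ok": expected == proto}


if __name__ == "__main__":
    for label, trace in (("unfixed", TRACE_BUGGY), ("fixed", TRACE_FIXED)):
        print(label, check(KRB5_CONF_TCP, trace))
```

On a real system, feed it the output of `KRB5_TRACE=/dev/stderr kinit` and the live /etc/krb5.conf; a result with `ok` false and `observed` UDP while the configured limit is 1 is exactly the symptom the test case demonstrates, and it is also the quickest way to confirm after an upgrade that clients now reach the KDC over TCP before relaxing or tightening the firewall rules mentioned under [Regression Potential].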
2017-05-05 18:14:25 Andreas Hasenack bug added subscriber Ubuntu Sponsors Team
2017-05-07 20:57:32 Mathew Hodson krb5 (Ubuntu Zesty): importance Undecided High
2017-05-11 21:19:53 Adam Conrad krb5 (Ubuntu Zesty): status In Progress Fix Committed
2017-05-11 21:19:55 Adam Conrad bug added subscriber Ubuntu Stable Release Updates Team
2017-05-11 21:19:59 Adam Conrad bug added subscriber SRU Verification
2017-05-11 21:20:06 Adam Conrad tags verification-needed
2017-05-11 21:20:26 Adam Conrad removed subscriber Ubuntu Sponsors Team
2017-05-12 21:00:01 Jochen Hein tags verification-needed verification-done
2017-05-22 15:19:42 Launchpad Janitor krb5 (Ubuntu Zesty): status Fix Committed Fix Released
2017-05-22 15:19:56 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team