Ubuntu
krb5 package

KDC/kadmind may fail to start on IPv4-only systems

Bug #1688310 reported by Andreas Hasenack
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
krb5 (Debian)
Fix Released
Unknown
krb5 (Ubuntu)
Fix Released
High
Unassigned
Zesty
Fix Released
High
Andreas Hasenack

Bug Description

This is fixed in artful in krb5 1.15-2

- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.

The provided patch is applied upstream and in Debian testing.

[Test Case]

Steps to reproduce the problem on zesty:

a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers

b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted

c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
 4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
 4306 ? Ss 0:00 /usr/sbin/kadmind -nofork

d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for <email address hidden>:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: <email address hidden>

Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 <email address hidden>
 renew until 05/05/2017 14:20:13

e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc

f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot

f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$

g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)

With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions.

[Regression Potential]
We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket.

That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration effort and most systems are dual stack. Zesty certainly is, out of the box.

See original description
Andreas Hasenack (ahasenack)
Changed in krb5 (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: In Progress → Fix Released
Changed in krb5 (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Bug Watch Updater (bug-watch-updater)
Changed in krb5 (Debian):
status: Unknown → Fix Released
Andreas Hasenack (ahasenack)
description: updated
description: updated
Mathew Hodson (mhodson)
Changed in krb5 (Ubuntu):
importance: Undecided → High
Changed in krb5 (Ubuntu Zesty):
importance: Undecided → High
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Andreas, or anyone else affected,

Accepted krb5 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.15-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in krb5 (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Andreas can you please test it?
thanks

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Reproducing the problem with 1.15-1:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status

After rebooting with no IPv6 support, the kerberos services are not running:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
ubuntu@15-89:~$

And we have the expected failure in auth.log:
ubuntu@15-89:~$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 15 13:23:40 15-89 kadmind[1195]: Failed setting up a UDP socket (for ::.464)
May 15 13:23:40 15-89 krb5kdc[1196]: Failed setting up a UDP socket (for ::.750)
May 15 13:24:34 15-89 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/grep -E (kadmind|krb5kdc).*Failed /var/log/auth.log

Now we install the fixed packages from proposed:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages

Immediately after that the services are running already:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
 2377 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
 2443 ? Ss 0:00 /usr/sbin/kadmind -nofork

We still have errors in auth.log, but they are not fatal:
May 15 13:26:49 15-89 kadmind[2443]: Address family not supported by protocol - Cannot create TCP server socket on ::.464
May 15 13:26:49 15-89 kadmind[2443]: Failed setting up a UDP socket (for ::.464)

And we are bound to IPv4 sockets only as expected:
ubuntu@15-89:~$ sudo netstat -anp|grep -E "^(tcp|udp).*(krb5kdc|kadmind)"
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2377/krb5kdc
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 2443/kadmind
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 2443/kadmind
udp 0 0 0.0.0.0:88 0.0.0.0:* 2377/krb5kdc
udp 0 0 0.0.0.0:464 0.0.0.0:* 2443/kadmind
udp 0 0 0.0.0.0:750 0.0.0.0:* 2377/krb5kdc

tags: added: verification-done-zesty
removed: verification-needed
Gianfranco Costamagna (costamagnagianfranco)
tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.15-1ubuntu0.1

---------------
krb5 (1.15-1ubuntu0.1) zesty; urgency=medium

  * Pulled in Debian fixes from Sam Hartman for:
    - kinit fails for OTP user when using kdc discovery via DNS
      (LP: #1683237)
    - KDC/kadmind explicit wildcard listener addresses do not use pktinfo
      (LP: #1688121)
    - KDC/kadmind may fail to start on IPv4-only systems (LP: #1688310)

 -- Andreas Hasenack <email address hidden> Fri, 05 May 2017 14:05:38 +0000

Changed in krb5 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.