2017-05-04 14:29:49 |
Andreas Hasenack |
bug |
|
|
added bug |
2017-05-04 14:32:33 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Zesty |
|
2017-05-04 14:40:32 |
Gianfranco Costamagna |
bug task added |
|
krb5 (Ubuntu Zesty) |
|
2017-05-04 14:50:10 |
Andreas Hasenack |
krb5 (Ubuntu): assignee |
Andreas Hasenack (ahasenack) |
|
|
2017-05-04 14:50:13 |
Andreas Hasenack |
krb5 (Ubuntu): status |
In Progress |
Fix Released |
|
2017-05-04 14:50:17 |
Andreas Hasenack |
krb5 (Ubuntu Zesty): status |
New |
In Progress |
|
2017-05-04 14:50:19 |
Andreas Hasenack |
krb5 (Ubuntu Zesty): assignee |
|
Andreas Hasenack (ahasenack) |
|
2017-05-04 17:13:24 |
Andreas Hasenack |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 |
|
2017-05-04 17:13:24 |
Andreas Hasenack |
bug task added |
|
krb5 (Debian) |
|
2017-05-04 22:16:22 |
Bug Watch Updater |
krb5 (Debian): status |
Unknown |
Fix Released |
|
2017-05-05 17:06:04 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/323686 |
|
2017-05-05 18:11:04 |
Andreas Hasenack |
description |
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start.
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu@EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) |
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu@EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
With the updated packages, krb5-kdc and krb5-admin-server will start up just fine in the same conditions.
[Regression Potential]
We now tolerate an EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. |
|
2017-05-05 18:12:53 |
Andreas Hasenack |
description |
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu@EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
With the updated packages, krb5-kdc and krb5-admin-server will start up just fine in the same conditions.
[Regression Potential]
We now tolerate an EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. |
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
[Impact]
getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) confirm the kdc and admin services are running.
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
$ kinit
Password for ubuntu@EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.ORG
Valid starting Expires Service principal
05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
$ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
udp6 0 0 :::88 :::* 1078/krb5kdc
udp6 0 0 :::464 :::* 1065/kadmind
udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
e.1) edit /etc/default/grub
e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
e.3) run sudo update-grub
e.4) reboot
f) Confirm the kdc and admin services are NOT running:
$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
$
g) /var/log/auth.log will contain the reason:
$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
With the updated packages, krb5-kdc and krb5-admin-server will start up just fine in the same conditions.
[Regression Potential]
We now tolerate an EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket.
That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration effort and most systems are dual stack. Zesty certainly is, out of the box. |
|
2017-05-05 18:14:43 |
Andreas Hasenack |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-05-07 21:00:13 |
Mathew Hodson |
krb5 (Ubuntu): importance |
Undecided |
High |
|
2017-05-07 21:00:17 |
Mathew Hodson |
krb5 (Ubuntu Zesty): importance |
Undecided |
High |
|
2017-05-11 21:20:25 |
Adam Conrad |
krb5 (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-05-11 21:20:28 |
Adam Conrad |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-05-11 21:20:29 |
Adam Conrad |
bug |
|
|
added subscriber SRU Verification |
2017-05-11 21:20:32 |
Adam Conrad |
tags |
|
verification-needed |
|
2017-05-11 21:20:36 |
Adam Conrad |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-05-15 13:31:47 |
Andreas Hasenack |
tags |
verification-needed |
verification-done-zesty |
|
2017-05-15 13:40:39 |
Gianfranco Costamagna |
tags |
verification-done-zesty |
verification-done verification-done-zesty |
|
2017-05-22 15:19:42 |
Launchpad Janitor |
krb5 (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-05-22 15:20:00 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
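The tolerance described under [Regression Potential] in the bug description, sketched in C as an added example; this is not the krb5 patch or code from the bug report. The function names `startup_verdict` and `probe_wildcard_udp`, the 8-entry result buffer and the use of port "0" are assumptions made for illustration.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Policy from [Regression Potential]: EAFNOSUPPORT on one address family is
 * tolerated only if at least one other wildcard socket was bound.
 * errs[i] is 0 for a bound socket, otherwise the errno of the failed step.
 * Returns the number of bound sockets, or -1 if startup should abort. */
int startup_verdict(const int *errs, size_t n)
{
    int bound = 0;
    for (size_t i = 0; i < n; i++) {
        if (errs[i] == 0)
            bound++;
        else if (errs[i] != EAFNOSUPPORT)
            return -1;          /* any other error is still fatal */
    }
    return bound > 0 ? bound : -1;
}

/* Try every wildcard address getaddrinfo() returns for `port` (UDP) and
 * record the outcome per address. Sockets are closed again: this is a probe. */
int probe_wildcard_udp(const char *port)
{
    struct addrinfo hints, *res, *ai;
    int errs[8];
    size_t n = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < 8; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) { errs[n++] = errno; continue; }
        errs[n++] = bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 ? 0 : errno;
        close(fd);
    }
    freeaddrinfo(res);
    return startup_verdict(errs, n);
}

int main(void)
{
    printf("bound wildcard sockets: %d\n", probe_wildcard_udp("0"));
    return 0;
}
```

A verdict of 1 on a host expected to be dual stack is the quiet case the description warns about: the service starts, but listens on one address family only.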