kadmind will not listen on IPv6 ports

Bug #309339 reported by squiggleslash
This bug affects 1 person
Affects: krb5 (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

kadmind, as issued with Ubuntu 8.04 LTS, will not listen on IPv6 ports. A netstat -l -p -6 will not show it as listening. kdc does not have the same problem; it works fine.

Looking at the source code, it appears that the version of kadmind being shipped with Ubuntu 8.04 LTS is not eyepeasixificationalized (!). krb5-1.6.dfsg.3~beta1/src/kadmin/server/ovsec_kadmd.c defines a structure, addr, which is the basic sockaddr_in rather than sockaddr_in6, used to bind to the kerberos-adm port, and the code that uses it is:

     memset(&addr, 0, sizeof(addr));
     addr.sin_family = AF_INET;
     addr.sin_addr.s_addr = INADDR_ANY;
     addr.sin_port = htons(params.kadmind_port);

     if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
         const char *e_txt = krb5_get_error_message (context, ret);
         krb5_klog_syslog(LOG_ERR, "Cannot create TCP socket: %s",
                          e_txt);
         fprintf(stderr, "Cannot create TCP socket: %s",
                 e_txt);
         kadm5_destroy(global_server_handle);
         krb5_klog_close(context);
         exit(1);
     }

     if ((schpw = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
         const char *e_txt = krb5_get_error_message (context, ret);
         krb5_klog_syslog(LOG_ERR,
                          "cannot create simple chpw socket: %s",
                          e_txt);
         fprintf(stderr, "Cannot create simple chpw socket: %s",
                 e_txt);
         kadm5_destroy(global_server_handle);
         krb5_klog_close(context);
         exit(1);
     }

There is no IPv6 code in the thing at all. I'm assuming there's no elaborate include file somewhere that redefines sockaddr_in and AF_INET to sockaddr_in6 and AF_INET6 respectively (and I don't know if such a thing would work anyway, I'm reading conflicting documentation on whether that would result in an IPv6-only app.)

Without this fixed, the remote admin daemon is essentially not useful on a network that's primarily IPv6.

Tags: ipv6
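
An added example, not part of the bug report or of krb5: the bind step from the quoted code redone as a dual-stack socket, showing that an AF_INET6 wildcard socket is not IPv6-only once IPV6_V6ONLY is cleared. The helper name open_dual_stack is hypothetical, and only socket setup is shown; the RPC and libkadm5 layers above it are not addressed.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hypothetical helper, not krb5 code: bind a wildcard socket of `type`
 * (SOCK_STREAM or SOCK_DGRAM) on `port`, reachable over IPv6 and IPv4.
 * Returns the descriptor, or -1 with errno set. */
int open_dual_stack(int type, unsigned short port)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    int s, off = 0, on = 1, saved;

    s = socket(AF_INET6, type, 0);
    if (s < 0 && errno != EAFNOSUPPORT)
        return -1;
    if (s >= 0) {
        memset(&a6, 0, sizeof(a6));
        a6.sin6_family = AF_INET6;
        a6.sin6_addr = in6addr_any;
        a6.sin6_port = htons(port);
        /* IPV6_V6ONLY off: IPv4 peers arrive as ::ffff:a.b.c.d. The default
         * is system-dependent, so set it explicitly rather than rely on it. */
        if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)) == 0 &&
            setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == 0 &&
            bind(s, (struct sockaddr *)&a6, sizeof(a6)) == 0)
            return s;
        goto fail;
    }
    /* Host has no IPv6 support at all: fall back to the original IPv4 bind. */
    if ((s = socket(AF_INET, type, 0)) < 0)
        return -1;
    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_addr.s_addr = htonl(INADDR_ANY);
    a4.sin_port = htons(port);
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == 0 &&
        bind(s, (struct sockaddr *)&a4, sizeof(a4)) == 0)
        return s;
fail:
    saved = errno;
    close(s);
    errno = saved;
    return -1;
}
```

With this in place, netstat -l -p -6 lists the listener, and IPv4 clients still connect through the same descriptor.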
Russ Allbery (rra-debian) wrote : Re: [Bug 309339] [NEW] kadmind will not listen on IPv6 ports

squiggleslash <email address hidden> writes:

> Looking at the source code, it appears that the version of kadmind being
> shipped with Ubuntu 8.04 LTS is not eyepeasixificationalized (!).
> krb5-1.6.dfsg.3~beta1/src/kadmin/server/ovsec_kadmd.c defines a
> structure, addr, which is the basic sockaddr_in rather than
> sockaddr_in6, used to bind to the kerberos-adm port, and the code that
> uses it is:

I believe that's correct and upstream does not (yet, at least) support the
kadmin protocol over IPv6.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

squiggleslash (squiggleslash) wrote :

Do we need upstream to fix it or can I (or someone else) try and create a patch we can use locally until MIT does its thing?

Russ Allbery (rra-debian) wrote : Re: [Bug 309339] Re: kadmind will not listen on IPv6 ports

squiggleslash <email address hidden> writes:

> Do we need upstream to fix it or can I (or someone else) try and create
> a patch we can use locally until MIT does its thing?

I honestly don't know. It depends on how deep into the guts of kadmind
and (particularly) the corresponding libraries the IPv4 assumptions go.
If you end up having to change the API to the underlying libkadm5*
libraries to support IPv6, it may be better to try to get upstream to fix
it rather than having a change of SONAME only in Ubuntu or Ubuntu/Debian.

I'm afraid I've not looked at it at all, so I don't know how bad it will
be. (kpasswd is likely to be the hardest problem, since it's UDP, but you
may not care about it.)

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>

Chuck Short (zulcss) wrote :

Setting as a wishlist item

Regards
chuck

Changed in krb5 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Emmet Hikory (persia)
tags: added: ipv6