
KDC won't start after fresh install


Sebastian Singer

Sep 5, 2013, 7:34:04 AM
to kerb...@mit.edu
Hi,

I have been installing Kerberos from scratch on Debian Wheezy today,
following http://techpubs.spinlocksolutions.com/dklar/kerberos.html .

Double-checked everything, but when trying to start the KDC this is what the
log says:

/var/log/kerberos/krb5kdc.log:
Sep 05 13:12:52 server.net krb5kdc[22172](debug): Got signal to request exit
Sep 05 13:12:52 server.net krb5kdc[22172](info): closing down fd 9
Sep 05 13:12:52 server.net krb5kdc[22172](info): closing down fd 8
Sep 05 13:12:52 server.net krb5kdc[22172](info): shutting down
Sep 05 13:12:52 server.net krb5kdc[22454](info): setting up network...
Sep 05 13:12:52 server.net krb5kdc[22454](info): listening on fd 8: udp 0.0.0.0.88 (pktinfo)
Sep 05 13:12:52 server.net krb5kdc[22454](info): listening on fd 9: udp 0.0.0.0.750 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: Das Argument ist ungültig - Cannot request packet info for udp socket address :: port 88
Sep 05 13:12:52 server.net krb5kdc[22454](info): skipping unrecognized local address family 17
Sep 05 13:12:52 server.net krb5kdc[22454](info): set up 2 sockets
Sep 05 13:12:52 server.net krb5kdc[22455](info): commencing operation

I opened ports 88, 464, 749 and 750 in iptables for udp and tcp. Still
no clean server start.
I wonder if there is something with ipv6 as in line 9 of the log it
refers to "socket address ::"?
I hope it is just a beginner's mistake ;-)

Every bit of help is appreciated.
Yours,
Sebastian

Benjamin Kaduk

Sep 5, 2013, 9:09:24 AM
to Sebastian Singer, kerb...@mit.edu
This failure mode does not ring any bells right away, but I would
double-check that you saw the "Caution" note about cases where "the
system's network hostname is assigned to the localhost address 127.0.0.1."
I think I have seen krb5 clients get confused when there is both an IPv4
and an IPv6 local address line, or some iteration thereof. Are you
intending to use IPv6 on the machine?

-Ben Kaduk

Roland C. Dowdeswell

Sep 5, 2013, 10:27:22 AM
to Benjamin Kaduk, kerb...@mit.edu
On Thu, Sep 05, 2013 at 09:09:24AM -0400, Benjamin Kaduk wrote:
>

> This failure mode does not ring any bells right away, but I would
> double-check that you saw the "Caution" note about cases where "the
> system's network hostname is assigned to the localhost address 127.0.0.1."
> I think I have seen krb5 clients get confused when there is both an IPv4
> and an IPv6 local address line, or some iteration thereof. Are you
> intending to use IPv6 on the machine?

This reminds me of a bug that I saw in 1.3.something where in each
protocol a single failure would stop the setting up of further
sockets but the KDC would continue to run---just listening a little
less than one would hope.

Looks like the issue still exists in the setup code by quick read
of loop_setup_network() which calls setup_udp_pktinfo_ports(),
setup_tcp_listener_ports(), and setup_rpc_listener_ports() ignoring
the return code. setup_tcp_listener_ports() simply returns an
error on the first error that it encounters. This may lead to
results which are sometimes a little less intuitive than one might
hope.

For your example, we see in setup_udp_port_1() the error that you
encountered in a loop over the configured ports. This error will
short-circuit this function's logic and hence it tries only 88 but
not 750. setup_udp_port_1() is called at the tail of setup_udp_port()
and the error is returned. setup_udp_port() is called via
foreach_localaddr(). foreach_localaddr() will stop processing if
its pass1 function pointer (passed in) returns non-zero but, in
this case, it will return success. And so, the KDC will short-circuit
the setting up of UDP sockets upon the first error that it encounters
and then continue to run leaving any other UDP sockets that you
may have expected to be configured unconfigured.

In any case, the logic in loop_setup_network() and almost all of
the functions that it calls are completely wrong. The KDC should
either (a) fail to run returning an error code if it can't configure
all of the ports that it wants to configure, or (b) configure
everything that it possibly can and write some complaints in the
log. What it does now, i.e. non-deterministically (from the point
of view of someone not reading the code, at least) selecting a
subset of listening ports any time that there is an error, is less
than desirable.

--
Roland Dowdeswell http://Imrryr.ORG/~elric/
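The listener-setup pattern Roland describes, as a constructed C model added here for illustration; it is not code from the krb5 source. Two local addresses (0.0.0.0 and ::, as foreach_localaddr() would enumerate them) are combined with the two configured UDP ports from the log (88 and 750), and a stand-in for socket()/bind()/pktinfo setup is assumed to fail with EINVAL for :: port 88, as in Sebastian's log. The short-circuit variant reproduces the log's "set up 2 sockets" while reporting success to its caller; beside it are the two behaviours Roland names as acceptable, (a) fail fast and (b) best effort with every failure logged. All function and variable names are invented for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not krb5 source: the local addresses that
 * foreach_localaddr() would enumerate and the configured UDP ports. */
struct local_addr { int family; const char *text; };
static const struct local_addr ADDRS[] = { { 4, "0.0.0.0" }, { 6, "::" } };
static const int PORTS[] = { 88, 750 };
#define NADDRS (sizeof ADDRS / sizeof ADDRS[0])
#define NPORTS (sizeof PORTS / sizeof PORTS[0])

/* Stand-in for socket()+bind()+pktinfo setsockopt(). Assumed to fail with
 * EINVAL for the IPv6 wildcard on port 88, mirroring the log line
 * "Cannot request packet info for udp socket address :: port 88". */
static int fake_bind_udp(const struct local_addr *a, int port)
{
    if (a->family == 6 && port == 88)
        return EINVAL;
    return 0;
}

/* Pattern Roland describes: for each address, stop at the first port that
 * fails, but never propagate the error, so the daemon keeps running with
 * fewer sockets than configured. Returns the number of sockets set up. */
static int setup_udp_short_circuit(void)
{
    int configured = 0;
    for (size_t i = 0; i < NADDRS; i++) {
        for (size_t j = 0; j < NPORTS; j++) {
            int err = fake_bind_udp(&ADDRS[i], PORTS[j]);
            if (err) {
                fprintf(stderr, "%s - cannot set up udp %s port %d\n",
                        strerror(err), ADDRS[i].text, PORTS[j]);
                break;  /* remaining ports on this address are skipped */
            }
            configured++;
        }
        /* the error is dropped here: the caller only ever sees success */
    }
    return configured;
}

/* Option (a): refuse to run unless every configured socket comes up.
 * Returns -1 on the first error, otherwise the socket count. */
static int setup_udp_fail_fast(void)
{
    int configured = 0;
    for (size_t i = 0; i < NADDRS; i++) {
        for (size_t j = 0; j < NPORTS; j++) {
            int err = fake_bind_udp(&ADDRS[i], PORTS[j]);
            if (err) {
                fprintf(stderr, "fatal: udp %s port %d: %s\n",
                        ADDRS[i].text, PORTS[j], strerror(err));
                return -1;
            }
            configured++;
        }
    }
    return configured;
}

/* Option (b): bind everything that can be bound, log each failure, and
 * report the failure count (when the caller asks for it) so the decision
 * to keep running is explicit rather than accidental. */
static int setup_udp_best_effort(int *failures)
{
    int configured = 0, failed = 0;
    for (size_t i = 0; i < NADDRS; i++) {
        for (size_t j = 0; j < NPORTS; j++) {
            int err = fake_bind_udp(&ADDRS[i], PORTS[j]);
            if (err) {
                fprintf(stderr, "warning: udp %s port %d: %s (continuing)\n",
                        ADDRS[i].text, PORTS[j], strerror(err));
                failed++;
                continue;
            }
            configured++;
        }
    }
    if (failures)
        *failures = failed;
    return configured;
}

int main(void)
{
    int failures = 0;
    int n_sc = setup_udp_short_circuit();
    int n_ff = setup_udp_fail_fast();
    int n_be = setup_udp_best_effort(&failures);
    printf("short-circuit: %d sockets, error never reported\n", n_sc);
    printf("fail-fast:     %d (negative means the KDC would not start)\n", n_ff);
    printf("best-effort:   %d sockets, %d failure(s) logged\n", n_be, failures);
    return 0;
}
```

Compiled with any C99 compiler and run, the short-circuit variant ends with 2 sockets (0.0.0.0 on 88 and 750, nothing on ::), which is exactly the "set up 2 sockets" in the log, yet its caller is never told anything went wrong; fail-fast returns -1 at the first error, and best-effort comes up with 3 sockets plus one logged failure, leaving the operator with a log line to act on instead of a silently missing listener.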

Sebastian Singer

Sep 5, 2013, 10:39:48 AM
to Roland C. Dowdeswell, Benjamin Kaduk, kerberos MIT.EDU
Thanks, but ... I don't really understand, sorry. Is this version buggy? How can I fix it?
I tried to start kdc and looked at
# /etc/init.d/krb5-kdc status
It says it's started.
But when trying to connect via
# kadmin
it stops with the message:
"kadmin: Cannot contact any KDC for requested realm while initiating kadmin interface"
So the KDC is up in one way or the other but does not connect to the realm defined in /etc/krb5.conf ?

----------------original message-----------------
From: "Roland C. Dowdeswell" el...@imrryr.org
To: "Benjamin Kaduk" ka...@MIT.EDU
Cc: "Sebastian Singer" sebastia...@kesslar.de , kerb...@MIT.EDU
Date: Thu, 5 Sep 2013 15:27:22 +0100
-------------------------------------------------
--
Dear staff of the NSA,
this is a solely private e-mail, no terrorist background intended nor included. So if you don't mind you can confidently delete it. Further storing is futile.
Yours,
(well I guess you know who I am in any case)


Roland C. Dowdeswell

Sep 5, 2013, 10:40:55 AM
to Sebastian Singer, kerberos MIT.EDU
On Thu, Sep 05, 2013 at 04:39:48PM +0200, Sebastian Singer wrote:
>

> Thanks, but ... I don't really understand, sorry. Is this version
> buggy? How can I fix it?
> I tried to start kdc and looked at
> # /etc/init.d/krb5-kdc status
> It says it's started.
> But when trying to connect via
> # kadmin
> it stops with the message:
> "kadmin: Cannot contact any KDC for requested realm while initiating kadmin interface"
> So the KDC is up in one way or the other but does not connect to the
> realm defined in /etc/krb5.conf ?

Looks to me like a bug. If you are not using IPv6, then you can work around
the issue by disabling IPv6 on your server.

Sebastian Singer

Sep 5, 2013, 10:47:59 AM
to Roland C. Dowdeswell, kerberos MIT.EDU
Right. So I will disable IPv6 and report back here.
Regards,
Sebastian

----------------original message-----------------
From: "Roland C. Dowdeswell" el...@imrryr.org
To: "Sebastian Singer" sebastia...@kesslar.de
Cc: "Benjamin Kaduk" ka...@MIT.EDU , "kerberos MIT.EDU" kerb...@MIT.EDU
Date: Thu, 5 Sep 2013 15:40:55 +0100
-------------------------------------------------

Sebastian Singer

Sep 5, 2013, 11:03:23 AM
to Roland C. Dowdeswell, kerberos MIT.EDU
Nothing changed. I disabled IPv6:
# echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
and did
# sysctl -p /etc/sysctl.d/disableipv6.conf
restarted both servers kadmin and kdc.
Still the same old error.
?

----------------original message-----------------
From: "Sebastian Singer" sebastia...@kesslar.de
To: "Roland C. Dowdeswell" el...@imrryr.org
Cc: "kerberos MIT.EDU" kerb...@mit.edu
Date: Thu, 5 Sep 2013 16:47:59 +0200
-------------------------------------------------
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Benjamin Kaduk

Sep 5, 2013, 11:12:45 AM
to Sebastian Singer, kerberos MIT.EDU
On Thu, 5 Sep 2013, Sebastian Singer wrote:

> Nothing changed. I disabled IPv6:
> # echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
> and did
> # sysctl -p /etc/sysctl.d/disableipv6.conf
> restarted both servers kadmin and kdc.
> Still the same old error.

But are there any IPv6 addresses in /etc/hosts ?

-Ben Kaduk

Benjamin Kaduk

Sep 5, 2013, 11:16:23 AM
to Sebastian Singer, kerberos MIT.EDU
Please do.
-Ben

On Thu, 5 Sep 2013, Sebastian Singer wrote:

> Yes. Should I comment them?
>
> ----------------original message-----------------
> From: "Benjamin Kaduk" ka...@MIT.EDU
> To: "Sebastian Singer" sebastia...@kesslar.de
> Cc: "kerberos MIT.EDU" kerb...@MIT.EDU
> Date: Thu, 5 Sep 2013 11:12:45 -0400 (EDT)
> -------------------------------------------------

Sebastian Singer

Sep 5, 2013, 11:14:12 AM
to Benjamin Kaduk, kerberos MIT.EDU

Sebastian Singer

Sep 5, 2013, 11:24:08 AM
to Benjamin Kaduk, Roland C. Dowdeswell, kerberos MIT.EDU
Commented all entries concerning ipv6 (just localhost entries),
# ifconfig -a
shows ipv4 IP addresses only.
Restarted krb5-admin and krb5-kdc: same error.

Triple-checked /etc/krb5.conf, /etc/hosts, /etc/networks/interface and iptables entries.

Guess I need a break for an hour or two. Feel like a mouse in a trap. I fear that in the end it is one of those trivial things I have omitted ...
Thanks so far,
Sebastian

----------------original message-----------------
From: "Benjamin Kaduk" ka...@MIT.EDU
To: "Sebastian Singer" sebastia...@kesslar.de
Cc: "kerberos MIT.EDU" kerb...@MIT.EDU
Date: Thu, 5 Sep 2013 11:16:23 -0400 (EDT)
-------------------------------------------------


> Please do.
> -Ben