[37595] in Kerberos


Re: Bugs in 1.14.3 krb5kdc on startup

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jul 27 11:55:20 2016

To: David Shrimpton <d.shrimpton@its.uq.edu.au>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <5798D957.2050505@mit.edu>
Date: Wed, 27 Jul 2016 11:55:03 -0400
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.00.1607271640140.16035@sky.soe.uq.edu.au>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 07/27/2016 04:22 AM, David Shrimpton wrote:
> 1. The log message should show UDP not TCP as a UDP socket is being attempted
>    to be created.   The code logs TCP always regardless of whether UDP or TCP
>    socket is being created.  This is confusing in the situation above where
>    tcp has been disabled in kdc.conf.

Agreed.  This appears to be a long-standing bug, and is still present in
the current code.

> 2. There is no time and date on the "krb5kdc: Address family not supported ..."
>    log line

Yeah, we have two different ways of generating log messages in krb5kdc
and kadmind, and they don't generate consistent output.  We should fix
that as well.

> 3. krb5kdc is automatically attempting to create an ipv6 socket
>    but there are no ipv6 interfaces on this host to bind to this socket
>    if it were created.   This is a bit confusing and leads to the misleading
>    error message above always on startup on this host when there should be
>    no error message at all.

The current code on master uses getaddrinfo() on the wildcard address
(or on the configured listening address).  I believe that will only
return an IPv4 address on a system with no IPv6 interfaces.  So I think
this part of the problem is already fixed for 1.15.

For 1.14 and prior, we could consider ignoring EAFNOSUPPORT errors for
IPv6, or something similar.  But my inclination is that this problem
isn't serious enough to require a backported change.

If you would like to file tickets for the first two bugs (by sending
mail to krb5-bugs@mit.edu, one for each problem), so that you receive
email updates for them, please go ahead.  Otherwise I can do it.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
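
The behaviour discussed in the message above, as an added example that is not part of the original message and is not krb5 source: enumerate the wildcard address with getaddrinfo(), name the protocol in log lines from the socket type actually requested, and stay quiet when an IPv6 socket fails with EAFNOSUPPORT. The function names and the port "0" (any free port) are assumptions made for illustration.

```c
/* Added illustration, not krb5 source; all function names are hypothetical. */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Name the transport from the socket type actually requested. */
static const char *proto_name(int t) { return t == SOCK_DGRAM ? "UDP" : "TCP"; }

/* EAFNOSUPPORT on an IPv6 socket means "no IPv6 on this host", not a fault. */
static int ignorable_error(int family, int err)
{ return family == AF_INET6 && err == EAFNOSUPPORT; }

/* Bind wildcard sockets on port; returns how many were bound, or -1. */
static int open_listeners(const char *port, int socktype, int *fds, int max)
{
    struct addrinfo hints = { .ai_socktype = socktype,
                              .ai_flags = AI_PASSIVE | AI_NUMERICSERV };
    struct addrinfo *res, *ai;
    int n = 0, on = 1;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            if (!ignorable_error(ai->ai_family, errno))
                fprintf(stderr, "Cannot create %s socket: %s\n",
                        proto_name(socktype), strerror(errno));
            continue;
        }
        if (ai->ai_family == AF_INET6)  /* keep v4 and v6 sockets separate */
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) != 0) {
            fprintf(stderr, "Cannot bind %s socket: %s\n",
                    proto_name(socktype), strerror(errno));
            close(fd);
            continue;
        }
        fds[n++] = fd;
    }
    freeaddrinfo(res);
    return n;
}

int main(void) { int fds[4]; return open_listeners("0", SOCK_DGRAM, fds, 4) < 0; }
```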
