[15974] in Kerberos-V5-bugs
[krbdev.mit.edu #8676] RFE: [realms] should support an
daemon@ATHENA.MIT.EDU (James Ralston via RT)
Mon Apr 30 11:16:15 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "James Ralston via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8676@krbdev.mit.edu>
Message-ID: <rt-8676-48458.0.858402508911027@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8676'":;
Date: Mon, 30 Apr 2018 11:16:02 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Anyone who has watched the MIT Kerberos library speak to a Microsoft
Active Directory KDC knows that performing a simple kinit requires a
13-packet exchange:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C UDP AS-REQ (no preauth)
2 S UDP KRB5KDC_PREAUTH_REQUIRED
3 C UDP AS-REQ (with preauth)
4 S UDP KRB5KRB_ERR_RESPONSE_TOO_BIG
5 C TCP SYN
6 S TCP SYN/ACK
7 C TCP ACK
8 C TCP PSH/ACK AS-REQ (with preauth)
9 S TCP PSH/ACK AS-REP
10 C TCP ACK
11 C TCP FIN/ACK
12 S TCP ACK
13 S TCP RST/ACK
---------------------------------------------------------
The first (UDP-based) exchange fails because the MIT Kerberos library
doesn't use preauth. The second exchange fails because virtually all
responses from a Microsoft Active Directory KDC will include a PAC,
and thus will be unable to fit within a UDP packet.
There is a [libdefaults] option, udp_preference_limit, that can be
used to tell the MIT Kerberos library to always use TCP instead of
UDP. But when speaking to an Active Directory KDC, setting that
option to 0 (to always force TCP) in fact makes the exchange *worse*,
not better:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C TCP SYN
2 S TCP SYN/ACK
3 C TCP ACK
4 C TCP PSH/ACK AS-REQ (no preauth)
5 S TCP PSH/ACK KRB5KDC_PREAUTH_REQUIRED
6 C TCP ACK
7 C TCP FIN/ACK
8 S TCP ACK
9 S TCP RST/ACK
10 C TCP SYN
11 S TCP SYN/ACK
12 C TCP ACK
13 C TCP PSH/ACK AS-REQ (with preauth)
14 S TCP PSH/ACK AS-REP
15 C TCP ACK
16 C TCP FIN/ACK
17 S TCP ACK
18 S TCP RST/ACK
---------------------------------------------------------
Rather than taking 2 UDP packets to discover that preauth is required,
it takes 9 TCP packets.
If there were a [realms]-specific option for the administrator to tell
the MIT Kerberos library that a specific realm *always* requires
preauth, then the useless KRB5KDC_PREAUTH_REQUIRED exchange (2 UDP
packets or 9 TCP packets) could be avoided. Combined with setting
udp_preference_limit, this could meaningfully reduce the packet
exchange count required for an initial kinit:
---------------------------------------------------------
packet TCP Kerberos
number who proto options protocol
---------------------------------------------------------
1 C TCP SYN
2 S TCP SYN/ACK
3 C TCP ACK
4 C TCP PSH/ACK AS-REQ (with preauth)
5 S TCP PSH/ACK AS-REP
6 C TCP ACK
7 C TCP FIN/ACK
8 S TCP ACK
9 S TCP RST/ACK
---------------------------------------------------------
Therefore, please consider adding a [realms]-specific option to force
the MIT Kerberos libraries to always use preauth when talking to the
KDCs for the realm in question.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs