[14468] in Athena Bugs
Kerberos clients don't work with multihomed kerberos servers
daemon@ATHENA.MIT.EDU (Derek Atkins)
Wed Jul 17 18:22:50 1996
To: bugs@MIT.EDU, testers@MIT.EDU
Date: Wed, 17 Jul 1996 18:22:40 EDT
From: Derek Atkins <warlord@MIT.EDU>
I've tried this on a Sun (bart-savagewood, Athena 8.0); but it should
happen on most Athena machines.
I was trying to contact a kerberos server which is multi-homed:
Ready> hostinfo kerberos.ihtfp.org
Desired host: kerberos.ihtfp.org
Official name: incommunicado.ihtfp.org
Alias: kerberos.ihtfp.org
Host address: 204.107.200.17
Host address: 204.107.200.2
Host info: i486DX2-66/Linux
Since the .2 address is the "outside" address, packets are coming from
there, not the .17 address. However the Athena Kerberos libraries
only accept packets from the first address in the list. It doesn't
check for this case, where packets are coming from an alternative
address, and drops the packets on the floor. Hence, I cannot
authenticate until the machine reboots or named drops the cached
information and the DNS round-robin gets me the other address.
The bug is in send_to_kdc(). It should check the return address of
the packet and compare it with all the "known" addresses for the
server, rather than assume it is the "first" address in the IP address
list.
Right now when I try to access kerberos.ihtfp.org I get:
Ready> rlogin mum.ihtfp.org -x
rlogin: Kerberos rcmd failed: Retry count exceeded (send_to_kdc).
I know that CNS solves this problem. If you want a patch against the
MIT send_to_kdc, I'd be happy to supply one. Either that, or we can
just bite the bullet and run CNS.
-derek
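The check the report asks for, as an added example in C that is not code from the Athena Kerberos libraries, from CNS, or from Derek's offered patch: a stand-in for the reply-source test inside send_to_kdc(), with the "first address only" behaviour the report describes beside the "any known address" variant. The address list and the reply source are constructed from the hostinfo output above; the struct name `kdc_addrs`, the function names and the port number are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the address list send_to_kdc() gets back
 * from the resolver for a multi-homed KDC (example code, not the
 * Athena library's own data structure). */
#define MAX_KDC_ADDRS 8

struct kdc_addrs {
    struct in_addr addr[MAX_KDC_ADDRS];
    size_t count;
};

/* Fill the list from dotted-quad strings. In the real client these
 * would come from gethostbyname(); here they are the two A records
 * shown by hostinfo in the message. Returns the number parsed. */
static size_t kdc_addrs_from_strings(struct kdc_addrs *k, const char **s, size_t n)
{
    k->count = 0;
    for (size_t i = 0; i < n && k->count < MAX_KDC_ADDRS; i++) {
        if (inet_pton(AF_INET, s[i], &k->addr[k->count]) == 1)
            k->count++;
    }
    return k->count;
}

/* Behaviour the report describes: a reply is accepted only if its
 * source is the first resolved address. A reply from the KDC's other
 * interface is dropped on the floor and the client eventually fails
 * with "Retry count exceeded". */
static int reply_ok_first_only(const struct kdc_addrs *k, const struct sockaddr_in *from)
{
    if (k->count == 0 || from->sin_family != AF_INET)
        return 0;
    return from->sin_addr.s_addr == k->addr[0].s_addr;
}

/* The fix the report asks for: compare the reply's source against
 * every known address of the server, not just the first. */
static int reply_ok_any_known(const struct kdc_addrs *k, const struct sockaddr_in *from)
{
    if (from->sin_family != AF_INET)
        return 0;
    for (size_t i = 0; i < k->count; i++) {
        if (from->sin_addr.s_addr == k->addr[i].s_addr)
            return 1;
    }
    return 0;
}

/* Build a reply source address for the demonstration (constructed). */
static void make_from(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa->sin_addr);
}

/* Run both checks against a reply arriving from reply_ip for the
 * kerberos.ihtfp.org address list in the message.
 *   0: both checks reject the reply (unknown source)
 *   1: only the "any known address" check accepts it (the bug case:
 *      the KDC answered from its second address)
 *   2: both checks accept it (reply from the first address) */
int classify_reply_source(const char *reply_ip)
{
    const char *ips[] = { "204.107.200.17", "204.107.200.2" };
    struct kdc_addrs k;
    struct sockaddr_in from;

    kdc_addrs_from_strings(&k, ips, 2);
    make_from(&from, reply_ip, 88); /* port 88 assumed, constructed */

    int first = reply_ok_first_only(&k, &from);
    int any = reply_ok_any_known(&k, &from);
    if (first && any)
        return 2;
    if (any)
        return 1;
    return 0;
}
```

Two caveats a practitioner would add. First, the source-address comparison is a demultiplexing and robustness check, not an authentication step: a UDP source address is trivially forged, so the client's confidence in a KDC reply has to rest on the reply being encrypted under a key only the real KDC could know, not on where the datagram claims to come from. Second, the "any known address" list is only as complete as what the resolver returned; a KDC answering from an interface that has no A record at all would still be dropped by this check, which is a configuration problem on the server side rather than a client bug.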