[946] in SIPB_Linux_Development
Re: probs still with Linux/Kerberos
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Feb 27 23:44:51 1995
To: "Theodore Ts'o" <tytso@MIT.EDU>, linux-dev@MIT.EDU, netbsd-dev@MIT.EDU
Cc: Greg Hudson <ghudson@MIT.EDU>
In-Reply-To: Your message of "Mon, 27 Feb 1995 21:01:43 +0500."
<9502280201.AA19256@dcl.MIT.EDU>
Date: Mon, 27 Feb 1995 23:48:00 EST
From: Greg Hudson <ghudson@MIT.EDU>
[Background: I asked Ted what his recommendation was on dealing with
the kerberos port conflict in /etc/services, which is now a problem
with Linux as well as NetBSD.]
> The client side solution (which requires programming work) is to
> make the V4 code do the same thing that the V5 client side code does
> ---- try both port 88 and port 750 (using the service names kerberos
> and kerberos-sec) for each host. It's something which I thought
> should always be done to the V4 code, but for which I've never had
> the time to actually do. This has the advantage that it will cause
> the right thing to happen for all Kerberos realms (as opposed to a
> server-side hack which will only work for the ATHENA.MIT.EDU realm).
I have:
* Developed and tested changes to do this, performing the
queries serially.
* Rebuilt Kerberos and telnet and installed them in
/usr/athena (pending volume release) for NetBSD.
* Rebuilt Kerberos and telnet on quiche, installed it, and made
a new kerberos package. I have not rebuilt all clients
which depended on Kerberos, but I did rebuild telnet.
* Modified services.add for Linux to include:
kerberos 88/udp kdc # Kerberos authentication--udp
kerberos 88/tcp kdc # Kerberos authentication--tcp
kerberos-sec 750/udp kdc # Kerberos authentication--udp
kerberos-sec 750/tcp kdc # Kerberos authentication--tcp

I also discovered that Linux does not have to time out when it tries
the wrong port, because it passes the connection refused packet up to
the kerberos library, which gets an ECONNREFUSED and tries port 750.
NetBSD, which is still broken in this regard (and might still have to
be for its RPC libraries to work), has to wait five seconds to time
out if it tries port 88 first.
I have not made any provisions for modifying /etc/services on NetBSD
machines; I'm going to wait for the v5 deployment on kerberos.mit.edu
for that, because of the five-second delay. (I think a five-second
delay is reasonable for outside port-750-only sites, but is pretty
severe for the Athena realm.)
So the current state is:
* The kerberos libraries will look up the services "kerberos"
and "kerberos-sec". They will default to 88 for kerberos
and 750 for kerberos-sec, which is also what I expect to
have in /etc/services files for Linux and NetBSD.
* Old machines whose services files map kerberos to port 750
will, even if they use the new kinit, continue to try port
750 first because "kerberos" resolves to 750.
* Linux machines whose services files map kerberos to port 88
can solve their problems with Kerberos by updating their
kerberos package (and leaving their /etc/services files
alone, or updating them by hand).
* Newly-installed Linux machines will get the new services
file and try port 88 first, but will get an ECONNREFUSED
quickly and succeed on port 750.
* Newly-installed NetBSD machines will still try port 750
first; this will be the case until port 88 on
kerberos.mit.edu responds to kerberos requests unless we can
fix the NetBSD kernel without impacting any of the NetBSD
libraries or user-space programs (ha).
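The port-fallback behaviour discussed in this message, as an added example that is not part of the original mail or of the MIT Kerberos code: a client resolves "kerberos" and "kerberos-sec" through /etc/services with the 88/750 defaults, sends to each port in turn over a connected UDP socket, and records whether a dead port failed fast with ECONNREFUSED (the Linux behaviour) or had to wait for the timeout (the NetBSD behaviour). The function names, the fake responder and the "AS_REQ" payload are assumptions constructed for the demo.

```python
import socket
import threading

# Service names and built-in defaults as the message describes them:
# "kerberos" -> 88, "kerberos-sec" -> 750 when /etc/services has no entry.
KDC_SERVICES = (("kerberos", 88), ("kerberos-sec", 750))


def resolve_port(name, default, proto="udp"):
    """Look up a service in /etc/services, falling back to the built-in default.

    On an old machine whose services file maps "kerberos" to 750, this is
    exactly why the new client still tries 750 first.
    """
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return default


def kdc_ports(services=KDC_SERVICES):
    """Ports in the order the client will try them (first entry first)."""
    return [resolve_port(name, default) for name, default in services]


def probe_kdc(host, ports, payload, timeout=5.0):
    """Send payload to each port serially until one answers.

    Returns (port, reply, attempts); attempts is a list of (port, outcome) with
    outcome 'ok', 'refused' or 'timeout'.  A connected UDP socket is used so an
    ICMP port-unreachable surfaces as ECONNREFUSED on recv (fast failure); a
    kernel that does not hand that error up to the socket shows 'timeout'
    after the full wait instead.
    """
    attempts = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            try:
                s.send(payload)
                reply = s.recv(65535)
            except ConnectionRefusedError:
                attempts.append((port, "refused"))
                continue
            except socket.timeout:
                attempts.append((port, "timeout"))
                continue
            attempts.append((port, "ok"))
            return port, reply, attempts
    return None, None, attempts


def start_fake_kdc():
    """Constructed stand-in for a KDC: answers one datagram on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        data, addr = srv.recvfrom(65535)
        srv.sendto(b"KDC:" + data, addr)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=1.0):
    """Try a closed port first (the 'wrong' port), then the fake KDC."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]   # nobody listens here once we close it
    tmp.close()
    live_port = start_fake_kdc()
    return live_port, probe_kdc("127.0.0.1", [dead_port, live_port],
                                b"AS_REQ", timeout=timeout)


if __name__ == "__main__":
    print("configured order:", kdc_ports())
    live, (port, reply, attempts) = demo()
    print("answered on", port, "reply", reply, "attempts", attempts)
```

The first attempt's outcome is what differs between the two kernels: 'refused' means the wrong port cost only a round trip, 'timeout' means it cost the whole timeout, which is the five-second delay the message is weighing against leaving NetBSD's services file alone.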