> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Tuesday, August 11, 2009 10:12 AM
> To: Andrew Cobaugh
> Cc: [email protected]
> Subject: RE: IPv6 handling in SASL LDAP binding
>
> Our printer has a WebUI, that enables us to configure
> Kerberos server through web page. By "configured the Kerberos
> server with hostname", I mean doing it from WebUI. Our
> printer has another DNS option, "Prefer IPv6 address over
> IPv4 address", to prioritize on IPv6 address in resolving
> hostnames. Thus, when the Kerberos server's hostname is
> configured by hostname, DNS will return an IPv6 address in
> response, and write the value into "/etc/krb5.conf".
>
> When "/etc/krb5.conf" is configured with IPv4 address:
> ================================================
> [libdefaults]
>     default_realm = XCIPV6.COM
>
> [realms]
>     XCIPV6.COM = {
>         kdc = 13.198.97.42:88
>     }
> ================================================
> SASL binding is successful, with all network traffic on IPv4 protocol.
>
> In contrast, when "/etc/krb5.conf" has kdc in IPv6 form:
> ================================================
> [libdefaults]
>     default_realm = XCIPV6.COM
>
> [realms]
>     XCIPV6.COM = {
>         kdc = [3ffe:2000:0:1::100]:88
>     }
> ================================================
> SASL binding will fail.
>
> The failing network trace has the following DNS query:
> ================================================
> 953 29.970599 13.198.98.117 13.198.97.42 DNS Standard query AAAA [3ffe.xcipv6.com
> 954 29.970621 13.198.97.42 13.198.98.117 DNS Standard query response, No such name
> ================================================
> Note that the AAAA DNS query begins with "[3ffe", which is
> retrieved from "/etc/krb5.conf". The failure of this DNS
> query is expected.
>
> The problem in SASL LDAP binding is it can't locate the
> Kerberos server (due to the above reason), hence TGS-REQ
> can't be initiated. To my knowledge, the locating of Kerberos
> server is done by Cyrus-SASL plugin (libgssapiv2.so) calling
> MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the
> former has some problem in handling IPv6 address configured
> in "/etc/krb5.conf".
>
> Still, the IPv6 address can be handled correctly by "kinit"
> and the Kerberos server can be found when authentication is
> done. I am not sure if kinit and libgssapi_krb5.so are
> compiled in the same MIT source package. If the answer is
> yes, then it is quite weird that kinit can handle IPv6
> address, while libgssapi_krb5.so can't. If the answer is no,
> then it is more understandable.

Could anyone tell me which function in libgssapi_krb5.so is supposed to use
/etc/krb5.conf to find the whereabouts of the server?

Thanks,
Xu Qiang
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
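
An added illustration, not code from this thread, MIT Kerberos or Cyrus SASL: splitting the quoted kdc value at its first colon yields exactly the "[3ffe" name seen in the DNS trace, while a bracket-aware split yields a literal that needs no DNS query. That a first-colon split is the actual cause is an assumption; the function names are hypothetical and 88 is assumed as the default port.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical naive split at the first ':'; reproduces the "[3ffe" name. */
int split_first_colon(const char *e, char *host, size_t hlen, char *port, size_t plen)
{
    const char *c = strchr(e, ':');
    size_t n = c ? (size_t)(c - e) : strlen(e);
    if (n == 0 || n >= hlen) return -1;
    memcpy(host, e, n); host[n] = '\0';
    snprintf(port, plen, "%s", c ? c + 1 : "88");
    return 0;
}

/* Bracket-aware split: "[v6]:port", "[v6]", "host:port", "host", bare "v6". */
int split_kdc_entry(const char *e, char *host, size_t hlen, char *port, size_t plen)
{
    const char *h = e, *hend = e + strlen(e), *p = NULL, *first;
    if (*e == '[') {
        h = e + 1;
        if (!(hend = strchr(h, ']'))) return -1;   /* unterminated bracket */
        if (hend[1] == ':') p = hend + 2;
        else if (hend[1] != '\0') return -1;       /* junk after ']' */
    } else if ((first = strchr(e, ':')) && !strchr(first + 1, ':')) {
        hend = first; p = first + 1;               /* exactly one colon: host:port */
    }                                              /* 2+ colons: bare IPv6, no port */
    size_t n = (size_t)(hend - h);
    if (n == 0 || n >= hlen || (p && *p == '\0')) return -1;
    memcpy(host, h, n); host[n] = '\0';
    snprintf(port, plen, "%s", p ? p : "88");
    return 0;
}

/* 1 if host is an IPv4 or IPv6 literal, i.e. usable without any DNS query. */
int is_ip_literal(const char *host)
{
    unsigned char buf[16];                         /* large enough for an IPv6 address */
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

int main(void)
{
    const char *kdc = "[3ffe:2000:0:1::100]:88";   /* kdc value from the post */
    char host[64], port[16];
    split_first_colon(kdc, host, sizeof host, port, sizeof port);
    printf("naive: host=%s literal=%d\n", host, is_ip_literal(host));
    split_kdc_entry(kdc, host, sizeof host, port, sizeof port);
    printf("fixed: host=%s port=%s literal=%d\n", host, port, is_ip_literal(host));
    return 0;
}
```

A host string that is not an address literal is what gets handed to the resolver, which is consistent with the AAAA query for "[3ffe" plus the search domain in the trace.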
