Jan Sanders,

Probably you have a firewall problem like Tom said :)
Trace the UDP/464 return path from server to client... non-stateful firewalls, ACLs on switches, etc...
On Wed, Sep 9, 2009 at 10:48 AM, Tom Yu <[email protected]> wrote:
> Jan Sanders <[email protected]> writes:
>
>> Hello List,
>>
>> on my client machine I can get Kerberos tickets for my principal using
>> the correct principalname-password combination. I can also use kadmin on
>> the client machine providing the correct principalname-password
>> combination for an admin principal. Changing the password for a
>> principal is no problem using kadmin.
>> But then I try to use kpasswd on the client machine. I provide kpasswd
>> with the correct principalname-password combination and twice state
>> what the new password should be, and then I wait for a couple of seconds
>> before kpasswd returns.
>> On returning it complains: Cannot contact any KDC for requested realm
>> But it also changed the password. After invoking kpasswd and observing
>> the above-stated behaviour I have to provide the new password to obtain
>> a ticket.
>> Even though kpasswd works as advertised (changes the password) it will
>> cause some trouble telling users that the error message can safely be
>> ignored (if it can!!).
>>
>> Using strace I could see some timeouts of select syscalls.
>> kpasswd obtains a file descriptor for an IP connection, connects to the
>> KDC and successfully sends 490 bytes of data.
>> Then kpasswd uses the select syscall to monitor the file descriptor, which
>> times out twice.
>> kpasswd resends the 490 bytes and again waits for two select syscalls to
>> time out.
>> Then again, and finally it returns with the "Cannot contact any KDC for
>> requested realm" complaint.
>>
>> strace was invoked like this:
>> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>>
>> What strikes me is the invocation of the select syscall. According to
>> the select specification the first parameter of the syscall is the
>> number of monitored file descriptors + 1. The select calls as used here
>> only monitor 2 file descriptors (better: one file descriptor is monitored
>> twice). The number of file descriptors is set to 5. I do not know how
>> select behaves when invoked like that and it seems not to be specified.
>
> I believe the call to select() is correct. The first parameter should
> be an integer that is one greater than the number of the
> highest-numbered file descriptor, i.e., the highest-numbered file
> descriptor that select() should look at here is file descriptor #4,
> which means that select(5, ....) is correct.
>
> What is probably happening is that the UDP reply packet from the KDC's
> kpasswd service is not reaching you, which could be caused by a
> firewall or other factors related to network topology. Can you get a
> packet trace on UDP port 464, both on the client's network and on the
> KDC's network?
>
>> The (slightly sanitized) output of strace starting from the socket
>> request for connecting to the KDC:
>>
>> 8006 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
>> 8006 connect(4, {sa_family=AF_INET, sin_port=htons(464),
>> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
>> 8006 getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
>> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
>> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006 gettimeofday({1252498115, 459404}, NULL) = 0
>> 8006 gettimeofday({1252498115, 459444}, NULL) = 0
>> 8006 select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
>> 8006 gettimeofday({1252498116, 457725}, NULL) = 0
>> 8006 gettimeofday({1252498116, 457765}, NULL) = 0
>> 8006 select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
>> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006 gettimeofday({1252498118, 462172}, NULL) = 0
>> 8006 gettimeofday({1252498118, 462214}, NULL) = 0
>> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006 gettimeofday({1252498119, 461724}, NULL) = 0
>> 8006 gettimeofday({1252498119, 461763}, NULL) = 0
>> 8006 select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
>> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006 gettimeofday({1252498123, 466171}, NULL) = 0
>> 8006 gettimeofday({1252498123, 466213}, NULL) = 0
>> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006 gettimeofday({1252498124, 465728}, NULL) = 0
>> 8006 gettimeofday({1252498124, 465767}, NULL) = 0
>> 8006 select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
>> 8006 close(4) = 0
>> 8006 write(2, "kpasswd", 7) = 7
>> 8006 write(2, ": ", 2) = 2
>> 8006 write(2, "Cannot contact any KDC for requested realm", 42) = 42
>> 8006 write(2, " ", 1) = 1
>> 8006 write(2, "changing password", 17) = 17
>> 8006 write(2, "\r\n", 2) = 2
>> 8006 exit_group(1) = ?
>>
>> End of strace output.
>>
>>
>> I hope all this is helpful for finding the cause of the "Cannot contact
>> ..." error.
>>
>> cheers
>>
>> Jan Sanders
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
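As an added illustration (not code from this thread, nor from MIT Kerberos), the following Python script reproduces the client-side pattern visible in the strace above: connect() a UDP socket, send the request, select() on that single descriptor for about 1 s and then for a 2 s / 4 s / 8 s backoff, resend before each longer wait, and give up after three sends. It bundles a constructed local UDP listener that either answers or stays silent, so the "reply never arrives" case Tom describes can be reproduced offline. The 490-byte payload is a dummy blob of the same size as the strace request, not a real kpasswd message; the listener, the 127.0.0.1 addresses, the shortened FAST_SCHEDULE timings and all function names are assumptions for the example. It does not replace the packet capture on both networks that Tom asks for; it only shows what the client sees when the return packet is dropped.

```python
import select
import socket
import threading

# Wait pattern taken from the strace in the thread: after every send the
# client select()s for ~1 s, then for a backoff of 2 s, 4 s and 8 s, resending
# before each backoff grows. Three sends, then "Cannot contact any KDC".
KPASSWD_SCHEDULE = ((1.0, 2.0), (1.0, 4.0), (1.0, 8.0))
# Same shape, shortened so the demonstration finishes in about a second
# (assumed values, not kpasswd's real timers).
FAST_SCHEDULE = ((0.05, 0.1), (0.05, 0.2), (0.05, 0.4))
KPASSWD_PORT = 464


def probe_udp_service(host, port, payload, schedule=KPASSWD_SCHEDULE):
    """Send `payload` to host:port over UDP following `schedule`.

    Returns (reply, sends, events): the first datagram that came back (None
    if nothing did), the number of sends, and a list of ("send", n) /
    ("timeout", secs) / ("recv", n) / ("error", errno) tuples that mirrors
    what strace shows.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    events, sends = [], 0
    try:
        sock.connect((host, port))          # connect() then send(), as in the strace
        for waits in schedule:
            sock.send(payload)
            sends += 1
            events.append(("send", len(payload)))
            for secs in waits:
                # select() on the one connected descriptor, for readability and
                # exceptional conditions. Python computes nfds (highest fd + 1)
                # itself; that is the "5" for fd 4 that Tom Yu explains.
                readable, _, errored = select.select([sock], [], [sock], secs)
                if readable or errored:
                    try:
                        data = sock.recv(65535)
                    except OSError as exc:
                        # e.g. ECONNREFUSED from an ICMP port unreachable:
                        # the path works, but nothing listens on the port.
                        events.append(("error", exc.errno))
                        return None, sends, events
                    events.append(("recv", len(data)))
                    return data, sends, events
                events.append(("timeout", secs))
        return None, sends, events
    finally:
        sock.close()


def diagnose(port, reply, sends, events):
    """Summarise a probe result the way the thread reasons about it."""
    if reply is not None:
        return "reply received after %d send(s): UDP/%d return path is open" % (sends, port)
    if any(kind == "error" for kind, _ in events):
        return "socket error after %d send(s): host reachable, nothing on UDP/%d" % (sends, port)
    return ("no reply after %d send(s): check the UDP/%d return path "
            "(stateless firewall, switch ACL, asymmetric routing)" % (sends, port))


def start_udp_listener(reply=b"", silent=False):
    """Constructed stand-in for the kpasswd port, bound on 127.0.0.1.

    Echoes `reply` to every datagram, or with silent=True swallows them,
    which is what a firewall dropping the return packet looks like from the
    client side. Returns (port, stop_event).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                _data, peer = srv.recvfrom(65535)
            except socket.timeout:
                continue
            if not silent:
                srv.sendto(reply, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    DUMMY = b"\x00" * 490   # same size as the strace request; not a kpasswd message
    port, stop = start_udp_listener(reply=b"reply")
    print(diagnose(port, *probe_udp_service("127.0.0.1", port, DUMMY, FAST_SCHEDULE)))
    stop.set()
    port, stop = start_udp_listener(silent=True)
    print(diagnose(port, *probe_udp_service("127.0.0.1", port, DUMMY, FAST_SCHEDULE)))
    stop.set()
```

Against a real KDC you would pass the KDC address and KPASSWD_PORT with the default schedule; a "no reply" result after three sends is exactly the strace above, and a "socket error" result tells you the firewall is not the problem, only the service. Whether a given kpasswd daemon answers a garbage datagram at all is not something this script assumes, so correlate with captures on both sides as Tom suggests.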
