Hi, I am experimenting with kinit requesting tickets from the KDC over TCP and see that all attempts fall back to UDP. Looking at the code it seems there is a bug, see below.
My setup:
- MIT Kerberos 1.10.1, built from source code and running this build
- krb5.conf with udp_preference_limit=1
- kdc.conf with kdc_tcp_ports=88

Here is part of the flow in sendto_kdc.c:
- The KDC hostname gets resolved (resolve_server()) and several connections are attempted, the first ones with TCP; some UDP sockets are created too.
- Each connection is attempted by a start_connection() call; they all succeed.
- At the end of start_connection(), there is an ssflags local variable into which the SSF_READ flag is set (among others), and this state is saved through cm_add_fd().
- For TCP sockets, the service_tcp_fd() function is called, running a state machine.
- Inside service_tcp_fd(), for the CONNECTING state, a check is made for the SSF_READ flag. If this flag is set, a comment says the KDC is sending data to us, which is interpreted as an error, so the TCP socket is disconnected by the client. As seen above, this SSF_READ flag had been explicitly set at the end of start_connection().
- Consequently, all the TCP sockets are closed along the same scenario, then Kerberos falls back to UDP sockets, which do succeed in contacting the KDC.

So I think there is a bug there: either start_connection() should not set the SSF_READ flag by default, or service_tcp_fd() shouldn't check SSF_READ during the CONNECTING phase and fall into an error there.

Thanks for letting me know whether this is indeed a bug or whether I am missing something,
-- oli.

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
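The sequence the post describes, as an added toy model that is not code from MIT Kerberos and does not reproduce its real sendto_kdc.c: the names start_connection(), service_tcp_fd(), cm_add_fd(), SSF_READ and the CONNECTING state are taken from the post; the struct layout, the enum, the set_read_by_default switch and run_client() are assumptions made for this model only. It shows why registering SSF_READ for a still-connecting TCP socket, and then treating SSF_READ in the CONNECTING arm as "the KDC spoke first", sends every request down the UDP fallback, and how not registering SSF_READ for a connecting TCP socket (one of the two fixes the post suggests) lets the TCP attempt survive.

```c
/*
 * Toy model of the flag bookkeeping the post describes.  Added example,
 * not MIT Kerberos code: the real sendto_kdc.c is not reproduced here and
 * the data structures below are invented for this model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SSF_READ      0x01
#define SSF_WRITE     0x02
#define SSF_EXCEPTION 0x04

enum conn_state { CONNECTING, WRITING, READING, FAILED };

struct conn {
    bool            is_tcp;
    enum conn_state state;
    unsigned        ssflags;   /* flags recorded through cm_add_fd() */
};

/* Model of cm_add_fd(): remember which events this fd is registered for. */
static void cm_add_fd(struct conn *c, unsigned ssflags)
{
    c->ssflags = ssflags;
}

/*
 * Model of start_connection().  With set_read_by_default true it does what
 * the post observes: SSF_READ is registered for every socket, including a
 * TCP socket that is still connecting.  With it false, a connecting TCP
 * socket is registered for write/exception only (hypothetical fix).
 */
static void start_connection(struct conn *c, bool is_tcp,
                             bool set_read_by_default)
{
    unsigned ssflags = SSF_EXCEPTION;

    c->is_tcp = is_tcp;
    c->state  = CONNECTING;
    if (is_tcp && !set_read_by_default)
        ssflags |= SSF_WRITE;              /* only wait for connect() to finish */
    else
        ssflags |= SSF_READ | SSF_WRITE;   /* the default the post describes */
    cm_add_fd(c, ssflags);
}

/*
 * Model of the CONNECTING arm of service_tcp_fd() as the post reads it:
 * if SSF_READ is present the KDC is taken to be talking first, which is
 * treated as an error and the socket is dropped.  Returns true when the
 * connection survives and moves on to WRITING.
 */
static bool service_tcp_fd(struct conn *c, unsigned ssflags)
{
    if (c->state != CONNECTING)
        return c->state != FAILED;
    if (ssflags & SSF_READ) {
        c->state = FAILED;   /* "KDC is sending to us first" -> disconnect */
        return false;
    }
    c->state = WRITING;
    return true;
}

/*
 * Drive one TCP and one UDP attempt (assumed helper) and report which
 * transport the request ends up on: "tcp" if the TCP socket survived its
 * CONNECTING check, otherwise "udp", the fallback the post observes.
 */
static const char *run_client(bool set_read_by_default)
{
    struct conn tcp, udp;

    start_connection(&tcp, true, set_read_by_default);
    start_connection(&udp, false, set_read_by_default);

    /* The post's reading: the saved flags are what the state machine sees. */
    if (service_tcp_fd(&tcp, tcp.ssflags))
        return "tcp";
    return udp.is_tcp ? "none" : "udp";   /* TCP dropped, UDP socket used */
}

int main(void)
{
    printf("SSF_READ set by default:   request goes over %s\n",
           run_client(true));
    printf("SSF_READ not set for TCP:  request goes over %s\n",
           run_client(false));
    return 0;
}
```

To confirm which transport a real kinit is using rather than trusting a model, watch port 88 with tcpdump while kinit runs (a TCP handshake followed by a TCP reset or FIN before any KRB request, then a UDP datagram, matches the fallback the post describes), or set KRB5_TRACE to a file before running kinit and read the transport names in the trace.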
