[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
This bug was fixed in the package krb5 - 1.15-1ubuntu0.1 --- krb5 (1.15-1ubuntu0.1) zesty; urgency=medium * Pulled in Debian fixes from Sam Hartman for: - kinit fails for OTP user when using kdc discovery via DNS (LP: #1683237) - KDC/kadmind explicit wildcard listener addresses do not use pktinfo (LP: #1688121) - KDC/kadmind may fail to start on IPv4-only systems (LP: #1688310) -- Andreas HasenackFri, 05 May 2017 14:05:38 + ** Changed in: krb5 (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Released Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions. [Regression Potential] We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions. [Regression Potential] We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration effort and most systems are dual stack. Zesty certainly is, out of the box. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
Reproducing the problem with 1.15-1: ubuntu@15-89:~$ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.15-1 Candidate: 1.15-1 Version table: *** 1.15-1 500 500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages 100 /var/lib/dpkg/status After rebooting with no IPv6 support, the kerberos services are not running: ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep ubuntu@15-89:~$ And we have the expected failure in auth.log: ubuntu@15-89:~$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 15 13:23:40 15-89 kadmind[1195]: Failed setting up a UDP socket (for ::.464) May 15 13:23:40 15-89 krb5kdc[1196]: Failed setting up a UDP socket (for ::.750) May 15 13:24:34 15-89 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/grep -E (kadmind|krb5kdc).*Failed /var/log/auth.log Now we install the fixed packages from proposed: ubuntu@15-89:~$ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.15-1ubuntu0.1 Candidate: 1.15-1ubuntu0.1 Version table: *** 1.15-1ubuntu0.1 500 500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages 100 /var/lib/dpkg/status 1.15-1 500 500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages Immediately after that the services are running already: ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 2377 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 2443 ?Ss 0:00 /usr/sbin/kadmind -nofork We still have errors in auth.log, but they are not fatal: May 15 13:26:49 15-89 kadmind[2443]: Address family not supported by protocol - Cannot create TCP server socket on ::.464 May 15 13:26:49 15-89 kadmind[2443]: Failed setting up a UDP socket (for ::.464) And we are bound to IPv4 sockets only as expected: ubuntu@15-89:~$ sudo netstat -anp|grep -E "^(tcp|udp).*(krb5kdc|kadmind)" tcp0 0 0.0.0.0:88 0.0.0.0:* LISTEN 2377/krb5kdc tcp0 0 0.0.0.0:749 0.0.0.0:* LISTEN 2443/kadmind tcp0 0 0.0.0.0:464 0.0.0.0:* LISTEN 2443/kadmind udp0 0 0.0.0.0:88 0.0.0.0:* 2377/krb5kdc udp0 0 0.0.0.0:464 0.0.0.0:* 2443/kadmind udp0 0 0.0.0.0:750 0.0.0.0:* 2377/krb5kdc ** Tags removed: verification-needed ** Tags added: verification-done-zesty -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
Andreas can you please test it? thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions. [Regression Potential] We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration effort and most systems are dual stack. Zesty certainly is, out of the box. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
Hello Andreas, or anyone else affected, Accepted krb5 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.15-1ubuntu0.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: krb5 (Ubuntu Zesty) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) With the updated packages, krb5-kdc and krb5-admin-server will startup just
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Changed in: krb5 (Ubuntu) Importance: Undecided => High ** Changed in: krb5 (Ubuntu Zesty) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch [Impact] getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. The provided patch is applied upstream and in Debian testing. [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions. [Regression Potential] We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible, instead of silently listening on the useless socket. That being said, I believe single stack systems (only IPv4, or only IPv6) take an extra configuration effort and most systems are dual stack. Zesty certainly is, out of the box. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch - getaddrinfo() called on a wildcard address might return the IPv6 "::1" - address. On machines without IPv6 support, binding to it will likely - fail and the kdc/kadmin services won't start. + + [Impact] + getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start. + + The provided patch is applied upstream and in Debian testing. + + + [Test Case] Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep - 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid - 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork + 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid + 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit - Password for ubu...@example.org: + Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org - renew until 05/05/2017 14:20:13 + renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" - tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc - tcp6 0 0 :::749 :::*LISTEN 1065/kadmind - tcp6 0 0 :::464 :::*LISTEN 1065/kadmind - udp6 0 0 :::88 :::* 1078/krb5kdc - udp6 0 0 :::464 :::* 1065/kadmind - udp6 0 0 :::750 :::* 1078/krb5kdc + tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc + tcp6 0 0 :::749 :::*LISTEN 1065/kadmind + tcp6 0 0 :::464 :::*LISTEN 1065/kadmind + udp6 0 0 :::88 :::* 1078/krb5kdc + udp6 0 0 :::464 :::* 1065/kadmind + udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: - $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log + $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) + + + With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions. + + + [Regression Potential] + We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible,
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/323686 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Changed in: krb5 (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Bug watch added: Debian Bug tracker #860767 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 ** Also affects: krb5 (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Changed in: krb5 (Ubuntu) Assignee: Andreas Hasenack (ahasenack) => (unassigned) ** Changed in: krb5 (Ubuntu) Status: In Progress => Fix Released ** Changed in: krb5 (Ubuntu Zesty) Status: New => In Progress ** Changed in: krb5 (Ubuntu Zesty) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Also affects: krb5 (Ubuntu Zesty) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems Status in krb5 package in Ubuntu: In Progress Status in krb5 source package in Zesty: New Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp