[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-22 Thread Launchpad Bug Tracker
This bug was fixed in the package krb5 - 1.15-1ubuntu0.1

---
krb5 (1.15-1ubuntu0.1) zesty; urgency=medium

  * Pulled in Debian fixes from Sam Hartman for:
    - kinit fails for OTP user when using kdc discovery via DNS
      (LP: #1683237)
    - KDC/kadmind explicit wildcard listener addresses do not use pktinfo
      (LP: #1688121)
    - KDC/kadmind may fail to start on IPv4-only systems (LP: #1688310)

 -- Andreas Hasenack   Fri, 05 May 2017 14:05:38
+

** Changed in: krb5 (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1688310

Title:
  KDC/kadmind may fail to start on IPv4-only systems

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Zesty:
  Fix Released
Status in krb5 package in Debian:
  Fix Released

Bug description:
  This is fixed in artful in krb5 1.15-2

  - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
  - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
  - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

  [Impact]
  getaddrinfo() called on a wildcard address might return the IPv6 "::1"
  address. On machines without IPv6 support, binding to it will most
  likely fail and the kdc/kadmin services won't start.

  The provided patch is applied upstream and in Debian testing.

  [Test Case]

  Steps to reproduce the problem on zesty:

  a) install krb5-kdc krb5-admin-server
  $ sudo apt install krb5-kdc krb5-admin-server
  when prompted, use EXAMPLE.ORG (all caps) as the default realm
  when prompted, use the IP of this machine for the KDC and the Admin servers

  b) configure a new realm called EXAMPLE.ORG
  $ sudo krb5_newrealm
  use any password of your liking when prompted

  c) confirm the kdc and admin services are running.
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
   4275 ?  Ss  0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
   4306 ?  Ss  0:00 /usr/sbin/kadmind -nofork

  d) create a principal and obtain a ticket to confirm kerberos is
  working properly:
  $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
  $ kinit
  Password for ubu...@example.org:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: ubu...@example.org

  Valid starting   Expires  Service principal
  05/04/2017 14:20:17  05/05/2017 00:20:17  krbtgt/example@example.org
   renew until 05/05/2017 14:20:13

  e) Confirm the kerberos services are bound to IPv6 local sockets:
  $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
  tcp6   0  0 :::88   :::*   LISTEN  1078/krb5kdc
  tcp6   0  0 :::749  :::*   LISTEN  1065/kadmind
  tcp6   0  0 :::464  :::*   LISTEN  1065/kadmind
  udp6   0  0 :::88   :::*           1078/krb5kdc
  udp6   0  0 :::464  :::*           1065/kadmind
  udp6   0  0 :::750  :::*           1078/krb5kdc

  f) configure the system to not support IPv6. There are probably many
  ways to do this, but the one sure way is to reboot it with
  ipv6.disable=1 in the kernel command line:
  e.1) edit /etc/default/grub
  e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
  e.3) run sudo update-grub
  e.4) reboot

  f) Confirm the kdc and admin services are NOT running:
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
  $

  g) /var/log/auth.log will contain the reason:
  $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
  May  4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
  May  4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May  4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
  May  4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
  May  4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May  4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)

  With the updated packages, krb5-kdc and krb5-admin-server will start up
  just fine in the same conditions.

  [Regression Potential]
  We now tolerate an EAFNOSUPPORT error as long as at least one socket was
  bound to correctly. Maybe there could be a scenario when this one bound
  socket is useless, or unexpected: in that case, bailing out because of
  the EAFNOSUPPORT error could be seen as a more robust approach because
  it's immediately visible, instead of silently listening on the useless
  socket.

  That being said, I believe single stack systems (only IPv4, or only
  IPv6) take an extra configuration effort and most systems are dual
  stack. Zesty certainly is, out of the box.

[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-15 Thread LocutusOfBorg
** Tags added: verification-done


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-15 Thread Andreas Hasenack
Reproducing the problem with 1.15-1:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status

After rebooting with no IPv6 support, the kerberos services are not running:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
ubuntu@15-89:~$

And we have the expected failure in auth.log:
ubuntu@15-89:~$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 15 13:23:40 15-89 kadmind[1195]: Failed setting up a UDP socket (for ::.464)
May 15 13:23:40 15-89 krb5kdc[1196]: Failed setting up a UDP socket (for ::.750)
May 15 13:24:34 15-89 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/grep -E (kadmind|krb5kdc).*Failed /var/log/auth.log


Now we install the fixed packages from proposed:
ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages

Immediately after that the services are running already:
ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
 2377 ?  Ss  0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
 2443 ?  Ss  0:00 /usr/sbin/kadmind -nofork


We still have errors in auth.log, but they are not fatal:
May 15 13:26:49 15-89 kadmind[2443]: Address family not supported by protocol - Cannot create TCP server socket on ::.464
May 15 13:26:49 15-89 kadmind[2443]: Failed setting up a UDP socket (for ::.464)

And we are bound to IPv4 sockets only as expected:
ubuntu@15-89:~$ sudo netstat -anp|grep -E "^(tcp|udp).*(krb5kdc|kadmind)"
tcp    0  0 0.0.0.0:88   0.0.0.0:*  LISTEN  2377/krb5kdc
tcp    0  0 0.0.0.0:749  0.0.0.0:*  LISTEN  2443/kadmind
tcp    0  0 0.0.0.0:464  0.0.0.0:*  LISTEN  2443/kadmind
udp    0  0 0.0.0.0:88   0.0.0.0:*          2377/krb5kdc
udp    0  0 0.0.0.0:464  0.0.0.0:*          2443/kadmind
udp    0  0 0.0.0.0:750  0.0.0.0:*          2377/krb5kdc


** Tags removed: verification-needed
** Tags added: verification-done-zesty
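
The behaviour verified in the message above (IPv6 socket creation fails, the daemons still start on IPv4) matches the policy stated under [Regression Potential]: tolerate EAFNOSUPPORT as long as at least one socket was bound. The following is an added C example of that policy, not the krb5 patch and not code from this thread. `setup_listeners`, `open_wildcard` and the `sim_*` openers are hypothetical names, the `sim_*` functions are constructed stand-ins for hosts that cannot be assumed at run time, and treating every other bind error as fatal is an assumption.

```c
/* Added example, not krb5 code: every identifier here is hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Opener: create and bind one wildcard socket; fd, or -1 with errno set. */
typedef int (*opener_fn)(int family, int socktype, unsigned short port);

/* Real opener: binds "::" or "0.0.0.0" (the zero-filled address) on `port`. */
static int open_wildcard(int family, int socktype, unsigned short port)
{
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd, rc, saved, on = 1;

    fd = socket(family, socktype, 0);   /* EAFNOSUPPORT if the family is absent */
    if (fd < 0)
        return -1;
    if (family == AF_INET6) {           /* keep "::" from also claiming IPv4 */
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        rc = bind(fd, (struct sockaddr *)&s6, sizeof(s6));
    } else {
        rc = bind(fd, (struct sockaddr *)&s4, sizeof(s4));
    }
    if (rc < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Constructed stand-ins; a /dev/null descriptor plays the bound socket. */
static int sim_ipv4_only(int family, int socktype, unsigned short port)
{
    (void)socktype; (void)port;
    if (family == AF_INET6) { errno = EAFNOSUPPORT; return -1; }
    return open("/dev/null", O_RDONLY);
}
static int sim_port_taken(int family, int socktype, unsigned short port)
{
    (void)socktype; (void)port;
    if (family == AF_INET) { errno = EADDRINUSE; return -1; }
    return open("/dev/null", O_RDONLY);
}
static int sim_no_stack(int family, int socktype, unsigned short port)
{
    (void)family; (void)socktype; (void)port;
    errno = EAFNOSUPPORT;
    return -1;
}

/* Try "::" then "0.0.0.0". Returns how many sockets were bound, or -1 with
 * errno set. *skipped counts the families tolerated as EAFNOSUPPORT. */
static int setup_listeners(opener_fn opener, int socktype, unsigned short port,
                           int fds[2], int *skipped)
{
    static const int families[2] = { AF_INET6, AF_INET };
    int bound = 0, saved, i, fd;

    *skipped = 0;
    for (i = 0; i < 2; i++) {
        fd = opener(families[i], socktype, port);
        if (fd >= 0) {
            fds[bound++] = fd;
        } else if (errno == EAFNOSUPPORT) {
            (*skipped)++;               /* non-fatal: log it and move on */
        } else {
            saved = errno;              /* assumption: other errors stay fatal */
            while (bound > 0)
                close(fds[--bound]);
            errno = saved;
            return -1;
        }
    }
    if (bound == 0) {                   /* nothing bound at all: do not start */
        errno = EAFNOSUPPORT;
        return -1;
    }
    return bound;
}

int main(void)
{
    opener_fn cases[] = { sim_ipv4_only, sim_port_taken, sim_no_stack, open_wildcard };
    const char *names[] = { "sim IPv4-only", "sim port taken", "sim no stack", "this host" };
    int fds[2], skipped, n, i;

    for (i = 0; i < 4; i++) {
        n = setup_listeners(cases[i], SOCK_DGRAM, 0, fds, &skipped); /* port 0: no root */
        printf("%-14s bound=%d skipped=%d\n", names[i], n, skipped);
        while (n > 0)
            close(fds[--n]);
    }
    return 0;
}
```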


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-13 Thread LocutusOfBorg
Andreas can you please test it?
thanks


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-11 Thread Adam Conrad
Hello Andreas, or anyone else affected,

Accepted krb5 into zesty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/krb5/1.15-1ubuntu0.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: krb5 (Ubuntu Zesty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-07 Thread Mathew Hodson
** Changed in: krb5 (Ubuntu)
   Importance: Undecided => High

** Changed in: krb5 (Ubuntu Zesty)
   Importance: Undecided => High


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-05 Thread Andreas Hasenack
** Description changed:

  This is fixed in artful in krb5 1.15-2
  
  - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
  - debian: conflated into 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
  - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
  
- getaddrinfo() called on a wildcard address might return the IPv6 "::1"
- address. On machines without IPv6 support, binding to it will likely
- fail and the kdc/kadmin services won't start.
+ 
+ [Impact]
+ getaddrinfo() called on a wildcard address might return the IPv6 "::1" 
address. On machines without IPv6 support, binding to it will most likely fail 
and the kdc/kadmin services won't start.
+ 
+ The provided patch is applied upstream and in Debian testing.
+ 
+ 
+ [Test Case]
  
  Steps to reproduce the problem on zesty:
  
  a) install krb5-kdc krb5-admin-server
  $ sudo apt install krb5-kdc krb5-admin-server
  when prompted, use EXAMPLE.ORG (all caps) as the default realm
  when prompted, use the IP of this machine for the KDC and the Admin servers
  
  b) configure a new realm called EXAMPLE.ORG
  $ sudo krb5_newrealm
  use any password of your liking when prompted
  
  c) confirm the kdc and admin services are running.
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
-  4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
-  4306 ?Ss 0:00 /usr/sbin/kadmind -nofork
+  4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
+  4306 ?Ss 0:00 /usr/sbin/kadmind -nofork
  
  d) create a principal and obtain a ticket to confirm kerberos is working 
properly:
  $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
  $ kinit
- Password for ubu...@example.org: 
+ Password for ubu...@example.org:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: ubu...@example.org
  
  Valid starting   Expires  Service principal
  05/04/2017 14:20:17  05/05/2017 00:20:17  krbtgt/example@example.org
-   renew until 05/05/2017 14:20:13
+  renew until 05/05/2017 14:20:13
  
  e) Confirm the kerberos services are bound to IPv6 local sockets:
  $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
- tcp6   0  0 :::88   :::*LISTEN
  1078/krb5kdc
- tcp6   0  0 :::749  :::*LISTEN
  1065/kadmind
- tcp6   0  0 :::464  :::*LISTEN
  1065/kadmind
- udp6   0  0 :::88   :::*  
  1078/krb5kdc
- udp6   0  0 :::464  :::*  
  1065/kadmind
- udp6   0  0 :::750  :::*  
  1078/krb5kdc
+ tcp6   0  0 :::88   :::*LISTEN
  1078/krb5kdc
+ tcp6   0  0 :::749  :::*LISTEN
  1065/kadmind
+ tcp6   0  0 :::464  :::*LISTEN
  1065/kadmind
+ udp6   0  0 :::88   :::*  
  1078/krb5kdc
+ udp6   0  0 :::464  :::*  
  1065/kadmind
+ udp6   0  0 :::750  :::*  
  1078/krb5kdc
  
  f) configure the system to not support IPv6. There are probably many ways to 
do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel 
command line:
  e.1) edit /etc/default/grub
  e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
  e.3) run sudo update-grub
  e.4) reboot
  
  f) Confirm the kdc and admin services are NOT running:
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
  $
  
  g) /var/log/auth.log will contain the reason:
- $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log 
+ $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
  May  4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for 
::.750)
  May  4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for 
::.464)
  May  4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for 
::.750)
  May  4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for 
::.750)
  May  4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for 
::.464)
  May  4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for 
::.750)
+ 
+ 
+ With the updated packages, krb5-kdc and krb5-admin-server will startup just 
fine in the same conditions.
+ 
+ 
+ [Regression Potential]
+ We now tolerate a EAFNOSUPPORT error as long as at least one socket was bound 
to correctly. Maybe there could be a scenario when this one bound socket is 
useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT 
error could be seen as a more robust approach because it's immediately visible, 
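Review bot: the added closing sentence ("With the updated packages, krb5-kdc and krb5-admin-server will startup just fine in the same conditions") comes with no command to verify it. The only socket check in the test case, step e, filters on `^(tcp|udp)6`, so it prints nothing on the IPv6-disabled host even when the fix works. Suggest ending the test case with the `ps` check from the second step f) and a netstat filter that matches the IPv4 listeners. That would also exercise the concern raised in [Regression Potential], that the one socket that did bind might be useless or unexpected.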

[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/323686

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Zesty:
  In Progress
Status in krb5 package in Debian:
  Fix Released

Bug description:
  This is fixed in artful in krb5 1.15-2

  - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
  - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
  - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

  getaddrinfo() called on a wildcard address might return the IPv6 "::1"
  address. On machines without IPv6 support, binding to it will likely
  fail and the kdc/kadmin services won't start.

  Steps to reproduce the problem on zesty:

  a) install krb5-kdc krb5-admin-server
  $ sudo apt install krb5-kdc krb5-admin-server
  when prompted, use EXAMPLE.ORG (all caps) as the default realm
  when prompted, use the IP of this machine for the KDC and the Admin servers

  b) configure a new realm called EXAMPLE.ORG
  $ sudo krb5_newrealm
  use any password of your liking when prompted

  c) confirm the kdc and admin services are running.
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
   4275 ?        Ss     0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
   4306 ?        Ss     0:00 /usr/sbin/kadmind -nofork

  d) create a principal and obtain a ticket to confirm kerberos is working properly:
  $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
  $ kinit
  Password for ubu...@example.org: 
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: ubu...@example.org

  Valid starting   Expires  Service principal
  05/04/2017 14:20:17  05/05/2017 00:20:17  krbtgt/example@example.org
          renew until 05/05/2017 14:20:13

  e) Confirm the kerberos services are bound to IPv6 local sockets:
  $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
  tcp6       0      0 :::88                   :::*                    LISTEN      1078/krb5kdc
  tcp6       0      0 :::749                  :::*                    LISTEN      1065/kadmind
  tcp6       0      0 :::464                  :::*                    LISTEN      1065/kadmind
  udp6       0      0 :::88                   :::*                                1078/krb5kdc
  udp6       0      0 :::464                  :::*                                1065/kadmind
  udp6       0      0 :::750                  :::*                                1078/krb5kdc

  f) configure the system to not support IPv6. There are probably many ways to
  do this, but the one sure way is to reboot it with ipv6.disable=1 in the
  kernel command line:
  e.1) edit /etc/default/grub
  e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
  e.3) run sudo update-grub
  e.4) reboot

  f) Confirm the kdc and admin services are NOT running:
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
  $

  g) /var/log/auth.log will contain the reason:
  $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log 
  May  4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
  May  4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May  4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
  May  4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
  May  4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May  4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
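
The startup policy this bug is about (tolerate EAFNOSUPPORT as long as at least one socket was bound), as an added C example. It is not the Debian or upstream krb5 patch; `may_start` and `probe_wildcard` are hypothetical names, and port "0" is used so the probe needs no privileges.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Decide whether a daemon may start, given one errno per wildcard
 * listener it tried to set up (0 = bound).
 * tolerate == 0: strict policy, any failure aborts startup.
 * tolerate == 1: EAFNOSUPPORT is skipped, but only if at least one
 *                listener was bound; every other error still aborts. */
int may_start(const int *errs, size_t n, int tolerate)
{
    size_t bound = 0;
    for (size_t i = 0; i < n; i++) {
        if (errs[i] == 0) {
            bound++;
            continue;
        }
        if (tolerate && errs[i] == EAFNOSUPPORT)
            continue;            /* address family missing on this host */
        return 0;                /* e.g. EADDRINUSE, EACCES: real failure */
    }
    return bound > 0;            /* never start with zero listeners */
}

/* Resolve the wildcard address for every family getaddrinfo() offers and
 * try socket()+bind() on each, recording the errno in errs[].  Sockets
 * are closed again: this only probes what the host supports. */
size_t probe_wildcard(const char *port, int socktype, int *errs, size_t max)
{
    struct addrinfo hints, *res, *ai;
    size_t n = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;     /* may yield "::" on IPv4-only hosts */
    hints.ai_socktype = socktype;
    hints.ai_flags = AI_PASSIVE;     /* NULL node => wildcard addresses */
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return 0;
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            errs[n++] = errno;       /* EAFNOSUPPORT with ipv6.disable=1 */
            continue;
        }
        errs[n++] = bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 ? 0 : errno;
        close(fd);
    }
    freeaddrinfo(res);
    return n;
}

int main(void)
{
    int errs[8];
    size_t n = probe_wildcard("0", SOCK_DGRAM, errs, 8);
    for (size_t i = 0; i < n; i++)
        printf("listener %zu: %s\n", i, errs[i] ? strerror(errs[i]) : "bound");
    printf("strict policy:   %s\n", may_start(errs, n, 0) ? "start" : "abort");
    printf("tolerant policy: %s\n", may_start(errs, n, 1) ? "start" : "abort");
    return 0;
}
```

On a host booted with ipv6.disable=1 the strict policy reports "abort" and the tolerant one "start"; on a dual-stack host both report "start".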


[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-04 Thread Bug Watch Updater
** Changed in: krb5 (Debian)
   Status: Unknown => Fix Released

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Zesty:
  In Progress
Status in krb5 package in Debian:
  Fix Released



[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-04 Thread Andreas Hasenack
** Bug watch added: Debian Bug tracker #860767
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767

** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
   Importance: Unknown
   Status: Unknown

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Zesty:
  In Progress
Status in krb5 package in Debian:
  Unknown



[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-04 Thread Andreas Hasenack
** Changed in: krb5 (Ubuntu)
 Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: krb5 (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: krb5 (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: krb5 (Ubuntu Zesty)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Zesty:
  In Progress



[Touch-packages] [Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems

2017-05-04 Thread LocutusOfBorg
** Also affects: krb5 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

Status in krb5 package in Ubuntu:
  In Progress
Status in krb5 source package in Zesty:
  New
