[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
This bug was fixed in the package krb5 - 1.15-1ubuntu0.1 --- krb5 (1.15-1ubuntu0.1) zesty; urgency=medium * Pulled in Debian fixes from Sam Hartman for: - kinit fails for OTP user when using kdc discovery via DNS (LP: #1683237) - KDC/kadmind explicit wildcard listener addresses do not use pktinfo (LP: #1688121) - KDC/kadmind may fail to start on IPv4-only systems (LP: #1688310) -- Andreas HasenackFri, 05 May 2017 14:05:38 + ** Changed in: krb5 (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC is configured to listen on the wildcard address (0.0.0.0) and receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted b.1) Add "kdc_listen = 0.0.0.0" to the EXAMPLE.ORG [realm] section in /etc/krb5kdc/kdc.conf and restart the kerberos services: [realms] EXAMPLE.ORG = { kdc_listen = 0.0.0.0 (...) $ sudo service krb5-kdc restart $ sudo service krb5-admin-server restart c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC is configured to listen on the wildcard address (0.0.0.0) and receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted b.1) Add "kdc_listen = 0.0.0.0" to the EXAMPLE.ORG [realm] section in /etc/krb5kdc/kdc.conf and restart the kerberos services: [realms] EXAMPLE.ORG = { kdc_listen = 0.0.0.0 (...) $ sudo service krb5-kdc restart $ sudo service krb5-admin-server restart c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
I updated the test case with step (b.1) which I had forgotten. Here it goes: Reproducing the error case with 1.15-1, we can see that UDP is tried first, is ignored, and then TCP is used one second later: $ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.15-1 Candidate: 1.15-1 Version table: *** 1.15-1 500 500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages 100 /var/lib/dpkg/status $ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu [2848] 1494852873.104617: Getting initial credentials for ubu...@example.org [2848] 1494852873.105449: Looked up etypes in keytab: aes256-cts, aes128-cts [2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG [2848] 1494852873.105684: Resolving hostname 10.0.100.249 [2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88 [2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88 [2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88 [2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88 [2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88 [2848] 1494852874.285214: Response was not from master KDC [2848] 1494852874.285346: Received error from KDC: -1765328359/Additional pre-authentication required ... After installing the update, UDP is again tried first but this time kinit receives an immediate answer and the exchange remains on UDP: $ apt-cache policy krb5-kdc krb5-kdc: Installed: 1.15-1ubuntu0.1 Candidate: 1.15-1ubuntu0.1 Version table: *** 1.15-1ubuntu0.1 500 500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages 100 /var/lib/dpkg/status 1.15-1 500 500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages $ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu [10150] 1494853325.393939: Getting initial credentials for ubu...@example.org [10150] 1494853325.395247: Looked up etypes in keytab: aes256-cts, aes128-cts [10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG [10150] 1494853325.395851: Resolving hostname 10.0.100.249 [10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88 [10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88 [10150] 1494853325.648728: Response was not from master KDC [10150] 1494853325.648835: Received error from KDC: -1765328359/Additional pre-authentication required ** Tags added: verification-done-zesty ** Tags removed: verification-needed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC is configured to listen on the wildcard address (0.0.0.0) and receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted b.1) Add "kdc_listen = 0.0.0.0" to the EXAMPLE.ORG [realm] section in /etc/krb5kdc/kdc.conf and restart the kerberos services: [realms] EXAMPLE.ORG = { kdc_listen = 0.0.0.0 (...) $ sudo service krb5-kdc restart $ sudo service krb5-admin-server restart c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] - When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. + When the KDC is configured to listen on the wildcard address (0.0.0.0) and receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly, you can also prefix the kinit command with KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of TCP is being used. [Regression
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch - [Impact] - When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. + When IPv6 is disabled and the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. - [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly, you can also prefix the kinit command with KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of TCP is being used. - [Regression Potential] This affects only
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
On it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly, you can also prefix the kinit command
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
ahasenack, can you please test it? thanks! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly,
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
Hello Andreas, or anyone else affected, Accepted krb5 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/krb5/1.15-1ubuntu0.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: krb5 (Ubuntu Zesty) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: Fix Committed Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Package changed: krb5 (Debian) => ubuntu-translations ** Changed in: ubuntu-translations Importance: Unknown => Undecided ** Changed in: ubuntu-translations Status: Fix Released => New ** Changed in: ubuntu-translations Remote watch: Debian Bug tracker #860767 => None ** No longer affects: ubuntu-translations ** Changed in: krb5 (Ubuntu) Importance: High => Medium ** Changed in: krb5 (Ubuntu Zesty) Importance: High => Medium ** Bug watch removed: Debian Bug tracker #860767 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu) Importance: Undecided => High ** Changed in: krb5 (Ubuntu Zesty) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d),
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch - TL;DR when kinit uses udp on an aliased interface address, server - responds with the wrong source IP + + [Impact] + + When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. + After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. + + Most clients will just see an increased lag when obtaining tickets. If + for some reason 88/TCP is blocked on the KDC and clients are expected to + use UDP at all times, then kinit requests will just fail. + + A workaround is to list the aliased interface's address in kdc_listen + besides the wildcard (0.0.0.0) address. + + The provided patch is applied upstream and in Debian testing. + + + [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) + + h) repeat step (g) with the updated packages. Timing should be similar + to the one in step (d), and a traffic capture should show UDP (and not + TCP) being used. + + Alternativaly, you can also prefix the kinit command with + KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of + TCP is being used. + + + [Regression Potential] + This affects only UDP sockets bound to a wildcard address and makes these sockets
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/krb5/+git/krb5/+merge/323686 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Fix Released Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server - sudo apt install krb5-kdc krb5-admin-server + $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG - sudo krb5_newrealm + $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: - sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu + $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): - sudo ip addr add 10.0.5.155/24 dev ens3 + $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Bug watch added: Debian Bug tracker #860767 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 ** Changed in: krb5 (Debian) Remote watch: krbdev.mit.edu/rt/ #8530 => Debian Bug tracker #860767 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: krb5 (Ubuntu) Assignee: Andreas Hasenack (ahasenack) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Also affects: krb5 (Ubuntu Zesty) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: Fix Released Status in krb5 source package in Zesty: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
With the fix applied, we get this: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real0m0.023s And the traffic happens all in UDP, since kinit got the "PREAUTH required" response (because now it came from the correct source IP) and just issued the updated request right away: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.002060386 10.0.5.155 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED 3 0.00541204610.0.5.55 → 10.0.5.155 KRB5 311 AS-REQ 4 0.012516720 10.0.5.155 → 10.0.5.55KRB5 793 AS-REP -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: In Progress Status in krb5 source package in Zesty: New Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Bug watch added: krbdev.mit.edu/rt/ #8530 http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 ** Also affects: krb5 (Debian) via http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo Status in krb5 package in Ubuntu: In Progress Status in krb5 package in Debian: Unknown Bug description: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp