Comment 5 for bug 1688121

Andreas Hasenack (ahasenack) wrote :

I updated the test case with step (b.1) which I had forgotten. Here it goes:

Reproducing the error case with 1.15-1, we can see that UDP is tried first, is ignored, and then TCP is used one second later:
$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status

$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[2848] 1494852873.104617: Getting initial credentials for <email address hidden>
[2848] 1494852873.105449: Looked up etypes in keytab: aes256-cts, aes128-cts
[2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG
[2848] 1494852873.105684: Resolving hostname 10.0.100.249
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.285214: Response was not from master KDC
[2848] 1494852874.285346: Received error from KDC: -1765328359/Additional pre-authentication required
...

After installing the update, UDP is again tried first but this time kinit receives an immediate answer and the exchange remains on UDP:
$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages

$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[10150] 1494853325.393939: Getting initial credentials for <email address hidden>
[10150] 1494853325.395247: Looked up etypes in keytab: aes256-cts, aes128-cts
[10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG
[10150] 1494853325.395851: Resolving hostname 10.0.100.249
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
[10150] 1494853325.648728: Response was not from master KDC
[10150] 1494853325.648835: Received error from KDC: -1765328359/Additional pre-authentication required
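
Added example, not part of the original comment: a small parser that reads KRB5_TRACE output and reports, per request, which transports were tried, which one the KDC answered on, and how long the answer took. The sample lines are copied from the two traces above; the names `analyze`, `BEFORE` and `AFTER` are hypothetical.

```python
import re
from decimal import Decimal  # epoch.microsecond stamps lose digits as floats

# KRB5_TRACE line layout as seen above: "[pid] epoch.usec: message"
LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SEND = re.compile(r"^(?:Sending initial UDP request to|Initiating TCP connection to) (dgram|stream) (\S+)")
RECV = re.compile(r"^Received answer \(\d+ bytes\) from (dgram|stream) (\S+)")

# Lines copied from the 1.15-1 and 1.15-1ubuntu0.1 traces in the comment above.
BEFORE = """\
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
"""
AFTER = """\
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
"""

def analyze(trace):
    """Return one dict per answered KDC request found in the trace text."""
    results, pending = [], {}  # pending: pid -> [(time, transport), ...]
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip "..." and any non-trace output
        pid, ts, msg = m.group(1), Decimal(m.group(2)), m.group(3)
        sent = SEND.match(msg)
        if sent:
            pending.setdefault(pid, []).append((ts, sent.group(1)))
            continue
        recv = RECV.match(msg)
        if recv and pending.get(pid):
            attempts = pending.pop(pid)
            results.append({
                "pid": pid,
                "kdc": recv.group(2),
                "tried": [transport for _, transport in attempts],
                "answered_on": recv.group(1),
                # UDP went unanswered and the reply only arrived over TCP
                "fell_back": attempts[0][1] == "dgram" and recv.group(1) == "stream",
                "latency": ts - attempts[0][0],  # seconds since first attempt
            })
    return results
```
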