AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested

Christoph Weizen
Hi list,

kinit (krb5 1.4.2) on an AIX 5.3 gives me
# /usr/local/bin/kinit -k -t foobar.keytab
foobar/[hidden email]
kinit(v5): Cannot resolve network address for KDC in requested realm
while getting initial credentials

From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
and foobar.keytab to AIX 5.3. The following steps don't differ from the
steps I did under Linux.

# ./configure --without-krb4 --enable-shared
# make && make install

Using gcc 3.3.2.
I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
as I see it is fixed in 1.4.2.

My krb5.conf looks like this:
[libdefaults]
         default_realm = EXAMPLE.NET
         clockskew = 300

[realms]
         EXAMPLE.NET = {
                 kdc = foo.example.net:88
                 admin_server = foo.example.net:749
                 default_domain = example.net
                 kpasswd_server = foo.example.net
         }

[domain_realm]
         .example.net = EXAMPLE.NET
         example.net = EXAMPLE.NET

[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log

[appdefaults]
         pam = {
                 ticket_lifetime = 1d
                 renew_lifetime = 1d
                 forwardable = true
                 proxiable = false
                 retain_after_close = false
                 minimum_uid = 0
                 debug = false
         }

Trying to analyze with tcpdump, I see DNS queries for A, AAAA, and AAAA
with my domain name doubled - and then again from the beginning.
The A record is answered correctly, the AAAA can't be (no IPv6).

13:00:09.595177 10.20.30.56.41629 > bar.example.net.domain: [udp sum ok]
  65423+ A? foo.example.net. (34) (ttl 30, id 30399, len 62)
13:00:09.595729 bar.example.net.domain > 10.20.30.56.41629: [udp sum ok]
  65423* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net
ns: example.net. NS bar.example.net., example.net. NS bar2.example.net.
ar: bar.example.net. A bar.example.net, bar2.example.net. A
bar2.example.net (128) (ttl 30, id 35101, len 156)
13:00:09.597500 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
  65424+ AAAA? foo.example.net. (34) (ttl 30, id 30400, len 62)
13:00:09.597886 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
  65424* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87)
(ttl 30, id 35102, len 115)
13:00:09.597928 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
  65425+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30401, len 70)
13:00:09.598273 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
  65425 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns:
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600
259200 86400 (95) (ttl 30, id 35103, len 123)
13:00:09.600003 10.20.30.56.41631 > bar.example.net.domain: [udp sum ok]
  65426+ A? foo.example.net. (34) (ttl 30, id 30402, len 62)
13:00:09.600473 bar.example.net.domain > 10.20.30.56.41631: [udp sum ok]
  65426* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net
ns: example.net. NS bar2.example.net., example.net. NS bar.example.net.
ar: bar.example.net. A bar.example.net, bar2.example.net. A
bar2.example.net (128) (ttl 30, id 35104, len 156)
13:00:09.602076 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
  65427+ AAAA? foo.example.net. (34) (ttl 30, id 30403, len 62)
13:00:09.602478 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
  65427* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87)
(ttl 30, id 35105, len 115)
13:00:09.602520 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
  65428+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30404, len 70)
13:00:09.602894 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
  65428 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns:
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600
259200 86400 (95) (ttl 30, id 35106, len 123)

Up to here, Linux contacts my KDC, AIX 5.3 does not. "Cannot resolve network
address for KDC..."

Did I miss something?

cheers,
Christoph
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Donn Cave
In article <dkqtao$ur0$05$[hidden email]>,
 Christoph Weizen <[hidden email]> wrote:

> kinit (krb5 1.4.2) on an AIX 5.3 gives me
> # /usr/local/bin/kinit -k -t foobar.keytab
> foobar/[hidden email]
> kinit(v5): Cannot resolve network address for KDC in requested realm
> while getting initial credentials
>
> From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
> and foobar.keytab to AIX 5.3. The following steps don't differ from the
> steps I did under Linux.
>
> # ./configure --without-krb4 --enable-shared
> # make && make install
>
> Using gcc 3.3.2.
> I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
> as I see it is fixed in 1.4.2.

I don't know what's in that patch.  Does it look like you
already have applied something like this?

   Donn Cave, [hidden email]
-----------------------------------
*** include/fake-addrinfo.h.dist        Wed Jun  1 12:24:32 2005
--- include/fake-addrinfo.h     Fri Aug 12 09:10:48 2005
***************
*** 1193,1199 ****
         a known service name for tcp or udp (as appropriate), an error
         code (for "host not found") is returned.  If the port maps to a
         known service for both udp and tcp, all is well.  */
!     if (serv && serv[0] && isdigit(serv[0])) {
        unsigned long lport;
        char *end;
        lport = strtoul(serv, &end, 10);
--- 1193,1208 ----
         a known service name for tcp or udp (as appropriate), an error
         code (for "host not found") is returned.  If the port maps to a
         known service for both udp and tcp, all is well.  */
!     /*
!     **
!     **  However, where AI_NUNERICSERV is defined (AIX 5) and was
specified,
!     **  this is unneeded and and broken - "discard" is not numeric.
!     */
!     if (serv && serv[0]
! #ifdef AI_NUMERICSERV
!              && !(hint->ai_flags & AI_NUMERICSERV)
! #endif
!              && isdigit(serv[0])) {
        unsigned long lport;
        char *end;
        lport = strtoul(serv, &end, 10);
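
Review bot: In the rewritten condition, `hint->ai_flags` is read without checking that `hint` is non-NULL. getaddrinfo() accepts a NULL hints pointer, so unless this function has already ruled that out, the added test is safer as `&& !(hint && (hint->ai_flags & AI_NUMERICSERV))`. The new comment also misspells the macro as AI_NUNERICSERV and repeats "and", and the mailer has wrapped "specified," onto a line with no `!` marker, so the hunk will not apply as posted. While touching this line, `isdigit(serv[0])` should take `(unsigned char)serv[0]`.
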
Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Lamar.Saxon

Christopher,

        I had the exact same problem.  I was given 2 patches for KRB
1.4.1 and it fixed the problem.  I applied the patches to my 1.4.2
source and the problem is resolved there too.  Here are the patches:

DNSGLUE.C Patch:

*** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
--- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
***************
*** 62,68 ****
--- 62,76 ----
                 char *host, int nclass, int ntype)
   {
   #if HAVE_RES_NSEARCH
+ #ifndef LANL
       struct __res_state statbuf;
+ #else   /* LANL */
+ #ifndef _AIX
+     struct __res_state statbuf;
+ #else   /* _AIX */
+     struct { struct __res_state s; char pad[1024]; } statbuf;
+ #endif  /* AIX */
+ #endif  /* LANL */
   #endif
       struct krb5int_dns_state *ds;
       int len, ret;
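
Review bot: The `char pad[1024]` placed after `struct __res_state s` in the `_AIX` branch is an unexplained magic number; add a comment saying why the resolver state needs extra room on AIX and how 1024 was chosen. Because `statbuf` becomes a wrapper struct in that branch, every later use in the function has to pass a `struct __res_state *`, which cannot be checked from the lines shown here. The nesting can be reduced to a single `#if defined(LANL) && defined(_AIX)` with one `#else`, so the plain declaration appears only once, and the `#endif  /* AIX */` comment should read `_AIX`. Nothing in the hunk defines `LANL`, so the change has no effect on a build that does not set it.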

LOCATE_KDC.C Patch:

>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>***************
>*** 267,275 ****
>--- 267,283 ----
>       memset(&hint, 0, sizeof(hint));
>       hint.ai_family = family;
>       hint.ai_socktype = socktype;
>+ #ifndef LANL
>   #ifdef AI_NUMERICSERV
>       hint.ai_flags = AI_NUMERICSERV;
>   #endif
>+ #else   /* LANL */
>+ #ifndef _AIX
>+ #ifdef AI_NUMERICSERV
>+     hint.ai_flags = AI_NUMERICSERV;
>+ #endif
>+ #endif  /* _AIX */
>+ #endif  /* LANL */
>       sprintf(portbuf, "%d", ntohs(port));
>       sprintf(secportbuf, "%d", ntohs(secport));
>       err = getaddrinfo (hostname, portbuf, &hint, &addrs);
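
Review bot: The added guards repeat `hint.ai_flags = AI_NUMERICSERV;` in two branches only to skip it when both `LANL` and `_AIX` are defined. A single condition, `#if defined(AI_NUMERICSERV) && !(defined(LANL) && defined(_AIX))`, expresses the same thing, and it should carry a comment recording why the flag is dropped on AIX. As in the dnsglue.c hunk, nothing here defines `LANL`, so an AIX build without it still sets the flag.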

Credit goes to Milton Turley <[hidden email]> for the patches and
assistance...

Let me know if it works for you...

Lamar

------------------------------------------------------------------------

Date: Tue, 08 Nov 2005 20:12:27 +0100
From: Christoph Weizen <[hidden email]>
To: [hidden email]
Subject: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in
        requested
Message-ID: <dkqtao$ur0$05$[hidden email]>
Precedence: list
Message: 1


Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in

Christoph Weizen
Hi Lamar,

I applied the two patches, and it works - thanks a lot!
Donn Cave sent a similar working patch: ;)

    Donn Cave, [hidden email]
-----------------------------------
*** include/fake-addrinfo.h.dist        Wed Jun  1 12:24:32 2005
--- include/fake-addrinfo.h     Fri Aug 12 09:10:48 2005
***************
*** 1193,1199 ****
          a known service name for tcp or udp (as appropriate), an error
          code (for "host not found") is returned.  If the port maps to a
          known service for both udp and tcp, all is well.  */
!     if (serv && serv[0] && isdigit(serv[0])) {
         unsigned long lport;
         char *end;
         lport = strtoul(serv, &end, 10);
--- 1193,1208 ----
          a known service name for tcp or udp (as appropriate), an error
          code (for "host not found") is returned.  If the port maps to a
          known service for both udp and tcp, all is well.  */
!     /*
!     **
!     **  However, where AI_NUNERICSERV is defined (AIX 5) and was
specified,
!     **  this is unneeded and and broken - "discard" is not numeric.
!     */
!     if (serv && serv[0]
! #ifdef AI_NUMERICSERV
!              && !(hint->ai_flags & AI_NUMERICSERV)
! #endif
!              && isdigit(serv[0])) {
         unsigned long lport;
         char *end;
         lport = strtoul(serv, &end, 10);

cheers,
Christoph

[hidden email] wrote:

> Christopher,
>
> I had the exact same problem.  I was given 2 patches for KRB
> 1.4.1 and it fixed the problem.  I applied the patches to my 1.4.2
> source and the problem is resolved there too.  Here are the patches:
>
> DNSGLUE.C Patch:
>
> *** ./src/lib/krb5/os/dnsglue.c.orig    Fri Jan 14 17:10:53 2005
> --- ./src/lib/krb5/os/dnsglue.c Thu May  5 11:39:52 2005
> ***************
> *** 62,68 ****
> --- 62,76 ----
>                  char *host, int nclass, int ntype)
>    {
>    #if HAVE_RES_NSEARCH
> + #ifndef LANL
>        struct __res_state statbuf;
> + #else   /* LANL */
> + #ifndef _AIX
> +     struct __res_state statbuf;
> + #else   /* _AIX */
> +     struct { struct __res_state s; char pad[1024]; } statbuf;
> + #endif  /* AIX */
> + #endif  /* LANL */
>    #endif
>        struct krb5int_dns_state *ds;
>        int len, ret;
>
> LOCATE_KDC.C Patch:
>
>
>>*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May  5 08:06:45 2005
>>--- ./src/lib/krb5/os/locate_kdc.c      Thu May  5 11:34:27 2005
>>***************
>>*** 267,275 ****
>>--- 267,283 ----
>>      memset(&hint, 0, sizeof(hint));
>>      hint.ai_family = family;
>>      hint.ai_socktype = socktype;
>>+ #ifndef LANL
>>  #ifdef AI_NUMERICSERV
>>      hint.ai_flags = AI_NUMERICSERV;
>>  #endif
>>+ #else   /* LANL */
>>+ #ifndef _AIX
>>+ #ifdef AI_NUMERICSERV
>>+     hint.ai_flags = AI_NUMERICSERV;
>>+ #endif
>>+ #endif  /* _AIX */
>>+ #endif  /* LANL */
>>      sprintf(portbuf, "%d", ntohs(port));
>>      sprintf(secportbuf, "%d", ntohs(secport));
>>      err = getaddrinfo (hostname, portbuf, &hint, &addrs);
>
>
> Credit goes to Milton Turley <[hidden email]> for the patches and
> assistance...
>
> Let me know if it works for you...
>
> Lamar
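
The comment in Donn Cave's patch says that "discard" is not numeric once AI_NUMERICSERV is specified. The following check is an added example, not part of the thread or of krb5: it calls the system getaddrinfo() directly with the hint layout from the locate_kdc.c hunk and reports whether the flag accepts a numeric port but refuses a service name. The helper names `resolve_serv` and `numericserv_refuses_names` are hypothetical, and the host 127.0.0.1 is a constructed input chosen so that no DNS query is sent.

```c
/* Added example, not krb5 source; helper names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Call getaddrinfo() with the hint layout used in the locate_kdc.c hunk.
 * Returns the getaddrinfo() error code; on success stores the port of the
 * first result in *port_out (host byte order) when port_out is non-NULL. */
int resolve_serv(const char *host, const char *serv, int flags,
                 unsigned *port_out)
{
    struct addrinfo hint, *addrs = NULL;
    int err;
    memset(&hint, 0, sizeof(hint));
    hint.ai_family = AF_INET;
    hint.ai_socktype = SOCK_DGRAM;
    hint.ai_flags = flags;
    err = getaddrinfo(host, serv, &hint, &addrs);
    if (err != 0)
        return err;
    if (addrs != NULL && addrs->ai_family == AF_INET && port_out != NULL)
        *port_out = ntohs(((struct sockaddr_in *)addrs->ai_addr)->sin_port);
    freeaddrinfo(addrs);
    return 0;
}

/* Returns 1 when AI_NUMERICSERV accepts "88" but refuses the service name
 * "discard", 0 when the resolver does not behave that way, and -1 when the
 * flag is not defined on this platform. */
int numericserv_refuses_names(const char *host)
{
#ifdef AI_NUMERICSERV
    unsigned port = 0;
    int numeric = resolve_serv(host, "88", AI_NUMERICSERV, &port);
    int named = resolve_serv(host, "discard", AI_NUMERICSERV, NULL);
    return numeric == 0 && port == 88 && named != 0;
#else
    (void)host;
    return -1;
#endif
}

int main(void)
{
    const char *host = "127.0.0.1";   /* constructed: numeric, so no DNS */
    unsigned port = 0;
    int err = resolve_serv(host, "88", 0, &port);
    printf("\"88\", no flag: %s, port %u\n", err ? gai_strerror(err) : "ok", port);
    printf("AI_NUMERICSERV refuses names: %d\n", numericserv_refuses_names(host));
    return 0;
}
```

A result of 1 means any layer that swaps a numeric port for a service name must not pass AI_NUMERICSERV down with it.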