What is kinit waiting for?

Weijun Wang
I just wrote a tiny KDC for testing purposes and ran kinit on it.

$ kinit foo
[12207] 1450082323.957803: Getting initial credentials for foo@R
[12207] 1450082323.958526: Sending request (147 bytes) to R
[12207] 1450082323.958639: Resolving hostname 127.0.0.1
[12207] 1450082323.959392: Sending initial UDP request to dgram 127.0.0.1:9090
[12207] 1450082324.188447: Received answer (645 bytes) from dgram 127.0.0.1:9090
[12207] 1450082384.195594: Response was not from master KDC
[12207] 1450082384.195756: Processing preauth types: 19
[12207] 1450082384.195807: Selected etype info: etype aes256-cts-sha384, salt "Rfoo", params ""
[12207] 1450082384.195831: Produced preauth for next request: (empty)
[12207] 1450082384.195841: Getting AS key, salt "Rfoo", params ""
Password for foo@R:
[12207] 1450082387.600164: AS key obtained from gak_fct: aes256-cts-sha384/EC01
[12207] 1450082387.600252: Decrypted AS reply; session key is: aes256-cts/B712
[12207] 1450082387.600257: FAST negotiation: unavailable
[12207] 1450082387.600279: Initializing FILE:/tmp/krb5cc_K1 with default princ foo@R
[12207] 1450082387.600564: Storing foo@R -> krbtgt/R@R in FILE:/tmp/krb5cc_K1
Warning: Your password will expire in 23 hours on Tue Dec 15 16:38:44 2015

As you can see, after "Received answer (645 bytes) from dgram 127.0.0.1:9090", the tool waited for another 1 minute and printed out "Response was not from master KDC". What does this mean? The krb5.conf is simply

[libdefaults]
default_realm = R
forwardable = true

[realms]
R = {
    kdc = 127.0.0.1:9090
}

The KDC does not understand any PREAUTH header. Could that be the reason?

Thanks
Max
 
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: What is kinit waiting for?

Greg Hudson
On 12/14/2015 03:50 AM, Wang Weijun wrote:
> [12207] 1450082324.188447: Received answer (645 bytes) from dgram 127.0.0.1:9090
> [12207] 1450082384.195594: Response was not from master KDC

> As you can see, after "Received answer (645 bytes) from dgram 127.0.0.1:9090", the tool waited for another 1 minute and printed out "Response was not from master KDC". What does this mean? The krb5.conf is simply

> [realms]
> R = {
>     kdc = 127.0.0.1:9090
> }

Most likely kinit is performing a SRV query to find out if the response
was from a master KDC, and it is timing out.  There are two known
problems at play here:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=7721
    http://krbdev.mit.edu/rt/Ticket/Display.html?id=6782

You can suppress the SRV query by defining a master_kdc value in the
realm configuration (there is, unfortunately, no way to say "there are
no master KDCs" at present) or by setting dns_lookup_kdc = false in
[libdefaults].

Re: What is kinit waiting for?

Weijun Wang

> On Dec 14, 2015, at 11:39 PM, Greg Hudson <[hidden email]> wrote:
>
> You can suppress the SRV query by defining a master_kdc value in the
> realm configuration (there is, unfortunately, no way to say "there are
> no master KDCs" at present) or by setting dns_lookup_kdc = false in
> [libdefaults].

I set "dns_lookup_kdc = false" and it works.

Thanks
Max
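
The one-minute stall diagnosed in this thread can be located mechanically from the timestamps in a trace like the one in the first message. The following is an added example, not part of the thread or of MIT krb5; find_stalls and its threshold parameter are names chosen here, and the sample is an excerpt of the trace posted above.

```python
import re

# Trace lines have the form "[pid] epoch.micros: message", as in the thread.
TRACE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")

# Excerpt of the trace from the first message of the thread.
SAMPLE = """\
[12207] 1450082323.959392: Sending initial UDP request to dgram 127.0.0.1:9090
[12207] 1450082324.188447: Received answer (645 bytes) from dgram 127.0.0.1:9090
[12207] 1450082384.195594: Response was not from master KDC
[12207] 1450082384.195756: Processing preauth types: 19
[12207] 1450082384.195841: Getting AS key, salt "Rfoo", params ""
Password for foo@R:
[12207] 1450082387.600164: AS key obtained from gak_fct: aes256-cts-sha384/EC01
[12207] 1450082387.600252: Decrypted AS reply; session key is: aes256-cts/B712
"""


def find_stalls(trace_text, threshold=1.0):
    """Return gaps of at least `threshold` seconds between trace events.

    Each result is (seconds, event_before, event_after, prompt_between).
    prompt_between is True when a non-trace line (for example a password
    prompt) sits inside the gap, so the wait was probably the user typing
    rather than the library blocking on the network or DNS.
    """
    stalls = []
    prev = None            # (timestamp, message) of the previous trace event
    prompt_seen = False    # non-trace output seen since the previous event
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            if line.strip() and prev is not None:
                prompt_seen = True
            continue
        ts, msg = float(m.group(2)), m.group(3)
        if prev is not None and ts - prev[0] >= threshold:
            stalls.append((round(ts - prev[0], 3), prev[1], msg, prompt_seen))
        prev = (ts, msg)
        prompt_seen = False
    return stalls


if __name__ == "__main__":
    for gap, before, after, prompt in find_stalls(SAMPLE):
        kind = "interactive prompt" if prompt else "library wait"
        print(f"{gap:8.3f}s  {kind}: {before!r} -> {after!r}")
```

On the excerpt, the 60-second gap before "Response was not from master KDC" is reported as a library wait, while the 3.4-second gap around the password prompt is marked as interactive.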
