[krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS


[krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS

Greg Hudson via RT
For TCP connections (without a proxy), if the KDC accepts the
connection, we wait ten seconds before falling back to a different
server.  Our intent was that this logic should also apply to TCP
connections using a proxy, but it doesn't (because
sendto_kdc.c:get_endtime() ignores connection state objects where
state->addr.transport != TCP).  We can't fix that.

(For UDP, we have to retry pretty quickly because, unlike TCP, we get no
indication that the KDC is alive and listening and got our request until
it generates a response.  So UDP is incompatible with this kind of OTP
deployment and there isn't really a good way around it without extending
the protocol.)
_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
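An added model (not code from krb5 or from this thread) of the fallback rule described above: an accepted TCP connection earns a ten-second grace period before the client moves on to another server, while get_endtime() as reported skips any connection state whose transport is not TCP, so a proxied connection gets no grace period. The struct layout, the `HTTPS` transport name and the `proxied_gets_grace` switch are assumptions of this model, not krb5's own definitions.

```c
#include <stddef.h>

/* Constructed model of the fallback timer described in the ticket; this is
 * illustrative code, not krb5's sendto_kdc.c. Times are in seconds. */
enum transport { UDP, TCP, HTTPS };   /* HTTPS: TCP carried through a KDC proxy */
enum conn_status { INITIALIZING, CONNECTING, WRITING, READING, FAILED };

struct conn_state {
    enum transport transport;
    enum conn_status status;   /* WRITING or READING: the KDC accepted the connection */
    long endtime;              /* accept time + TCP_WAIT_SECONDS */
    struct conn_state *next;
};

#define TCP_WAIT_SECONDS 10

/* Latest endtime among accepted connections that are granted a grace period.
 * proxied_gets_grace == 0 mirrors the reported behaviour: only transport == TCP
 * is consulted, so an accepted proxy (HTTPS) connection never delays fallback.
 * proxied_gets_grace != 0 models the intended behaviour, where every non-UDP
 * connection counts. UDP never counts, as the ticket explains. */
long get_endtime(long endtime, const struct conn_state *conns, int proxied_gets_grace)
{
    for (const struct conn_state *s = conns; s != NULL; s = s->next) {
        int counts = proxied_gets_grace ? (s->transport != UDP)
                                        : (s->transport == TCP);
        if (counts && (s->status == WRITING || s->status == READING) &&
            s->endtime > endtime)
            endtime = s->endtime;
    }
    return endtime;
}

/* 1 if the client would move on to another KDC at time `now`. */
int would_fall_back(long now, const struct conn_state *conns, int proxied_gets_grace)
{
    return now >= get_endtime(0, conns, proxied_gets_grace);
}

/* Ticket scenario: the only connection goes through a KDC proxy, accepted at
 * t = 0, and no reply has arrived by t = 5 (OTP exchange still in progress). */
int proxy_scenario_falls_back(int proxied_gets_grace)
{
    struct conn_state proxy = { HTTPS, READING, TCP_WAIT_SECONDS, NULL };
    return would_fall_back(5, &proxy, proxied_gets_grace);
}

/* Plain TCP connection accepted at t = 0: fallback only once the 10 s elapse. */
int tcp_scenario_falls_back(long now)
{
    struct conn_state tcp = { TCP, READING, TCP_WAIT_SECONDS, NULL };
    return would_fall_back(now, &tcp, 0);
}
```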

Re: [krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS

Greg Hudson via RT

Hello Greg,

"Greg Hudson via RT" <[hidden email]> writes:

> For TCP connections (without a proxy), if the KDC accepts the
> connection, we wait ten seconds before falling back to a different
> server.  Our intent was that this logic should also apply to TCP
> connections using a proxy, but it doesn't (because
> sendto_kdc.c:get_endtime() ignores connection state objects where
> state->addr.transport != TCP).

That was what I hoped for, but, unfortunately:

> We can't fix that.

I've seen that HTTPS seems somewhat bolted on to the TCP transport, so I
hoped to get something similar going.

> (For UDP, we have to retry pretty quickly because, unlike TCP, we get no
> indication that the KDC is alive and listening and got our request until
> it generates a response.  So UDP is incompatible with this kind of OTP
> deployment and there isn't really a good way around it without extending
> the protocol.)

Do you see some solution on the horizon? If not, feel free to close the
ticket with "CANTFIX" or "WONTFIX". I'll try to find a configuration to
work around the limitations for me.

Thanks for your quick response.

Jochen

--
This space is intentionally left blank.


Re: [krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS

Greg Hudson via RT
"Greg Hudson via RT" <[hidden email]> writes:

> Oops, sorry for the typo--I meant to write "We can fix that."  In fact,
> I think it's a pretty trivial fix.  I will submit a PR for it soon.

That's even better!  Thanks again.

Jochen

--
This space is intentionally left blank.
