ping for kdc utility?

Wang Shouhua
Is there such a utility which can issue a "ping" (null command) to
the kdc to see if it is still responding?

Wang
--
Wang Shouhua - [hidden email]
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: ping for kdc utility?

Benjamin Kaduk-2
On Wed, 2 Apr 2014, Wang Shouhua wrote:

> Is there such an utility which can issue a "ping" (null command) to
> the kdc to see if it is still responding?

I'm not aware of a dedicated utility.  However, the KDC is basically a
stateless UDP service, so recording a live transaction and replaying an
input packet is expected to yield some sort of response packet.  Doing
this periodically allows for a very primitive "liveness check" which can
be used in some monitoring setups.  Of course, if one wants to monitor
that the KDC is actually functioning properly and not just spewing error
packets, more effort is required.

-Ben Kaduk

Re: ping for kdc utility?

Wang Shouhua
On 2 April 2014 21:46, Benjamin Kaduk <[hidden email]> wrote:

> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>
>> Is there such an utility which can issue a "ping" (null command) to
>> the kdc to see if it is still responding?
>
>
> I'm not aware of a dedicated utility.  However, the KDC is basically a
> stateless UDP service, so recording a live transaction and replaying an
> input packet is expected to yield some sort of response packet.  Doing this
> periodically allows for a very primitive "liveness check" which can be used
> in some monitoring setups.  Of course, if one wants to monitor that the KDC
> is actually functioning properly and not just spewing error packets, more
> effort is required.
Does the Kerberos5 core protocol have a 'null' operation?

Wang
--
Wang Shouhua - [hidden email]
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN



Re: ping for kdc utility?

Chris Hecker
In reply to this post by Benjamin Kaduk-2

I use kadm5_get_privs as a ping for an admin perl script, see this thread:

http://mailman.mit.edu/pipermail/kerberos/2012-February/017811.html

Chris


On 2014-04-02 12:46, Benjamin Kaduk wrote:

> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>
>> Is there such an utility which can issue a "ping" (null command) to
>> the kdc to see if it is still responding?
>
> I'm not aware of a dedicated utility.  However, the KDC is basically a
> stateless UDP service, so recording a live transaction and replaying an
> input packet is expected to yield some sort of response packet.  Doing
> this periodically allows for a very primitive "liveness check" which can
> be used in some monitoring setups.  Of course, if one wants to monitor
> that the KDC is actually functioning properly and not just spewing error
> packets, more effort is required.
>
> -Ben Kaduk

Re: ping for kdc utility?

Tom Yu
In reply to this post by Wang Shouhua
Wang Shouhua <[hidden email]> writes:

> On 2 April 2014 21:46, Benjamin Kaduk <[hidden email]> wrote:
>> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>>
>>> Is there such an utility which can issue a "ping" (null command) to
>>> the kdc to see if it is still responding?
>>
>>
>> I'm not aware of a dedicated utility.  However, the KDC is basically a
>> stateless UDP service, so recording a live transaction and replaying an
>> input packet is expected to yield some sort of response packet.  Doing this
>> periodically allows for a very primitive "liveness check" which can be used
>> in some monitoring setups.  Of course, if one wants to monitor that the KDC
>> is actually functioning properly and not just spewing error packets, more
>> effort is required.
>
> Does the Kerberos5 core protocol have a 'null' operation?

It does not, unless you count correctly formatted yet invalid KDC-REQs
that can elicit KRB-ERROR messages.  If you don't count that, could
you describe why having a null operation is important for your
purposes?
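
The "correctly formatted yet invalid KDC-REQ" Tom describes, and the replayed-packet check Ben sketches, are enough to build the missing utility without a packet capture. What follows is an added example, not code from the thread or from MIT krb5: it hand-encodes an AS-REQ with no pre-authentication data (RFC 4120 sections 5.4.1 and 5.9.1), sends it over UDP/88 and classifies whatever comes back. The realm, client name and KDC host are placeholders, and the KRB-ERROR it decodes offline is constructed with the same encoder rather than captured from a real KDC.

```python
import os
import socket
from datetime import datetime, timedelta, timezone

# Minimal DER encoder: just the constructs KDC-REQ and KRB-ERROR use (RFC 4120 5.4.1, 5.9.1).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def ctx(n, payload):                    # EXPLICIT context tag [n], constructed
    return tlv(0xA0 | n, payload)
def der_int(v):                         # INTEGER, minimal two's-complement body
    n = (v.bit_length() if v >= 0 else (~v).bit_length()) // 8 + 1
    return tlv(0x02, v.to_bytes(n, 'big', signed=True))
def kstr(s):                            # KerberosString = GeneralString (0x1B)
    return tlv(0x1B, s.encode('ascii'))
def ktime(t):                           # KerberosTime = GeneralizedTime, no fraction, Z
    return tlv(0x18, t.strftime('%Y%m%d%H%M%SZ').encode('ascii'))

def principal(name_type, parts):        # PrincipalName: name-type [0], name-string [1]
    return tlv(0x30, ctx(0, der_int(name_type)) +
                     ctx(1, tlv(0x30, b''.join(kstr(p) for p in parts))))

NT_PRINCIPAL, NT_SRV_INST = 1, 2
APP_AS_REQ, APP_AS_REP, APP_KRB_ERROR = 0x6A, 0x6B, 0x7E   # [APPLICATION 10], [11], [30]

def build_as_req(realm, client, etypes=(18, 17), nonce=None, till=None):
    """AS-REQ for client@realm naming krbtgt/realm, with no padata: well-formed, but a
    KDC will almost always answer it with KRB-ERROR (PREAUTH_REQUIRED or
    C_PRINCIPAL_UNKNOWN). Any parseable answer is proof of life; silence is the fault."""
    nonce = int.from_bytes(os.urandom(4), 'big') if nonce is None else nonce
    till = till or datetime.now(timezone.utc) + timedelta(hours=1)
    body = tlv(0x30,
               ctx(0, tlv(0x03, b'\x00' * 5)) +                    # kdc-options: 32 bits, all clear
               ctx(1, principal(NT_PRINCIPAL, [client])) +          # cname
               ctx(2, kstr(realm)) +                                # realm
               ctx(3, principal(NT_SRV_INST, ['krbtgt', realm])) +  # sname
               ctx(5, ktime(till)) +                                # till
               ctx(7, der_int(nonce)) +                             # nonce
               ctx(8, tlv(0x30, b''.join(der_int(e) for e in etypes))))  # etype
    return tlv(APP_AS_REQ, tlv(0x30, ctx(1, der_int(5)) + ctx(2, der_int(10)) + ctx(4, body)))

def read_tlv(buf, pos=0):               # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

ERROR_NAMES = {6: 'KDC_ERR_C_PRINCIPAL_UNKNOWN', 7: 'KDC_ERR_S_PRINCIPAL_UNKNOWN',
               14: 'KDC_ERR_ETYPE_NOSUPP', 25: 'KDC_ERR_PREAUTH_REQUIRED', 68: 'KDC_ERR_WRONG_REALM'}

def parse_kdc_reply(data):
    """Classify one KDC datagram: AS-REP, KRB-ERROR (with error-code/e-text), unknown, or malformed."""
    try:
        tag, inner, end = read_tlv(data)
        if end != len(data):
            return {'msg': 'malformed'}
        if tag == APP_AS_REP:
            return {'msg': 'AS-REP'}
        if tag != APP_KRB_ERROR:
            return {'msg': 'unknown', 'tag': tag}
        out, (_, seq, _), pos = {'msg': 'KRB-ERROR'}, read_tlv(inner), 0
        while pos < len(seq):
            t, wrapped, pos = read_tlv(seq, pos)
            _, val, _ = read_tlv(wrapped)                      # strip the EXPLICIT [n] wrapper
            if t == 0xA6:                                       # error-code [6]
                code = int.from_bytes(val, 'big', signed=True)
                out['error_code'], out['error_name'] = code, ERROR_NAMES.get(code, 'other')
            elif t == 0xAB:                                     # e-text [11]
                out['e_text'] = val.decode('ascii', 'replace')
        return out
    except IndexError:
        return {'msg': 'malformed'}

def kdc_probe(host, realm, port=88, timeout=3.0, client='kdcping'):
    """One UDP round trip; raises socket.timeout when the KDC, or the path to it, is dead."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_as_req(realm, client), (host, port))
        data, _ = sock.recvfrom(65535)
    return parse_kdc_reply(data)

def sample_krb_error(error_code, e_text='', realm='EXAMPLE.COM'):
    """Constructed KRB-ERROR for offline testing: shaped like a real one, not captured from a KDC."""
    seq = tlv(0x30, ctx(0, der_int(5)) + ctx(1, der_int(30)) +
              ctx(4, ktime(datetime(2014, 4, 2, 20, 0, 0, tzinfo=timezone.utc))) + ctx(5, der_int(0)) +
              ctx(6, der_int(error_code)) + ctx(9, kstr(realm)) +
              ctx(10, principal(NT_SRV_INST, ['krbtgt', realm])) +
              (ctx(11, kstr(e_text)) if e_text else b''))
    return tlv(APP_KRB_ERROR, seq)

if __name__ == '__main__':
    import sys
    try:   # usage: kdc_probe.py <kdc-host> <REALM>; with no arguments, decode the constructed sample
        print(kdc_probe(*sys.argv[1:3]) if len(sys.argv) == 3
              else parse_kdc_reply(sample_krb_error(25, 'Additional pre-authentication required')))
    except socket.timeout:
        print('no reply: KDC down, or UDP/88 blocked on the path')
```

A KRB-ERROR answers Wang's question (is the daemon up and decoding packets?) but nothing more: a KDC whose database is broken will still produce error packets, which is Ben's caveat. For a functional check, authenticate with a keytab as Russ describes below; for the liveness check, run this from a monitor and alert on socket.timeout rather than on the error code.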

Re: ping for kdc utility?

Brandon Allbery
In reply to this post by Chris Hecker
On Wed, 2014-04-02 at 12:57 -0700, Chris Hecker wrote:
> I use kadm5_get_privs as a ping for an admin perl script, see this thread:
>
> http://mailman.mit.edu/pipermail/kerberos/2012-February/017811.html

That does not test the KDC, it tests kadmind.

--
brandon s allbery kf8nh                           sine nomine associates
[hidden email]                              [hidden email]
unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net



Re: ping for kdc utility?

Wang Shouhua
In reply to this post by Tom Yu
On 2 April 2014 22:01, Tom Yu <[hidden email]> wrote:

> Wang Shouhua <[hidden email]> writes:
>
>> On 2 April 2014 21:46, Benjamin Kaduk <[hidden email]> wrote:
>>> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>>>
>>>> Is there such an utility which can issue a "ping" (null command) to
>>>> the kdc to see if it is still responding?
>>>
>>>
>>> I'm not aware of a dedicated utility.  However, the KDC is basically a
>>> stateless UDP service, so recording a live transaction and replaying an
>>> input packet is expected to yield some sort of response packet.  Doing this
>>> periodically allows for a very primitive "liveness check" which can be used
>>> in some monitoring setups.  Of course, if one wants to monitor that the KDC
>>> is actually functioning properly and not just spewing error packets, more
>>> effort is required.
>>
>> Does the Kerberos5 core protocol have a 'null' operation?
>
> It does not, unless you count correctly formatted yet invalid KDC-REQs
> that can elicit KRB-ERROR messages.  If you don't count that, could
> you describe why having a null operation is important for your
> purposes?
To see if the KDC is still 'alive and kicking'. Apparently some
students-as-admins here spent the whole night trying to find a problem in
our Kerberos setup and were very exhausted. The problem turned out to be
a switch/firewall problem which caused the KDC to stop processing
requests after some time, something which could have been diagnosed much
earlier using a dedicated utility.

Wang
--
Wang Shouhua - [hidden email]
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN



Re: ping for kdc utility?

Russ Allbery-2
Wang Shouhua <[hidden email]> writes:

> To see if the KDC is still 'alive and kicking'. Apparently some
> students-as-admins here spend the night trying to find a problem in our
> Kerberos setup the whole night and they are very exhausted. The problem
> turned out to be a switch/firewall problem which caused the KDC to stop
> processing requests after some time, something which could have been
> diagnosed much earlier using a dedicated utility.

I would just authenticate using a keytab and ensure that you can get
tickets.  Here's the script we use for that purpose.  Note that this is
something of a hack and does things like use predictable files in /tmp by
default, so use with caution.  It uses k5start, but you could easily
modify it to use kinit instead.

#!/usr/bin/perl
#
# kdc-check -- Check a Kerberos KDC for correct operation.
#
# Written by R.L. "Bob" Morgan
# Updated by Russ Allbery <[hidden email]>
# Copyright 1994, 2003, 2011
#     The Board of Trustees of the Leland Stanford Junior University

##############################################################################
# Site configuration
##############################################################################

# The location of Kerberos v5 files and programs.  The keytab location should
# contain host/<hostname> and the k5start program must support -q, -f, and -u.
our $KRB5_CONF  = '/etc/krb5.conf';
our $KRB_KEYTAB = '/etc/krb5.keytab';
our $K5START    = '/usr/bin/k5start';

# Path to klist that supports the -5 option.
our $KLIST      = '/usr/bin/klist';

##############################################################################
# Modules and declarations
##############################################################################

require 5.003;

use strict;

use Getopt::Long qw(GetOptions);
use Fcntl qw(O_CREAT O_EXCL O_WRONLY);
use Net::Domain qw(hostfqdn);
use Sys::Hostname qw(hostname);

our $USAGE = <<'EOU';
Usage: kdc-check [-5dv] [-c <conf>] [-f <keytab>] [-p <user>] [-r <realm>]
                 [-s <server>]

Checks a Kerberos server by attempting to obtain a ticket.  By default, it
obtains a TGT for host/<hostname> for the local fully qualified system
name, using the keytab in /etc/krb5.keytab and the Kerberos KDCs defined
in the default krb5.conf.

Options:

  -5            Ignored for backward compatibility
  -c <conf>     Use <conf> instead of the default krb5.conf
  -d            Enable debugging (don't delete temporary files)
  -f <keytab>   Use <keytab> instead of /etc/krb5.keytab
  -p <user>     Obtain tickets for <user> instead of host/<hostname>
  -r <realm>    Use the realm <realm>, requires -s be given
  -s <server>   Use the KDC <server>, writing out a temporary krb5.conf
  -v            Be verbose

Exit status:

  0     if server is up and returns proper response
  1     otherwise

EOU
#'# for cperl-mode

##############################################################################
# Kerberos handling
##############################################################################

# Create a temporary file name and return it.  This is a really bad function
# for this and should be replaced with a standard tmp file creation call.
sub tmp_file_name {
    my $program = $0;
    $program =~ s%.*/%%;
    my $tmp = $ENV{TMPDIR} || '/tmp';
    return "$tmp/$program.$$";
}

# Create a krb5.conf file limited to the particular server.  Takes the realm
# name, the server, and optionally the file name into which to put the new
# krb5.conf file, and returns the file name used.  Ideally more of the
# libdefaults section should come from the current configuration file.
sub create_krb5_conf {
    my ($realm, $server, $file) = @_;
    $file = tmp_file_name unless $file;
    sysopen (CONF, $file, O_WRONLY | O_CREAT | O_EXCL)
        or die "$0: cannot create $file: $!\n";
    print CONF <<"EOC";
[libdefaults]
    default_realm   = $realm
    ticket_lifetime = 25hrs

[realms]
    $realm = {
        kdc         = $server:88
    }
EOC
    close CONF or die "$0: cannot flush $file: $!\n";
    return $file;
}

# Given the path to the krb5.conf file, determine the default realm name and
# return it.
sub get_realm {
    my ($conf) = @_;
    open (CONF, $conf) or die "$0: cannot open $conf: $!\n";
    my $realm;
    while (<CONF>) {
        if (/^\s*default_realm\s*=\s*(\S+)/) {
            $realm = $1;
            last;
        }
    }
    return $realm;
}

# Obtain a ticket using k5start.  Takes the ticket file into which it should
# be put, the path to the keytab file, the principal, and a flag saying
# whether to be verbose.  Returns true on success, false on failure.
sub get_ticket {
    my ($cache, $srvtab, $principal, $verbose) = @_;
    unlink $cache;
    $ENV{KRB5CCNAME} = $cache;
    die "$0: unsafe ticket cache name: $cache\n" if $cache =~ /[\'\\\s]/;
    my @args = ('-f', $srvtab, '-u', $principal);
    unshift (@args, '-q') unless $verbose;
    return (system ($K5START, @args) == 0);
}

# Check a Kerberos ticket cache to make sure that it contains the right
# principal.  Takes the cache to check and the principal we're looking for and
# runs klist on the file.
sub check_ticket {
    my ($cache, $principal) = @_;
    my $output = `$KLIST -5 '$cache'`;
    # Quote the principal: a host/fqdn name contains regex metacharacters.
    return ($output =~ /\nDefault principal: \Q$principal\E(\@|\s)/);
}

##############################################################################
# Implementation
##############################################################################

# Trim $0 for error messages.
my $fullname = $0;
$0 =~ s%.*/%%;

# Parse the command line options.
my ($config, $debug, $dummy, $principal, $realm, $server, $keytab,
    $verbose, $help, $version);
Getopt::Long::Configure ('bundling');
GetOptions ('5|krb5'        => \$dummy,
            'c|config=s'    => \$config,
            'd|debug'       => \$debug,
            'f|keytab=s'    => \$keytab,
            'h|help'        => \$help,
            'p|principal=s' => \$principal,
            'r|realm=s'     => \$realm,
            's|server=s'    => \$server,
            'v|verbose'     => \$verbose) or exit 1;

# Act on some standard options.
if ($help) {
    print $USAGE;
    exit 0;
}

# Determine the principal and keytab.
my $hostname = hostfqdn;
$principal = 'host/' . $hostname unless $principal;
$keytab = $KRB_KEYTAB unless $keytab;

# Check the command-line options for consistency and set some defaults.
die "$0: -c cannot be given if -s is given\n" if $config && $server;
die "$0: -r <realm> requires -s <server>\n" if $realm && !$server;
$verbose = 1 if $debug;
if ($server && !$realm) {
    $realm = get_realm ($KRB5_CONF)
        or die "$0: cannot obtain Kerberos realm from $KRB5_CONF\n";
}
$config = create_krb5_conf ($realm, $server) if $server;
$ENV{KRB5_CONFIG} = $config if $config;
my $cache = ($ENV{TMPDIR} || '/tmp') . "/kdc-check.tk$$";

# Print out debugging information if desired.
if ($debug) {
    print "server       = $server\n";
    print "realm        = $realm\n";
    print "principal    = $principal\n";
    print "keytab       = $keytab\n";
    print "cache        = $cache\n";
    print "config       = $config\n";
    print "\nWill run the command:\n\n";
    print "    $K5START " . ($verbose ? '' : "-q ")
        . "-f $keytab -u $principal\n\n";
}

# Now, do the actual work.
my $status;
$status = get_ticket ($cache, $keytab, $principal, $verbose);
$status = check_ticket ($cache, $principal) if $status;
unless ($debug) {
    unlink $cache;
    unlink $config if $server;
}
exit ($status ? 0 : 1);

##############################################################################
# Documentation
##############################################################################

=head1 NAME

kdc-check - Check a Kerberos KDC for correct operation

=head1 SYNOPSIS

B<kdc-check> [B<-5dhv>] [B<-c> I<config>] [B<-f> I<srvtab>]
    S<[B<-p> I<principal>]> [B<-r> I<realm>] [B<-s> I<server>]

=head1 DESCRIPTION

B<kdc-check> checks the operation of a Kerberos KDC by attempting to
obtain a ticket from it.  It depends on B<k5start> to actually obtain the
ticket. Use the "kstart" Debian package.

It obtains the default realm from F</etc/krb5.conf> and then attempts to
obtain a Kerberos TGT for host/<hostname> in that realm using
F</etc/krb5.keytab>, where <hostname> is the fully-qualified name of the
local system.  Various options can change that behavior.

B<kdc-check> exits with status 0 if the KDC hands back the appropriate
ticket, and with status 1 otherwise.

=head1 OPTIONS

=over 4

=item B<-5>, B<--krb5>

Ignored for backward compatibility.

=item B<-c> I<config>, B<--config>=I<config>

Use I<config> as the krb5.conf file rather than F</etc/krb5.conf>.  This
option cannot be used in combination with the B<-s> option.  It sets the
environment variable KRB5_CONFIG to point the Kerberos libraries at a
different configuration file.

=item B<-d>, B<--debug>

Do not delete the temporary files and print out the values of all internal
variables.  This flag implies B<-v>.

=item B<-f> I<keytab>, B<--keytab>=I<keytab>

Use I<keytab> as the keytab for authentication rather than the default of
F</etc/krb5.keytab>.

=item B<-h>, B<--help>

Print out usage information.

=item B<-p> I<principal>, B<--principal>=I<principal>

Authenticate as I<principal> rather than as the default of host/<host>
where <host> is the fully-qualified local hostname.

=item B<-r> I<realm>, B<--realm>=I<realm>

Obtain a ticket in I<realm> rather than the default Kerberos realm (as
determined by looking in F</etc/krb5.conf>).  This option can only be used
in combination with B<-s>.

=item B<-s> I<server>, B<--server>=I<server>

Obtain tickets specifically from I<server> rather than using the system
default krb5.conf.  This is done by writing out a one-time krb5.conf file
and then setting the environment variable KRB5_CONFIG to point to it.  The
realm can be specified with B<-r>, and if not specified is taken from the
system krb5.conf.  This option cannot be used with B<-c> (for obvious
reasons).

=item B<-v>, B<--verbose>

Do not pass the B<-q> flag to B<k5start>, allowing B<k5start> to be more
verbose about what it's doing.  This flag is implied by B<-d>.

=back

=head1 EXAMPLES

Check default operations by obtaining a TGT for host/<host> using
F</etc/krb5.keytab> from whatever servers are listed in the system default
krb5.conf file (F</etc/krb5.conf>):

    kdc-check

Specifically test that kerberos1.stanford.edu returns a TGT for the
stanford.edu realm, using the default principal and keytab:

    kdc-check -s kerberos1.stanford.edu -r stanford.edu

Test that kerberos1.stanford.edu returns a TGT for the default realm, as
determined from the system krb5.conf file (F</etc/krb5.conf>), for the
principal service/monitoring, using the keytab in
F</etc/keytabs/service.monitoring> for authentication.

    kdc-check -s kerberos1.stanford.edu -p service/monitoring \
        -f /etc/keytabs/service.monitoring

=head1 SEE ALSO

k5start(1)

=head1 AUTHORS

Original version written by R.L. "Bob" Morgan.  Updated and reorganized by
Russ Allbery <[hidden email]>, who also added Kerberos v5 support.

=cut

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: ping for kdc utility?

Chris Hecker
In reply to this post by Brandon Allbery
Ah. Right, sorry!

Chris
On Apr 2, 2014 1:08 PM, "Brandon Allbery" <[hidden email]> wrote:

> On Wed, 2014-04-02 at 12:57 -0700, Chris Hecker wrote:
> > I use kadm5_get_privs as a ping for an admin perl script, see this
> thread:
> >
> > http://mailman.mit.edu/pipermail/kerberos/2012-February/017811.html
>
> That does not test the KDC, it tests kadmind.
>
> --
> brandon s allbery kf8nh                           sine nomine associates
> [hidden email]                              [hidden email]
> unix, openafs, kerberos, infrastructure, xmonad    http://sinenomine.net
>
>

Re: ping for kdc utility?

Nico Williams

Re: ping for kdc utility?

Thomas Kula
In reply to this post by Wang Shouhua
On Wed, Apr 02, 2014 at 09:19:00PM +0200, Wang Shouhua wrote:
> Is there such an utility which can issue a "ping" (null command) to
> the kdc to see if it is still responding?
>


The last time I was responsible for such a thing, I wrote a script that
did the following:

- Using a keytab, change the password of a test principal to a known
  random string.
- Wait some minimally acceptable replication delay interval.
- Using a specially crafted krb5.conf file for each kdc (disable dns
  lookups, the only kdc listed in each conf file was the kdc I was
  testing), try to get a ticket for the test principal using that known
  random string.

This verified that enough of the master KDC was working to change
passwords, that the changed password was making it to each KDC, and that
each KDC could deliver at least a TGT.

I believe I used one of the Perl kerberos libraries --- Perl isn't my
first choice of scripting languages, but it had all the things I needed
and wasn't C. For all I know, this may still be running at my last job.
It used to be in a publicly accessible CVSweb repo, but apparently
that's no longer working....

I did run into a problem at some point, either rolling over the KVNO on
the test principal, or it getting large enough that something making a
stupid assumption broke; I don't remember which. Deleting and
re-creating the principal fixed that.


--
Thomas L. Kula | [hidden email] | http://kula.tproa.net/

Re: ping for kdc utility?

Elia Pinto
In reply to this post by Wang Shouhua
I have written a script for this. I can share if interested.

Best regards
On 02/apr/2014 21:24 "Wang Shouhua" <[hidden email]> wrote:

> Is there such an utility which can issue a "ping" (null command) to
> the kdc to see if it is still responding?
>
> Wang


Re: ping for kdc utility?

Andrea Campi
I use something based on https://github.com/mhorowitz/pykrb5, wrapped with
gevent.
That makes it easy to continuously monitor hundreds of KDCs with very low
CPU use.

I would advise doing a TGS request rather than AS as that makes it easy to
filter these out of your logs. Just create kdcping/hostname principals :)


On Thu, Apr 3, 2014 at 7:29 AM, Elia Pinto <[hidden email]> wrote:

> I am written a script for this. I can share if interested.
>
> Best regards
> Il 02/apr/2014 21:24 "Wang Shouhua" <[hidden email]> ha scritto:
>
> > Is there such an utility which can issue a "ping" (null command) to
> > the kdc to see if it is still responding?
> >
> > Wang
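
Two of the approaches in this thread, Thomas Kula's rotate-then-authenticate-against-each-KDC check and Andrea Campi's advice to make the probe a TGS request for a dedicated kdcping/<host> principal, fit together in one script. The following is an added example, not code from either poster or from MIT krb5. It assumes the MIT command-line tools kadmin, kinit and kvno are on PATH, that the monitoring host holds a keytab for an admin principal allowed to change the test principal's password, that a kdcping/<kdc-host> service principal exists for every KDC, and that the host and realm names are placeholders.

```python
import os
import secrets
import subprocess
import tempfile
import time

def per_kdc_krb5_conf(realm, kdc_host):
    """A krb5.conf that can reach exactly one KDC: DNS discovery off, a single kdc line.

    Without dns_lookup_kdc = false the library may fall over to a sibling KDC found
    through SRV records, and a dead server would be reported as healthy.
    """
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_kdc = false\n"
        "    dns_lookup_realm = false\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"        kdc = {kdc_host}:88\n"
        "    }\n"
    )

def new_test_password():
    """Random and hex-only, so it can never be parsed as a kadmin option."""
    return secrets.token_hex(16)

def rotate_test_password(admin_principal, keytab, test_principal):
    """Step 1: change the test principal's password through kadmin, authenticated by keytab.

    The cpw command goes in on kadmin's stdin, so the new password never appears in argv.
    """
    password = new_test_password()
    subprocess.run(['kadmin', '-k', '-t', keytab, '-p', admin_principal],
                   input=f'cpw -pw {password} {test_principal}\nquit\n',
                   text=True, check=True, capture_output=True, timeout=30)
    return password

def check_kdc(kdc_host, realm, test_principal, password, timeout=10):
    """Step 3: kinit against exactly one KDC, then a TGS-REQ for kdcping/<kdc_host> on it.

    Returns (ok, detail). The kvno call is the TGS request Andrea suggests: it names a
    dedicated service principal, so the probes are trivial to filter out of the KDC log.
    """
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, 'krb5.conf')
        with open(conf, 'w') as fh:
            fh.write(per_kdc_krb5_conf(realm, kdc_host))
        env = dict(os.environ, KRB5_CONFIG=conf, KRB5CCNAME='FILE:' + os.path.join(tmp, 'cc'))
        try:
            subprocess.run(['kinit', test_principal], input=password + '\n', text=True,
                           env=env, check=True, capture_output=True, timeout=timeout)
            subprocess.run(['kvno', f'kdcping/{kdc_host}'], text=True,
                           env=env, check=True, capture_output=True, timeout=timeout)
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired, FileNotFoundError) as exc:
            detail = getattr(exc, 'stderr', None) or str(exc)
            return False, detail.strip()
    return True, 'ok'

def check_all_kdcs(kdcs, realm, admin_principal, keytab, test_principal, replication_delay=30):
    """Steps 1-3 together: rotate, wait for propagation, then test every KDC in isolation."""
    password = rotate_test_password(admin_principal, keytab, test_principal)
    time.sleep(replication_delay)      # Step 2: let kprop / incremental propagation run
    return {kdc: check_kdc(kdc, realm, test_principal, password) for kdc in kdcs}

if __name__ == '__main__':
    # Placeholder hosts, realm, principal and keytab: adjust to your own realm.
    results = check_all_kdcs(['kdc1.example.com', 'kdc2.example.com'], 'EXAMPLE.COM',
                             'monitor/admin', '/etc/keytabs/monitor.keytab', 'kdcping-test')
    for kdc, (ok, detail) in results.items():
        print(f'{kdc}: {"OK" if ok else "FAIL: " + detail}')
```

Every password change bumps the test principal's kvno; if something in your environment chokes on a large kvno, as Thomas reports, delete and recreate the principal. Set replication_delay to match your kprop or incremental-propagation interval, and treat a False from one KDC as that KDC failing rather than the realm: the per-KDC krb5.conf disables DNS lookup precisely so the library cannot silently fail over to a healthy sibling.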