On Thu, Jun 24, 1999 at 02:17:10PM +0100, Matt Kern wrote: > Hi, Brian. > > > Phew! What a relief - now I don't have to do it ;-) > > If I fail I'll be sure to pass everything on to you :) Err... If I haven't already given up! I have found this irratating problem, with kerberos V - kinit doesn't work on a remote computer to the KDC, it only seems to work on the KDC. I have straced and tcpdumped it and everything looks fine at the program level, but the kernel rejects a valid(??) UDP packet for no good reason (that I can see). Anyone who knows UDP should be able to solve this... (I thought I did). Well, Anyway here is the problem: 1. After typing in the password into kinit, a message is sent to the KDC (following is from strace): send(5, ..., 157, 0) = 157 select(6, [5], NULL, NULL, {1, 0}) I believe the client is now patiently waiting for a response. 2. The server gets message and sends the reply. 3. The client computer returns an icmp packet (as seen by tcpdump), "port unreachable error". WHY???? Why doesn't return the same error when connecting to localhost? 4. The server gets and displays the error when it trys to receive the response. 5. The client times out and trys to retransmit again. 6. The server detects that the message has been replayed and issues replayed error messages. 7. 5 and 6 repeat until I push Ctrl+X at kinit. This is the log from KDC: Jun 26 20:23:15 snoopy krb5kdc[9691](info): AS_REQ 192.168.87.134(88): ISSUE: authtime 930392595, bam@CHOCBIT.ORG.AU for krbtgt/CHOCBIT.ORG.AU@CHOCBIT.ORG.AU krb5kdc: Connection refused - while receiving from network Jun 26 20:23:16 snoopy krb5kdc[9691](info): DISPATCH: replay found and re-transmitted krb5kdc: Connection refused - while receiving from network This is the tcpdump: 20:26:25.814454 dewey.chocbit.org.au.1942 > snoopy.apana.org.au.kerberos: v5 20:26:25.834454 snoopy.chocbit.org.au.kerberos > dewey.chocbit.org.au.1942: v5 20:26:25.834454 dewey.chocbit.org.au > snoopy.chocbit.org.au: icmp: dewey.chocbit.org.au udp port 1942 unreachable [tos 0xc0] 20:26:26.814454 dewey.chocbit.org.au.1943 > snoopy.apana.org.au.kerberos4: v5 20:26:26.824454 snoopy.chocbit.org.au.kerberos4 > dewey.chocbit.org.au.1943: v5 20:26:26.824454 dewey.chocbit.org.au > snoopy.chocbit.org.au: icmp: dewey.chocbit.org.au udp port 1943 unreachable [tos 0xc0] 20:26:27.824454 dewey.chocbit.org.au.1942 > snoopy.apana.org.au.kerberos: v5 20:26:27.834454 snoopy.chocbit.org.au.kerberos > dewey.chocbit.org.au.1942: v5 20:26:27.834454 dewey.chocbit.org.au > snoopy.chocbit.org.au: icmp: dewey.chocbit.org.au udp port 1942 unreachable [tos 0xc0] Arrgghh! this is driving me crazy - under what circumstances does the linux kernel bounce UDP packets with this error? Here is the strace of kinit that works (ie on localhost). Same code, etc socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4 connect(4, {sin_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("202.12.87.129")}, 16) = 0 send(4, "j\201\3070\201\304\241\3\2\1\5\242"..., 202, 0) = 202 select(5, [4], NULL, NULL, {1, 0}) = 1 (in [4], left {0, 950000}) recv(4, "k\202\2h0\202\2d\240\3\2\1\5\241"..., 4096, 0) = 620 close(4) = 0 What is even more weird, was is the following: client server works? ------------------------------------- version4 version4 YES version4 version5 NO!!!! version5 version5 NO ie the problem at the client end only started when I upgraded the server!!!!!! I am afraid I cannot understand why??? Is the server sending something in the packet that the client doesn't understand? My server is Linux 2.2.6 and the client is 2.0.36. (UDP dead on the computer??? Maybe I should try rebooting... However DNS works fine.) Please tell me if I have missed any important information. > This is a well written page that manages to get across the mechanics > without giving the reader suicidal urges. Not true - that web page doesn't document this problem ;-). -- Brian May <bam@snoopy.apana.org.au>
Attachment:
pgp3hnhgaVR3k.pgp
Description: PGP signature