Bug 1231886

Summary: kadmind should take the port for incremental propagation from portrelease
Product: Red Hat Enterprise Linux 6 Reporter: Patrik Kis <pkis>
Component: krb5Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA QA Contact: Patrik Kis <pkis>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.7CC: dpal, glamb, jplans, mkosek, nalin, rharwood, salmy, santony
Target Milestone: rcKeywords: EasyFix, FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.10.3-44.el6 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-11 01:01:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrik Kis 2015-06-15 14:36:13 UTC 
Description of problem:
When incremental propagation is configured kadmind can not bind to port 754 on master server because that is reserved by portreserve.
It would be nice if kadmind in its init script could release this port, similarly as it releases the port 749.
Note, that port 754 is released normaly by kpropd, but as kpropd and kadmind can not run in the same time, this would not conflict.

IMHO, the this could be fixed by just adding the following line into /etc/init.d/kadmin:
[ -x /sbin/portrelease ] && /sbin/portrelease krb5_prop &>/dev/null || :

Version-Release number of selected component (if applicable):
krb5-libs-1.10.3-42.el6

How reproducible:
always

Steps to Reproduce:
1. Configure incremental propagation:

# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SAFETY-INSPECTOR.SECTOR7G.NUCLEAR-POWER-PLANT.SPRINGSFIELD.NET = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  iprop_enable = true
  iprop_port = 754
 }

2. Start kadmind

# service portreserve status
portreserve (pid  24500) is running...
# service kadmin start
Starting Kerberos 5 Admin Server: [  OK  ]
#
# tail /var/log/kadmind.log
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): setting up network...
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 7: udp 0.0.0.0.464 (pktinfo)
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
kadmind: Invalid argument - Cannot request packet info for udp socket address :: port 464
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): skipping unrecognized local address family 17
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): skipping unrecognized local address family 17
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 8: udp fd16::5054:ff:fe91:2364.464
kadmind: setsockopt(9,IPV6_V6ONLY,1) worked
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 9: udp 2620:52:0:1040:5054:ff:fe91:2364.464
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 10: udp fe80::5054:ff:fe91:2364%eth0.464
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 12: tcp 0.0.0.0.464
Jun 15 10:34:02 ibm-p8-kvm-04-guest-01.rhts.eng.bos.redhat.com kadmind[24752](info): listening on fd 11: tcp ::.464
kadmind: Address already in use - Cannot bind server socket on 0.0.0.0.754

^^^^^^^^^^^^^^^^^^^^^^^^^^^^ NOTE THIS
Comment 5 errata-xmlrpc 2016-05-11 01:01:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0945.html