Red Hat Bugzilla – Full Text Bug Listing
|Summary:||sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP|
|Product:||[Fedora] Fedora||Reporter:||Daniel Piddock <dgp-bz>|
|Component:||sssd||Assignee:||Stephen Gallagher <sgallagh>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||14||CC:||jhrozek, sbose, sgallagh, ssorce, strr-redhat|
|Fixed In Version:||sssd-1.5.1-2.1.fc14||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2011-02-07 14:53:54 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Daniel Piddock 2010-11-24 09:15:09 EST
Description of problem: I was trying to get sssd krb5 working with service discovery. Watching network traffic I discovered sssd was doing a DNS query for SRV _KERBEROS._tcp.my.domain. I previously only had _udp entries so created the _tcp entries. Further dumps revealed that the krb5 backend then proceeds to talk UDP to the server anyway. Version-Release number of selected component (if applicable): sssd-1.4.1-1.fc14.i686 How reproducible: Always Steps to Reproduce: 1. Run wireshark 2. Login with sssd configured with krb5 backend and no krb5_kdcip set. Actual results: DNS SRV query for _KERBEROS._tcp.my.domain followed by talking UDP to the server. If the DNS record is not present the auth attempt fails with no server found. Expected results: Query for _KERBEROS._tcp and talk TCP, OR query for _KERBEROS._udp and talk UDP. Maybe using one as a fallback to the other.
Comment 1 Daniel Piddock 2010-11-24 09:31:42 EST
As an extension to this (should it be a new bug?) attempting to change password causes a DNS SRV query for _KPASSWD._tcp.my.domain. kpasswd (from Heimdal 1.2 we use) does not run over TCP. Specifying the server with krb5_kpasswd causes the communication to happen correctly over UDP.
Comment 2 Jakub Hrozek 2010-11-24 09:47:55 EST
I think that per RFC 4120, the proper way to configure the service records in DNS is to configure both _tcp and _udp records. In section 220.127.116.11, it says "If these SRV records are to be used, both "udp" and "tcp" records MUST be specified for all KDC deployments." But I agree that this behaviour is confusing. Perhaps we should search for UDP first and for TCP as a fallback.
Comment 3 Sumit Bose 2010-11-24 11:57:46 EST
I agree, we should extended the resolver code to allow fallbacks to UDP/TCP is requested. I have opened https://fedorahosted.org/sssd/ticket/691 to track this upstream.
Comment 6 Fedora Update System 2011-01-27 15:37:50 EST
sssd-1.5.1-2.1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
Comment 7 Fedora Update System 2011-01-28 14:19:29 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update sssd'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
Comment 8 Fedora Update System 2011-02-07 14:53:44 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.