Bug 656906

Summary: sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
Product: [Fedora] Fedora Reporter: Daniel Piddock <dgp-bz>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 14CC: jhrozek, sbose, sgallagh, ssorce, strr-redhat
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: sssd-1.5.1-2.1.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-07 14:53:54 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Daniel Piddock 2010-11-24 09:15:09 EST
Description of problem:
I was trying to get sssd krb5 working with service discovery. Watching network traffic I discovered sssd was doing a DNS query for SRV _KERBEROS._tcp.my.domain. I previously only had _udp entries so created the _tcp entries. Further dumps revealed that the krb5 backend then proceeds to talk UDP to the server anyway.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run wireshark
2. Login with sssd configured with krb5 backend and no krb5_kdcip set.

Actual results:
DNS SRV query for _KERBEROS._tcp.my.domain followed by talking UDP to the server. If the DNS record is not present the auth attempt fails with no server found.

Expected results:
Query for _KERBEROS._tcp and talk TCP, OR query for _KERBEROS._udp and talk UDP. Maybe using one as a fallback to the other.
Comment 1 Daniel Piddock 2010-11-24 09:31:42 EST
As an extension to this (should it be a new bug?) attempting to change password causes a DNS SRV query for _KPASSWD._tcp.my.domain. kpasswd (from Heimdal 1.2 we use) does not run over TCP. 

Specifying the server with krb5_kpasswd causes the communication to happen correctly over UDP.
Comment 2 Jakub Hrozek 2010-11-24 09:47:55 EST
I think that per RFC 4120, the proper way to configure the service records in
DNS is to configure both _tcp and _udp records. In section, it says "If
these SRV records are to be used, both "udp" and "tcp" records MUST be
specified for all KDC deployments."

But I agree that this behaviour is confusing. Perhaps we should search
for UDP first and for TCP as a fallback.
Comment 3 Sumit Bose 2010-11-24 11:57:46 EST
I agree, we should extended the resolver code to allow fallbacks to UDP/TCP is requested. I have opened https://fedorahosted.org/sssd/ticket/691 to track this upstream.
Comment 6 Fedora Update System 2011-01-27 15:37:50 EST
sssd-1.5.1-2.1.fc14 has been submitted as an update for Fedora 14.
Comment 7 Fedora Update System 2011-01-28 14:19:29 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
Comment 8 Fedora Update System 2011-02-07 14:53:44 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.