RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1256071 - IPv6 only host with a dual stack IPA server tries to use IPv4 on a kinit
Summary: IPv6 only host with a dual stack IPA server tries to use IPv4 on a kinit
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-23 20:26 UTC by matt
Modified: 2016-03-14 20:49 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-14 20:49:11 UTC
Target Upstream Version:
Embargoed:
matt: needinfo-

Attachments (Terms of Use)

Description matt 2015-08-23 20:26:52 UTC 
Description of problem:

IPA server is configured with IPv4 and IPv6 addresses and those address in DNS.
kinit admin on a client with only IPv6 addresses tries to use the IPv4 address and fails. 


Version-Release number of selected component (if applicable):
7.1

How reproducible:

Everytime

Steps to Reproduce:
1. Install IPA on a machine with IPv4 and IPv6 addresses
2. Install client on a machine with only IPv6 addresses
3. Run kinit admin.
4. Get error: kinit: Cannot contact any KDC for realm 'MY.REALM' while getting initial credentials

Actual results:
KRB5_TRACE=/dev/stdout kinit admin
[11314] 1440361393.657162: Getting initial credentials for admin
[11314] 1440361393.657457: Sending request (175 bytes) to MY.REALM
[11314] 1440361393.658737: Initiating TCP connection to stream 192.168.1.2:88
kinit: Cannot contact any KDC for realm 'MY.REALM' while getting initial credentials

Expected results:
kinit uses the hosts IPv6 address to connect when IPv4 addresses aren't used.

Additional info:
Comment 2 matt 2015-08-24 05:16:07 UTC 
A reboot of the servers in question caused this to start working as expected. I'll monitor for a while and see if the issue comes back.
Comment 3 Petr Vobornik 2015-08-24 08:36:34 UTC 
I'll closed this bug, given that it works as expected. If it comes back please check your network setup and if IPA server is listening on the expected ports, i.e. if KDC is running.  Please reopen the bug if all is in order and kinit still doesn't work.
Comment 4 matt 2015-08-24 12:20:20 UTC 
I've had the issue come back. To check just IPv6, I removed the IPv4 address from the IPA master's DNS entry. It all worked fine. After adding the IPv4 address back in it worked ok for a while then it stopped working after a few hours and tries to use the IPv4 address on the IPv6 only machine.

To work around the issue I'll use IPv6 only for now (and feel like I'm living in the future :) ).

Let me know if there is any other output needed.
Comment 6 Sumit Bose 2015-09-01 08:01:53 UTC 
I wonder if this only happens with kinit? What about calling ssh on the IPv6 client to log in to a host which has IPv4 and IPv6 entries in DNS as well?

I think the resolve is a more suitable level to solve this. Does it help to add 'options inet6' to /etc/resolve.conf?
Comment 7 matt 2015-09-28 11:31:49 UTC 
I did try options inet6 to no affect. 

I don't have the system to check SSH at the moment but will revisit in the future and try that then. I do recall that it only seemed to be a problem with kinit. Other tools I was using (e.g. yum) worked fine.
Comment 8 Robbie Harwood 2015-10-21 20:09:56 UTC 
(Please remove needinfo when you have the SSH information.  Thanks!)
Comment 10 Robbie Harwood 2016-01-06 14:01:34 UTC 
(I assume flags were poked by accident since nothing else about the bug has changed.)
Comment 11 matt 2016-01-06 14:55:51 UTC 
Flags were poked because I get an email pestering me for an update when I have no update to give. I don't mind reminders, just no quite so frequently!
Comment 12 matt 2016-03-14 20:03:09 UTC 
It's unlikely I'll get back to this, and so won't be able to provide further information.
Note You need to log in before you can comment on or make changes to this bug.