Bug 656906 - sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
14
Unspecified Unspecified
low Severity low
: ---
: ---
Assigned To: Stephen Gallagher
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-24 09:15 EST by Daniel Piddock
Modified: 2011-02-07 14:53 EST (History)
5 users (show)

See Also:
Fixed In Version: sssd-1.5.1-2.1.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-07 14:53:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Piddock 2010-11-24 09:15:09 EST
Description of problem:
I was trying to get sssd krb5 working with service discovery. Watching network traffic I discovered sssd was doing a DNS query for SRV _KERBEROS._tcp.my.domain. I previously only had _udp entries so created the _tcp entries. Further dumps revealed that the krb5 backend then proceeds to talk UDP to the server anyway.

Version-Release number of selected component (if applicable):
sssd-1.4.1-1.fc14.i686

How reproducible:
Always

Steps to Reproduce:
1. Run wireshark
2. Login with sssd configured with krb5 backend and no krb5_kdcip set.

Actual results:
DNS SRV query for _KERBEROS._tcp.my.domain followed by talking UDP to the server. If the DNS record is not present the auth attempt fails with no server found.

Expected results:
Query for _KERBEROS._tcp and talk TCP, OR query for _KERBEROS._udp and talk UDP. Maybe using one as a fallback to the other.
Comment 1 Daniel Piddock 2010-11-24 09:31:42 EST
As an extension to this (should it be a new bug?) attempting to change password causes a DNS SRV query for _KPASSWD._tcp.my.domain. kpasswd (from Heimdal 1.2 we use) does not run over TCP. 

Specifying the server with krb5_kpasswd causes the communication to happen correctly over UDP.
Comment 2 Jakub Hrozek 2010-11-24 09:47:55 EST
I think that per RFC 4120, the proper way to configure the service records in
DNS is to configure both _tcp and _udp records. In section 7.2.3.2, it says "If
these SRV records are to be used, both "udp" and "tcp" records MUST be
specified for all KDC deployments."

But I agree that this behaviour is confusing. Perhaps we should search
for UDP first and for TCP as a fallback.
Comment 3 Sumit Bose 2010-11-24 11:57:46 EST
I agree, we should extended the resolver code to allow fallbacks to UDP/TCP is requested. I have opened https://fedorahosted.org/sssd/ticket/691 to track this upstream.
Comment 6 Fedora Update System 2011-01-27 15:37:50 EST
sssd-1.5.1-2.1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
Comment 7 Fedora Update System 2011-01-28 14:19:29 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update sssd'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
Comment 8 Fedora Update System 2011-02-07 14:53:44 EST
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.