Red Hat Bugzilla – Bug 656906
sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
Last modified: 2011-02-07 14:53:54 EST
Description of problem:
I was trying to get sssd krb5 working with service discovery. Watching network traffic I discovered sssd was doing a DNS query for SRV _KERBEROS._tcp.my.domain. I previously only had _udp entries so created the _tcp entries. Further dumps revealed that the krb5 backend then proceeds to talk UDP to the server anyway.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run wireshark
2. Login with sssd configured with krb5 backend and no krb5_kdcip set.
DNS SRV query for _KERBEROS._tcp.my.domain followed by talking UDP to the server. If the DNS record is not present the auth attempt fails with no server found.
Query for _KERBEROS._tcp and talk TCP, OR query for _KERBEROS._udp and talk UDP. Maybe using one as a fallback to the other.
As an extension to this (should it be a new bug?) attempting to change password causes a DNS SRV query for _KPASSWD._tcp.my.domain. kpasswd (from Heimdal 1.2 we use) does not run over TCP.
Specifying the server with krb5_kpasswd causes the communication to happen correctly over UDP.
I think that per RFC 4120, the proper way to configure the service records in
DNS is to configure both _tcp and _udp records. In section 184.108.40.206, it says "If
these SRV records are to be used, both "udp" and "tcp" records MUST be
specified for all KDC deployments."
But I agree that this behaviour is confusing. Perhaps we should search
for UDP first and for TCP as a fallback.
I agree, we should extended the resolver code to allow fallbacks to UDP/TCP is requested. I have opened https://fedorahosted.org/sssd/ticket/691 to track this upstream.
sssd-1.5.1-2.1.fc14 has been submitted as an update for Fedora 14.
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sssd'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.