Bug 656906 - sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
Summary: sssd krb5 backend does a DNS SRV query for _KERBEROS._tcp then talks UDP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-11-24 14:15 UTC by Daniel Piddock
Modified: 2020-05-02 16:17 UTC (History)
5 users

Fixed In Version: sssd-1.5.1-2.1.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-07 19:53:54 UTC
Type: ---
Embargoed:




Links
System: Github
ID: SSSD sssd issues 1733
Private: 0
Priority: None
Status: closed
Summary: Allow _udp and _tcp DNS SRV lookups
Last Updated: 2020-05-02 16:17:16 UTC

Description Daniel Piddock 2010-11-24 14:15:09 UTC
Description of problem:
I was trying to get sssd krb5 working with service discovery. Watching network traffic I discovered sssd was doing a DNS query for SRV _KERBEROS._tcp.my.domain. I previously only had _udp entries so created the _tcp entries. Further dumps revealed that the krb5 backend then proceeds to talk UDP to the server anyway.

Version-Release number of selected component (if applicable):
sssd-1.4.1-1.fc14.i686

How reproducible:
Always

Steps to Reproduce:
1. Run wireshark
2. Login with sssd configured with krb5 backend and no krb5_kdcip set.

Actual results:
DNS SRV query for _KERBEROS._tcp.my.domain followed by talking UDP to the server. If the DNS record is not present the auth attempt fails with no server found.

Expected results:
Query for _KERBEROS._tcp and talk TCP, OR query for _KERBEROS._udp and talk UDP. Maybe using one as a fallback to the other.

Comment 1 Daniel Piddock 2010-11-24 14:31:42 UTC
As an extension to this (should it be a new bug?) attempting to change password causes a DNS SRV query for _KPASSWD._tcp.my.domain. kpasswd (from Heimdal 1.2 we use) does not run over TCP. 

Specifying the server with krb5_kpasswd causes the communication to happen correctly over UDP.

Comment 2 Jakub Hrozek 2010-11-24 14:47:55 UTC
I think that per RFC 4120, the proper way to configure the service records in
DNS is to configure both _tcp and _udp records. In section 7.2.3.2, it says "If
these SRV records are to be used, both "udp" and "tcp" records MUST be
specified for all KDC deployments."

But I agree that this behaviour is confusing. Perhaps we should search
for UDP first and for TCP as a fallback.

Comment 3 Sumit Bose 2010-11-24 16:57:46 UTC
I agree, we should extend the resolver code to allow fallbacks to UDP/TCP as requested. I have opened https://fedorahosted.org/sssd/ticket/691 to track this upstream.
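
The lookup behaviour the comments above converge on (query the preferred transport's SRV name, fall back to the other one, and then use the transport the record was actually found for), together with the RFC 4120 section 7.2.3.2 requirement that both _udp and _tcp records be published, as an added Python example. This is not sssd's resolver code; it resolves against a constructed in-memory zone (SAMPLE_ZONE, with my.domain mirroring the reporter's udp-only setup) so it runs offline, and orders records the way RFC 2782 describes. The names lookup_srv, order_srv, discover, audit_srv and FirstDraw are this example's own.

```python
"""Kerberos KDC discovery over DNS SRV with transport fallback.

Added example, not sssd's code. lookup_srv() reads a constructed in-memory
zone instead of live DNS; replace it with a real resolver to use it for real.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample zone. my.domain publishes only _udp records, as in the
# bug report; compliant.example publishes both transports as RFC 4120 requires.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_kerberos._udp.my.domain": [
        SrvRecord(priority=0, weight=100, port=88, target="kdc1.my.domain"),
        SrvRecord(priority=0, weight=50, port=88, target="kdc2.my.domain"),
        SrvRecord(priority=10, weight=0, port=88, target="kdc-backup.my.domain"),
    ],
    "_kpasswd._udp.my.domain": [
        SrvRecord(priority=0, weight=0, port=464, target="kdc1.my.domain"),
    ],
    "_kerberos._udp.compliant.example": [
        SrvRecord(priority=0, weight=0, port=88, target="kdc.compliant.example"),
    ],
    "_kerberos._tcp.compliant.example": [
        SrvRecord(priority=0, weight=0, port=88, target="kdc.compliant.example"),
    ],
}


def lookup_srv(zone: Dict[str, List[SrvRecord]], name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query; DNS names are case-insensitive."""
    return list(zone.get(name.lower(), []))


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order records per RFC 2782: lowest priority first, then a weighted
    random draw within each priority level."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # RFC 2782: weight 0 entries first
        while group:
            draw = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= draw:  # first record whose running sum reaches the draw
                    ordered.append(group.pop(idx))
                    break
    return ordered


def discover(zone: Dict[str, List[SrvRecord]], service: str, domain: str,
             prefer: str = "udp", fallback: bool = True,
             rng: Optional[random.Random] = None
             ) -> Optional[Tuple[str, List[Tuple[str, int]]]]:
    """Return (transport, [(host, port), ...]) for _<service> in <domain>.

    The preferred transport's SRV name is queried first; if it has no records
    and fallback is on, the other transport is tried. The transport returned is
    always the one whose records were found, so the client never queries _tcp
    and then talks UDP. None means neither name is published.
    """
    if prefer not in ("udp", "tcp"):
        raise ValueError("prefer must be 'udp' or 'tcp'")
    if rng is None:
        rng = random.Random()
    other = "tcp" if prefer == "udp" else "udp"
    for transport in [prefer] + ([other] if fallback else []):
        records = lookup_srv(zone, f"_{service}._{transport}.{domain}")
        if records:
            return transport, [(r.target, r.port) for r in order_srv(records, rng)]
    return None


def audit_srv(zone: Dict[str, List[SrvRecord]], service: str, domain: str) -> List[str]:
    """RFC 4120 7.2.3.2 check: if SRV records are used, both _udp and _tcp
    must exist. Returns findings; an empty list means the zone is compliant."""
    present = {t for t in ("udp", "tcp") if lookup_srv(zone, f"_{service}._{t}.{domain}")}
    if not present:
        return [f"no SRV records for _{service} in {domain}; static configuration required"]
    return [f"_{service}._{t}.{domain} missing; clients that only query _{t} will fail"
            for t in sorted({"udp", "tcp"} - present)]


class FirstDraw(random.Random):
    """Deterministic RNG for the demo: always draws the minimum, so the first
    candidate in RFC 2782 order is picked."""
    def randint(self, a: int, b: int) -> int:
        return a


if __name__ == "__main__":
    for domain in ("my.domain", "compliant.example"):
        print(domain, discover(SAMPLE_ZONE, "kerberos", domain, prefer="tcp", rng=FirstDraw()))
        for finding in audit_srv(SAMPLE_ZONE, "kerberos", domain):
            print("  finding:", finding)
```

With prefer="tcp" and fallback on, my.domain resolves to its _udp KDCs and the caller is told to use UDP; with fallback off the same query returns None, which is the "no server found" the reporter saw. audit_srv flags the missing _tcp name, which is the check to run on a zone before relying on SRV discovery.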

Comment 6 Fedora Update System 2011-01-27 20:37:50 UTC
sssd-1.5.1-2.1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14

Comment 7 Fedora Update System 2011-01-28 19:19:29 UTC
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update sssd'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/sssd-1.5.1-2.1.fc14

Comment 8 Fedora Update System 2011-02-07 19:53:44 UTC
sssd-1.5.1-2.1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

