Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup
On Sat, 5 Sep 2015, Kevin Otte wrote:

> krb5kdc fails to bind to the IPv6 addresses on the system at startup.
> Workaround is a manual service restart on every boot.

It seems that this is fallout from systemd's ideas about starting up the network, since the KDC just loops over the available interfaces once at startup, as befits a service intended to be deployed on a dedicated server in a controlled network.

It looks like the krb5-kdc unit implicitly depends on network.target, but not network-online.target. The documentation for network-online.target is unclear about whether it will wait for the v6 addresses to be up or just continue once there's a single routable address, v4 or v6, but it's probably worth trying. I think the easiest way to do so would be to add a file /etc/systemd/system/krb5-kdc.d/networkd-online.conf with the contents:

[Unit]
After=network-online.target

If that helps, we should probably add the network-online.target dependency to the distributed krb5-kdc.service.

Thanks,

Ben Kaduk
Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup
This ought to work, but there might be something going wrong with routing socket updates.

Because krb5kdc implements a UDP service, it needs to either use IPv4/IPv6 pktinfo support, or bind to specific interfaces instead of the wildcard address, in order to send replies from the same address as it received requests to.

Because Linux distributions require _GNU_SOURCE to be defined for IPv6 pktinfo support (unlike every non-Linux platform), and we don't define _GNU_SOURCE as part of our build before krb5 1.13 because it changes the behavior of strerror_r() to be non-POSIX, krb5 1.12.x doesn't use IPv6 pktinfo; instead it iterates over the configured interfaces and binds to them specifically (omitting the loopback interface, for dumb reasons).

We also bind to the routing socket, which is supposed to notify us when network interfaces change. We bind to the routing socket before iterating over the local addresses, so I don't see any potential for a race condition there.

So either something is going wrong with our code to do that, or (less likely but not inconceivably) the kernel isn't doing its job.
Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup
Package: krb5-kdc
Version: 1.12.1+dfsg-19
Severity: important
Tags: ipv6

krb5kdc fails to bind to the IPv6 addresses on the system at startup.
Workaround is a manual service restart on every boot.

root@mercury:~# uptime
 14:08:38 up 0 min, 1 user, load average: 0.69, 0.19, 0.06
root@mercury:~# lsof -i | grep krb5
krb5kdc 437 root  8u IPv4 11366 0t0 UDP *:kerberos
krb5kdc 437 root  9u IPv4 11367 0t0 UDP *:kerberos4
root@mercury:~# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:0c:02:93 brd ff:ff:ff:ff:ff:ff
    inet6 2606:a000:a461:4500:5054:ff:fe0c:293/64 scope global mngtmpaddr dynamic
       valid_lft 86354sec preferred_lft 14354sec
    inet6 fe80::5054:ff:fe0c:293/64 scope link
       valid_lft forever preferred_lft forever
root@mercury:~# service krb5-kdc restart
root@mercury:~# lsof -i | grep krb5
krb5kdc 563 root  8u IPv4 12519 0t0 UDP *:kerberos
krb5kdc 563 root  9u IPv4 12520 0t0 UDP *:kerberos4
krb5kdc 563 root 10u IPv6 12523 0t0 UDP [2606:a000:a461:4500:5054:ff:fe0c:293]:kerberos
krb5kdc 563 root 11u IPv6 12524 0t0 UDP [2606:a000:a461:4500:5054:ff:fe0c:293]:kerberos4
krb5kdc 563 root 12u IPv6 12527 0t0 UDP [fe80::5054:ff:fe0c:293]:kerberos
krb5kdc 563 root 13u IPv6 12529 0t0 UDP [fe80::5054:ff:fe0c:293]:kerberos4

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages krb5-kdc depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  krb5-config            2.3
ii  krb5-user              1.12.1+dfsg-19
ii  libc6                  2.19-18+deb8u1
ii  libcomerr2             1.42.12-1.1
ii  libgssapi-krb5-2       1.12.1+dfsg-19
ii  libgssrpc4             1.12.1+dfsg-19
ii  libk5crypto3           1.12.1+dfsg-19
ii  libkadm5clnt-mit9      1.12.1+dfsg-19
ii  libkadm5srv-mit9       1.12.1+dfsg-19
ii  libkdb5-7              1.12.1+dfsg-19
ii  libkeyutils1           1.5.9-5+b1
ii  libkrb5-3              1.12.1+dfsg-19
ii  libkrb5support0        1.12.1+dfsg-19
ii  libverto-libev1        0.2.4-2
ii  libverto1              0.2.4-2
ii  lsb-base               4.1+Debian13+nmu1

krb5-kdc recommends no packages.

Versions of packages krb5-kdc suggests:
ii  krb5-admin-server  1.12.1+dfsg-19
pn  krb5-kdc-ldap
pn  openbsd-inetd | inet-superserver

-- debconf information:
  krb5-kdc/purge_data_too: false
  krb5-kdc/debconf: true