Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup

2015-09-06 Thread Benjamin Kaduk
On Sat, 5 Sep 2015, Kevin Otte wrote:

> krb5kdc fails to bind to the IPv6 addresses on the system at startup.
> Workaround is a manual service restart on every boot.

It seems that this is fallout from systemd's ideas about starting up the
network, since the KDC just loops over the available interfaces once at
startup, as befits a service intended to be deployed on a dedicated server
in a controlled network.

It looks like the krb5-kdc unit implicitly depends on network.target, but
not network-online.target.  The documentation for network-online.target is
unclear about whether it will wait for the v6 addresses to be up or just
continue once there's a single routable address, v4 or v6, but it's
probably worth trying.

I think the easiest way to do so would be to add a file
/etc/systemd/system/krb5-kdc.d/networkd-online.conf

with the contents:
[Unit]
After=network-online.target

If that helps, we should probably add the network-online.target dependency
to the distributed krb5-kdc.service.

Thanks,

Ben Kaduk



Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup

2015-09-06 Thread Greg Hudson
This ought to work, but there might be something going wrong with
routing socket updates.

Because krb5kdc implements a UDP service, it needs to either use
IPv4/IPv6 pktinfo support, or bind to specific interfaces instead of the
wildcard address, in order to send replies from the same address as it
received requests to.  Because Linux distributions require _GNU_SOURCE
to be defined for IPv6 pktinfo support (unlike every non-Linux
platform), and we don't define _GNU_SOURCE as part of our build before
krb5 1.13 because it changes the behavior of strerror_r() to be
non-POSIX, krb5 1.12.x doesn't use IPv6 pktinfo; instead it iterates
over the configured interfaces and binds to them specifically (omitting
the loopback interface, for dumb reasons).

We also bind to the routing socket, which is supposed to notify us when
network interfaces change.  We bind to the routing socket before
iterating over the local addresses, so I don't see any potential for a
race condition there.  So either something is going wrong with our code
to do that, or (less likely but not inconceivably) the kernel isn't
doing its job.
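The pktinfo approach described in this message, as an added example that is not part of the original thread and is not krb5's own code: a wildcard-bound IPv6 UDP socket reads each datagram's destination address from the IPV6_PKTINFO ancillary data and attaches it to the reply. The helper names and port 8888 are assumptions made for the illustration.

```c
#define _GNU_SOURCE 1  /* glibc declares struct in6_pktinfo only under this macro */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef __USE_GNU      /* feature set already fixed by an earlier include: same layout */
struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; };
#endif

/* Copy out the IPV6_PKTINFO item: the local address the datagram was sent to. */
int get_pktinfo(struct msghdr *msg, struct in6_pktinfo *out) {
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    while (c && !(c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_PKTINFO))
        c = CMSG_NXTHDR(msg, c);
    if (c)
        memcpy(out, CMSG_DATA(c), sizeof(*out));
    return c != NULL;
}

/* Attach IPV6_PKTINFO to an outgoing message so it is sent from pi->ipi6_addr. */
void put_pktinfo(struct msghdr *msg, void *cbuf, const struct in6_pktinfo *pi) {
    memset(cbuf, 0, CMSG_SPACE(sizeof(*pi)));
    msg->msg_control = cbuf;
    msg->msg_controllen = CMSG_SPACE(sizeof(*pi));
    struct cmsghdr *c = CMSG_FIRSTHDR(msg);
    c->cmsg_level = IPPROTO_IPV6;
    c->cmsg_type = IPV6_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(*pi));
    memcpy(CMSG_DATA(c), pi, sizeof(*pi));
}

/* Wildcard-bound UDP echo on constructed port 8888: reply from the arrival address. */
int main(void) {
    char data[1500];
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))]; } ctl;
    struct sockaddr_in6 peer, any = { .sin6_family = AF_INET6, .sin6_port = htons(8888) };
    struct in6_pktinfo pi;
    struct iovec iov = { data, sizeof(data) };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof(peer), .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
    int on = 1, fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0 || setsockopt(fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &on, sizeof(on)) < 0 ||
        bind(fd, (struct sockaddr *)&any, sizeof(any)) < 0)
        return 1;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0 || !get_pktinfo(&msg, &pi))
        return 1;
    iov.iov_len = (size_t)n;
    put_pktinfo(&msg, ctl.buf, &pi);
    return sendmsg(fd, &msg, 0) == n ? 0 : 1;
}
```

`_GNU_SOURCE` has to be defined before the first system header is included; the `#ifndef __USE_GNU` fallback only takes effect when this code is pasted below other includes.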



Bug#798110: krb5-kdc: krb5kdc does not bind to IPv6 address on startup

2015-09-05 Thread Kevin Otte
Package: krb5-kdc
Version: 1.12.1+dfsg-19
Severity: important
Tags: ipv6

krb5kdc fails to bind to the IPv6 addresses on the system at startup.
Workaround is a manual service restart on every boot.

root@mercury:~# uptime
 14:08:38 up 0 min,  1 user,  load average: 0.69, 0.19, 0.06
root@mercury:~# lsof -i | grep krb5
krb5kdc   437  root    8u  IPv4  11366  0t0  UDP *:kerberos
krb5kdc   437  root    9u  IPv4  11367  0t0  UDP *:kerberos4
root@mercury:~# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:0c:02:93 brd ff:ff:ff:ff:ff:ff
    inet6 2606:a000:a461:4500:5054:ff:fe0c:293/64 scope global mngtmpaddr dynamic
       valid_lft 86354sec preferred_lft 14354sec
    inet6 fe80::5054:ff:fe0c:293/64 scope link
       valid_lft forever preferred_lft forever
root@mercury:~# service krb5-kdc restart
root@mercury:~# lsof -i | grep krb5
krb5kdc   563  root    8u  IPv4  12519  0t0  UDP *:kerberos
krb5kdc   563  root    9u  IPv4  12520  0t0  UDP *:kerberos4
krb5kdc   563  root   10u  IPv6  12523  0t0  UDP [2606:a000:a461:4500:5054:ff:fe0c:293]:kerberos
krb5kdc   563  root   11u  IPv6  12524  0t0  UDP [2606:a000:a461:4500:5054:ff:fe0c:293]:kerberos4
krb5kdc   563  root   12u  IPv6  12527  0t0  UDP [fe80::5054:ff:fe0c:293]:kerberos
krb5kdc   563  root   13u  IPv6  12529  0t0  UDP [fe80::5054:ff:fe0c:293]:kerberos4


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages krb5-kdc depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  krb5-config            2.3
ii  krb5-user              1.12.1+dfsg-19
ii  libc6                  2.19-18+deb8u1
ii  libcomerr2             1.42.12-1.1
ii  libgssapi-krb5-2       1.12.1+dfsg-19
ii  libgssrpc4             1.12.1+dfsg-19
ii  libk5crypto3           1.12.1+dfsg-19
ii  libkadm5clnt-mit9      1.12.1+dfsg-19
ii  libkadm5srv-mit9       1.12.1+dfsg-19
ii  libkdb5-7              1.12.1+dfsg-19
ii  libkeyutils1           1.5.9-5+b1
ii  libkrb5-3              1.12.1+dfsg-19
ii  libkrb5support0        1.12.1+dfsg-19
ii  libverto-libev1        0.2.4-2
ii  libverto1              0.2.4-2
ii  lsb-base               4.1+Debian13+nmu1

krb5-kdc recommends no packages.

Versions of packages krb5-kdc suggests:
ii  krb5-admin-server 1.12.1+dfsg-19
pn  krb5-kdc-ldap 
pn  openbsd-inetd | inet-superserver  

-- debconf information:
  krb5-kdc/purge_data_too: false
  krb5-kdc/debconf: true