Re: kdc listening on too many interfaces
Quoting "Ken Raeburn":

> On Jun 7, 2009, at 07:48, Steve Devine wrote:
>> Everything works fine and in theory I see no harm but still it seems wrong.
>> It seems like I ought to be able to disable listening on the backnet
>> interface.
>> Is this so or no?
>
> At present there is no way to control which IP addresses the KDC
> process listens on. (The message from Bjørn Tore Sun outlines how
> to select the port numbers and whether the KDC listens for TCP
> connections, but not a change in IP addresses.) It's assumed for
> now that all IP addresses may be advertised in DNS as belonging to
> the KDC (yes, we know it's not necessarily true), so we should
> listen just in case. The ability to listen on just some addresses
> has been requested, but so far hasn't made it far up the priority
> list, since it's generally harmless as you say, unless there's some
> reason you need the KDC to *not* listen on certain IP addresses.
>
> --
> Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium

OK thanks Ken.
Good to know I'm not missing something, many attempts at this in kdc.conf were getting me nowhere.

/sd

Steve Devine
Email & Storage
Academic Technology Services
Michigan State University

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kdc listening on too many interfaces
On Jun 7, 2009, at 07:48, Steve Devine wrote:

> Everything works fine and in theory I see no harm but still it seems
> wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?

At present there is no way to control which IP addresses the KDC process listens on. (The message from Bjørn Tore Sun outlines how to select the port numbers and whether the KDC listens for TCP connections, but not a change in IP addresses.) It's assumed for now that all IP addresses may be advertised in DNS as belonging to the KDC (yes, we know it's not necessarily true), so we should listen just in case. The ability to listen on just some addresses has been requested, but so far hasn't made it far up the priority list, since it's generally harmless as you say, unless there's some reason you need the KDC to *not* listen on certain IP addresses.

--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
Re: kdc listening on too many interfaces
Steve Devine wrote:

> Running Kerberos 5 release 1.6.3 on a new server - we have a backnet
> interface for Backups. When I start the kdc I see this in the logs:
>
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): setting up network...
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized
> local address family 17
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized
> local address family 17
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 8: udp
> MainIPAddress.88
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 9: udp
> MainIPAddress.750
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 10: udp
> BackNetIPAddress.88
> Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 11: udp
> BackNetIPAddress.750
>
> Everything works fine and in theory I see no harm but still it seems wrong.
> It seems like I ought to be able to disable listening on the backnet
> interface.
> Is this so or no?
> Lots of Googling has so far revealed nothing.

You need the man page. But briefly, in the [kdcdefaults] section of kdc.conf, set kdc_ports to the port number(s) you want to listen to. Note that in order to enable listening to tcp connections, you need to specifically set kdc_tcp_ports to 88.

-BT

--
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.s...@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
kdc listening on too many interfaces
Running Kerberos 5 release 1.6.3 on a new server - we have a backnet interface for Backups. When I start the kdc I see this in the logs:

Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): setting up network...
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized local address family 17
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized local address family 17
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 8: udp MainIPAddress.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 9: udp MainIPAddress.750
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 10: udp BackNetIPAddress.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 11: udp BackNetIPAddress.750

Everything works fine and in theory I see no harm but still it seems wrong.
It seems like I ought to be able to disable listening on the backnet interface.
Is this so or no?
Lots of Googling has so far revealed nothing.

/sd

Steve Devine
Email & Storage
Academic Technology Services
Michigan State University
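
An added example, not part of any post in this thread and not MIT Kerberos code: a small Python audit that reads krb5kdc startup lines in the format quoted in the original post and reports listeners bound to addresses outside an expected set. The function names are hypothetical, and 192.0.2.10 and 10.20.0.10 are constructed stand-ins for MainIPAddress and BackNetIPAddress.

```python
import re
from collections import defaultdict

# Startup line format as quoted in the thread, e.g.
#   krb5kdc[5761](info): listening on fd 8: udp MainIPAddress.88
# The protocol word is captured as logged rather than assumed.
LISTEN_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): listening on fd \d+: "
    r"(?P<proto>\w+) (?P<endpoint>\S+)\s*$"
)

def parse_listeners(log_text):
    """Return (proto, address, port) for every listener the KDC logged."""
    listeners = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if not m:
            continue  # "setting up network...", "skipping unrecognized ..."
        # Address and port are joined by a dot; the port follows the last dot.
        address, _, port = m.group("endpoint").rpartition(".")
        if address and port.isdigit():
            listeners.append((m.group("proto"), address, int(port)))
    return listeners

def unexpected_listeners(log_text, allowed_addresses):
    """Map each address outside the allowlist to its (proto, port) listeners."""
    extra = defaultdict(list)
    for proto, address, port in parse_listeners(log_text):
        if address not in allowed_addresses:
            extra[address].append((proto, port))
    return dict(extra)

# Constructed sample in the format of the log above (addresses are made up).
SAMPLE_LOG = """\
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): setting up network...
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): skipping unrecognized local address family 17
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 8: udp 192.0.2.10.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 9: udp 192.0.2.10.750
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 10: udp 10.20.0.10.88
Jun 07 00:21:59 afsdb0 krb5kdc[5761](info): listening on fd 11: udp 10.20.0.10.750
"""

if __name__ == "__main__":
    # Only the main address is expected to serve Kerberos traffic.
    for addr, eps in unexpected_listeners(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(f"unexpected KDC listener on {addr}: {eps}")
```
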