Weird cross-realm behaviour after upgrade to Heimdal 7.3

Andreas Haupt andreas.haupt at desy.de
Tue Jul 11 16:37:36 CEST 2017


Hi Jeffrey,

On Mon, 2017-07-10 at 08:32 -0400, Jeffrey Hutzelman wrote:
> This is a bug in the kdc, or possibly two bugs. First, the database lookup
> failed and no entry was returned, but the error code was not set and so
> remained zero, which com_err translates as "Success".
> 
> Second, the kdc is not sending any response at all. That causes the client
> to eventually time out and try another kdc. When it runs out of kdcs, it
> reports an error (unable to contact any kdc in realm).
> 
> You can confirm this by watching traffic between your client and kdc on
> port 88, using your favorite packet-capture tool.

Exactly! That's indeed the problem here! Just moved on to real test systems
now.

141.34.32.72 -> SL7 client (GSSAPI-enabled system's ssh)
141.34.22.251 -> Heimdal-7.3 server

The test client only knows about the test Heimdal-7.3 server 141.34.22.251.

---
[chap-vm1] ~ % ssh -vvv lxplus.cern.ch
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot contact any KDC for realm 'IFH.DE'
[...]
Password:
---

This is what is captured as traffic between client and KDC:

---
[chap-vm1] /root # tshark host test-kdc -t a
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
  1 16:06:43.529842068 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
  2 16:06:44.532691656 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
  3 16:06:45.533928362 141.34.32.72 -> 141.34.22.251 TCP 74 52164 > kerberos [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1035010913 TSecr=0 WS=128
  4 16:06:45.534376809 141.34.22.251 -> 141.34.32.72 TCP 74 kerberos > 52164 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1816942862 TSecr=1035010913 WS=128
  5 16:06:45.534427289 141.34.32.72 -> 141.34.22.251 TCP 66 52164 > kerberos [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1035010914 TSecr=1816942862
  6 16:06:45.534545716 141.34.32.72 -> 141.34.22.251 KRB5 1018 TGS-REQ
  7 16:06:45.534903298 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [ACK] Seq=1 Ack=953 Win=30976 Len=0 TSval=1816942863 TSecr=1035010914
  8 16:06:45.536931301 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [FIN, ACK] Seq=1 Ack=953 Win=30976 Len=0 TSval=1816942865 TSecr=1035010914
  9 16:06:45.537047128 141.34.32.72 -> 141.34.22.251 TCP 66 52164 > kerberos [FIN, ACK] Seq=953 Ack=2 Win=29312 Len=0 TSval=1035010916 TSecr=1816942865
 10 16:06:45.542447536 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [ACK] Seq=2 Ack=954 Win=30976 Len=0 TSval=1816942870 TSecr=1035010916
 11 16:06:48.536256407 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
 12 16:06:49.537370582 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
 13 16:06:54.542592820 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
 14 16:06:55.543675219 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
---

And the matching KDC logs:

---
Jul 11 16:06:43 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:43 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:43 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:44 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:44 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:44 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:45 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:45 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:45 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:48 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:48 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:48 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:49 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:49 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:49 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:54 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:54 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:54 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
Jul 11 16:06:55 chip-vm8 kdc[17992]: TGS-REQ ahaupt at IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch at IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:55 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:55 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH at IFH.DE: Success
---

Opened bug report: https://github.com/heimdal/heimdal/issues/299

Cheers,
Andreas
-- 
| Andreas Haupt            | E-Mail: andreas.haupt at desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
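As an added illustration (not part of the original mail or of Heimdal), the two symptoms Jeffrey describes can be checked mechanically from the output above: a KDC log line that reports a failed lookup yet ends in com_err's "Success", and KRB5 TGS-REQ frames sent to the KDC with no KRB5 frame coming back. The sample lines are constructed from the log and capture quoted in this thread, and the function names are mine.

```python
import re

# Constructed sample lines modelled on the KDC log and tshark output quoted in
# the thread (real kdc logs write '@', which the list archive renders as ' at ').
KDC_LOG = """\
Jul 11 16:06:43 chip-vm8 kdc[17992]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.32.72 for host/lxplus010.cern.ch@IFH.DE [canonicalize, renewable, forwardable]
Jul 11 16:06:43 chip-vm8 kdc[17992]: Searching referral for lxplus010.cern.ch
Jul 11 16:06:43 chip-vm8 kdc[17992]: Server not found in database: krbtgt/CERN.CH@IFH.DE: Success
Jul 11 16:06:50 chip-vm8 kdc[17992]: Server not found in database: host/nosuch.ifh.de@IFH.DE: No such entry in the database
"""

CAPTURE = """\
  1 16:06:43.529842068 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
  2 16:06:44.532691656 141.34.32.72 -> 141.34.22.251 UDP 990 Source port: 48551  Destination port: loadav
  6 16:06:45.534545716 141.34.32.72 -> 141.34.22.251 KRB5 1018 TGS-REQ
  8 16:06:45.536931301 141.34.22.251 -> 141.34.32.72 TCP 66 kerberos > 52164 [FIN, ACK] Seq=1 Ack=953 Win=30976 Len=0
 11 16:06:48.536256407 141.34.32.72 -> 141.34.22.251 KRB5 990 TGS-REQ
"""

KDC_MSG = re.compile(r"kdc\[\d+\]: (?P<msg>.*): (?P<code>[^:]+)$")
CAP_LINE = re.compile(r"^\s*\d+\s+(?P<ts>\S+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$")

def contradictory_errors(log):
    """Return 'Server not found' messages whose trailing com_err string is
    'Success', i.e. the lookup failed but the error code was left at zero."""
    hits = []
    for line in log.splitlines():
        m = KDC_MSG.search(line)
        if m and m.group("msg").startswith("Server not found") and m.group("code") == "Success":
            hits.append(m.group("msg"))
    return hits

def unanswered_tgs(capture, kdc):
    """Count KRB5 TGS-REQ frames sent to the KDC against KRB5 frames it sent
    back; a positive gap means the KDC stayed silent and the client will time out."""
    reqs = reps = 0
    for line in capture.splitlines():
        m = CAP_LINE.match(line)
        if not m or m.group("proto") != "KRB5":
            continue
        if m.group("dst") == kdc and "TGS-REQ" in m.group("info"):
            reqs += 1
        elif m.group("src") == kdc:
            reps += 1
    return {"requests": reqs, "responses": reps, "unanswered": reqs - reps}

if __name__ == "__main__":
    print(contradictory_errors(KDC_LOG))
    print(unanswered_tgs(CAPTURE, "141.34.22.251"))
```

Only frames tshark decoded as KRB5 are counted, so the undecoded UDP retransmits on the same port are ignored; the TCP FIN from the KDC without any KRB5 payload is exactly the "no response at all" case.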

