Bug 44095 - MIT-krb5 1.3.1 or 1.3.2 binds no ports and says skipping local address family
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo Kerberos Maintainers
Reported: 2004-03-08 18:43 UTC by James Hogarth
Modified: 2005-06-06 14:03 UTC (History)
Description James Hogarth 2004-03-08 18:43:54 UTC
I have tried both 1.3.1 and 1.3.2 (via a custom ebuild since one is not formally available yet) and the behaviour occurs on both - although it was worse on 1.3.1.

When the daemon is started via /etc/init.d/<script> it responds with OK and the process at least appears to run when ps -A is viewed. However, any attempts at contacting the kerberos server fail. I tried an nmap scan to see if the ports had been opened at all and under 1.3.1 no kerberos ports appear to be open at all. Under 1.3.2 the kadmin port is there but the actual kerberos authentication ports (88 and 750 I think... set to defaults at any rate) are not.

tail /var/log/krb5kdc.log shows:

Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): skipping unrecognized local address family 17
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): skipping unrecognized local address family 17
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 7: udp 192.168.10.2.750
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 7: udp 192.168.10.2.750
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 8: udp 192.168.10.2.88
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 8: udp 192.168.10.2.88
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): set up 2 sockets
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): set up 2 sockets
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[304](info): commencing operation
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[304](info): commencing operation

My /etc/krb5.conf is:

[libdefaults]
        ticket_lifetime = 600
        default_realm = HOGARTHUK.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        HOGARTHUK.COM = {
        kdc = central.hogarthuk.com:88
        admin_server = central.hogarthuk.com:749
        }

[domain_realm]
        .hogarthuk.com = HOGARTHUK.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

and my /etc/krb5kdc/kdc.conf file is:

[kdcdefaults]
        kdc_ports = 88,750

[realms]
        HOGARTHUK.COM = {
        database_name = /etc/krb5kdc/principal
        admin_keytab = /etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        dict_file = /etc/krb5kdc/kadm5.dict
        key_stash_file = /etc/krb5kdc/.k5.hogarthuk.com
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
        }

If I use kadmin.local I can read/write to the database fine. Other services set up (such as sshd and named) work fine and their ports show up correctly.

Reproducible: Always
Steps to Reproduce:
1. emerge a mit-krb5 package
2. create a configuration
3. start kerberos scripts

Actual Results:  
No ports for kerberos authentication appear to bind. Nmap shows no ports running
even though ps -A shows the processes there. 

Expected Results:  
Bound the correct ports to eth0 so that other machines (including itself) could
contact the kerberos processes on that port.

root@central krb5kdc # emerge info
Portage 2.0.50-r1 (hardened-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.3-gentoo-r1)
=================================================================
System uname: 2.6.3-gentoo-r1 i686 AMD Duron(tm) processor
Gentoo Base System version 1.4.3.13
distcc 2.12.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon -O3 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distcc sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow acl acpi apache2 apm berkdb crypt cups curl dga directfb fam fastcgi
foomaticdb gdbm imap kerberos ldap maildir mmx mysql ncurses odbc pam perl pic
ppds python readline ruby samba sasl slp snmp socks5 sse ssl tcpd x86 xml xml2 zlib"
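
Added example, not part of the original bug report: a Python check that parses krb5kdc startup lines in the format quoted above and compares the listeners they announce with kdc_ports from kdc.conf. The function names and the trimmed sample inputs are constructed for illustration.

```python
import re

# Constructed sample: startup lines in the format quoted in the report above.
SAMPLE_LOG = """\
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): skipping unrecognized local address family 17
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 7: udp 192.168.10.2.750
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): listening on fd 8: udp 192.168.10.2.88
Mar 09 02:16:36 central.hogarthuk.com krb5kdc[303](info): set up 2 sockets
"""
SAMPLE_KDC_CONF = "[kdcdefaults]\n        kdc_ports = 88,750\n"

LISTEN_RE = re.compile(r"listening on fd \d+: (\w+) (\S+)\.(\d+)\s*$")
# On Linux, address family 17 is AF_PACKET (link layer), not an IP family.
SKIP_RE = re.compile(r"skipping unrecognized local address family (\d+)")
SETUP_RE = re.compile(r"set up (\d+) sockets")

def configured_ports(kdc_conf):
    """Return the kdc_ports list from kdc.conf text, or [] if it is not set."""
    m = re.search(r"^\s*kdc_ports\s*=\s*(.+)$", kdc_conf, re.M)
    if not m:
        return []
    return sorted({int(p) for p in re.split(r"[,\s]+", m.group(1).strip()) if p})

def parse_kdc_log(log):
    """Collect unique (proto, addr, port) listeners; repeated lines collapse."""
    listeners, skipped, declared = set(), set(), None
    for line in log.splitlines():
        if m := LISTEN_RE.search(line):
            listeners.add((m.group(1), m.group(2), int(m.group(3))))
        elif m := SKIP_RE.search(line):
            skipped.add(int(m.group(1)))
        elif m := SETUP_RE.search(line):
            declared = int(m.group(1))
    return listeners, skipped, declared

def audit(log, kdc_conf):
    """Compare the listeners the KDC logged with the ports it was told to use."""
    listeners, skipped, declared = parse_kdc_log(log)
    want = configured_ports(kdc_conf)
    bound = {port for _, _, port in listeners}
    return {
        "missing": [p for p in want if p not in bound],
        "unexpected": sorted(bound - set(want)),
        "protocols": sorted({proto for proto, _, _ in listeners}),
        "addresses": sorted({addr for _, addr, _ in listeners}),
        "skipped_families": sorted(skipped),
        "count_matches": declared == len(listeners),
    }
```

When `protocols` comes back as `['udp']` only, a TCP connect scan of those ports reports them closed even though the KDC is serving, so confirm the listeners with a UDP-aware check such as `ss -uln` on the host.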
Comment 1 James Hogarth 2004-03-09 12:43:08 UTC
I have tried a few more bits and it appears that the port is - in fact - bound okay... current error is:

Cannot contact any KDC for requested realm while initializing kadmin interface

If kadmin is run or:

Cannot contact any KDC for requested realm while getting initial credentials

If kinit is run....

I have no firewall at this point but seeing as DNS is working and these commands are run on local machine.....

I am installing iptables to ensure that everything is open and I'll update this then.
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2005-06-06 14:03:18 UTC
James, please reopen this bug if this is still an issue in current mit-krb5's.