Bug 194826

Summary: app-crypt/heimdal-0.7.2-r3: IP addresses of target host are malformed
Product: Gentoo Linux
Reporter: Martin Mokrejš <mmokrejs>
Component: [OLD] Server
Assignee: Gentoo Kerberos Maintainers <kerberos>
Status: VERIFIED WORKSFORME    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Martin Mokrejš 2007-10-05 16:36:18 UTC
It seems something is broken in 0.7.2-r3 that parses the host address and strips anything in front of the first dot. I hit this problem with both the ftp client from the heimdal distribution and the yafc ftp client.

$ kftp 192.168.0.2
Connected to 192.168.0.2.
220 vrapenec FTP server (Version 6.00+Heimdal 0.7.2) ready.
Trying GSSAPI...
Error initializing security context: Server (krbtgt/168.0.2@DOMA) unknown

*** Using plaintext user and password ***

Name (192.168.0.2:mmokrejs): 
331 Password required for mmokrejs.
Password: 


Oct  5 18:07:28 vrapenec ftpd[29758]: <--- 220 vrapenec FTP server (Version 6.00+Heimdal 0.7.2) ready.  - 
Oct  5 18:07:28 vrapenec ftpd[29758]: command: AUTH GSSAPI
Oct  5 18:07:28 vrapenec ftpd[29758]: <--- 334 Send authorization data.  - 
Oct  5 18:07:28 vrapenec kdc[29547]: TGS-REQ mmokrejs@DOMA from IPv4:192.168.0.2 for krbtgt/168.0.2@DOMA
Oct  5 18:07:28 vrapenec kdc[29547]: Server not found in database: krbtgt/168.0.2@DOMA: No such entry in the database
Oct  5 18:07:28 vrapenec kdc[29547]: sending 114 bytes to IPv4:192.168.0.2
Oct  5 18:07:28 vrapenec kdc[29547]: TGS-REQ mmokrejs@DOMA from IPv4:192.168.0.2 for krbtgt/168.0.2@DOMA
Oct  5 18:07:28 vrapenec kdc[29547]: Server not found in database: krbtgt/168.0.2@DOMA: No such entry in the database
Oct  5 18:07:28 vrapenec kdc[29547]: sending 114 bytes to IPv4:192.168.0.2
Oct  5 18:07:28 vrapenec ftpd[29758]: command: USER mmokrejs
Oct  5 18:07:28 vrapenec ftpd[29758]: <--- 331 Password required for mmokrejs.  - 
Oct  5 18:07:34 vrapenec ftpd[29758]: <--- 221 You could at least say goodbye.  -
Comment 1 Michael Hammer (RETIRED) gentoo-dev 2008-07-14 12:44:00 UTC
Are you sure the reverse lookup of the ip 192.168.0.2 is working? For kerberos you need the host realm and therefore the hostname. Could you check this? I don't think that this is a kerberos (heimdal) issue - that's related to your config.

g, mueli

Comment 2 Martin Mokrejš 2008-07-14 13:42:20 UTC
Sorry for the confusion, I really only wanted to report that ftpd
reports:

Error initializing security context: Server (krbtgt/168.0.2@DOMA) unknown

Please note the missing "192." string. If it does not happen with the "current"
version in the overlay anymore then I am fine. I will wait until the new ebuilds
appear in ~x86 and ~amd64 and then will test.

Comment 3 Michael Hammer (RETIRED) gentoo-dev 2008-07-14 18:09:44 UTC
But this:

Oct  5 18:07:28 vrapenec kdc[29547]: Server not found in database:
krbtgt/168.0.2@DOMA: No such entry in the database

is an indication that kerberos isn't able to find the principal for your host in the database. One thing you should check is if the reverse query for your ip works.

That means:

$ dig -x 192.168.0.2

must resolve to $hostname for which you have a realm

host/$hostname.YOURREALM.COM

in the database. That _must_ work else kerberos isn't able to affiliate the IP with the principal in the database.

g, mueli

Comment 4 Martin Mokrejš 2008-07-14 18:37:48 UTC
Yes that was a misconfiguration on my side. But still, the server or client does not display the IP address correctly. ;-)

Comment 5 Michael Hammer (RETIRED) gentoo-dev 2008-07-15 06:08:19 UTC
Are you sure?

IPv4:192.168.0.2 for krbtgt/168.0.2@DOMA
     ^^^^^^^^^^^

The way he displays the Ticket Granting Ticket is also new to me but I am not sure that this is a misbehavior. I'd at least say that this isn't a gentoo issue - it's at least an upstream issue. To contact upstream we should really test the actual release in the overlay. So either you wait and live with the problem or you test heimdal out of overlay if you can reproduce your problem.

I really hope it's ok for you that I'll close this bug - Feel free to reopen if you really think this is a gentoo related problem. At the moment I am trying to close pending bugs related to outdated heimdal releases ;)

g, mueli

Comment 6 Martin Mokrejš 2008-07-18 11:00:33 UTC
On the misconfigured system I get with 1.2.1rc1 a ticket which lacks the unresolvable hostname altogether:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: mmokrejs@DOMA

  Issued           Expires          Principal
Jul 18 12:22:51  Jul 19 12:22:51  krbtgt/DOMA@DOMA
$ kftp 192.168.0.2
Connected to 192.168.0.2.
220 vrapenec FTP server (Version 6.00+Heimdal 1.2.1rc1) ready.
Trying GSSAPI...
Error initializing security context: unknown mech-code 0 for mech unknown

*** Using plaintext user and password ***

Name (192.168.0.2:mmokrejs):
^c


I have emailed upstream for thoughts whether there is anything to be improved.
The old bug stripping first number range from IPv4 address is gone, though.
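
Added example, not part of the original bug report and not Heimdal's code: a Python sketch of how the name `krbtgt/168.0.2@DOMA` from the log lines in this report can arise when an IPv4 literal is handled as a host name, and of how to flag such requests in a KDC log. The realm rule in `fallback_realm` (everything after the first dot becomes the realm) is an assumption about the client's behaviour, and the log sample, including the host name `vrapenec.example.org`, is constructed.

```python
import re

# Constructed sample in the KDC log format quoted in this report; the host
# name vrapenec.example.org is made up for the well-formed request.
SAMPLE_LOG = """\
Oct  5 18:07:28 vrapenec kdc[29547]: TGS-REQ mmokrejs@DOMA from IPv4:192.168.0.2 for krbtgt/168.0.2@DOMA
Oct  5 18:07:28 vrapenec kdc[29547]: Server not found in database: krbtgt/168.0.2@DOMA: No such entry in the database
Oct  5 18:09:02 vrapenec kdc[29547]: TGS-REQ mmokrejs@DOMA from IPv4:192.168.0.2 for ftp/vrapenec.example.org@DOMA
"""

TGS_REQ = re.compile(
    r"TGS-REQ (?P<client>\S+) from IPv4:(?P<src>\S+) for (?P<service>\S+)@(?P<realm>\S+)$")

def fallback_realm(host):
    # Assumed rule: with no explicit mapping, the realm is the part of the
    # host name after the first dot, uppercased.
    _, dot, rest = host.partition(".")
    return rest.upper() if dot else None

def cross_realm_tgt(target, local_realm):
    # A service in a foreign realm is reached via krbtgt/<foreign>@<local>.
    return f"krbtgt/{fallback_realm(target)}@{local_realm}"

def looks_like_ipv4_tail(realm):
    # Three decimal octets, i.e. an IPv4 address that lost its first label.
    labels = realm.split(".")
    return len(labels) == 3 and all(l.isdecimal() and int(l) <= 255 for l in labels)

def suspicious_tgs_requests(log_text):
    # Report (client, source, realm) for cross-realm TGT requests whose
    # target realm is an IPv4 tail: the client was given an IP literal.
    hits = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if not m:
            continue
        name, _, instance = m["service"].partition("/")
        if name == "krbtgt" and looks_like_ipv4_tail(instance):
            hits.append((m["client"], m["src"], instance))
    return hits

if __name__ == "__main__":
    print(cross_realm_tgt("192.168.0.2", "DOMA"))
    print(suspicious_tgs_requests(SAMPLE_LOG))
```

Under that assumption the missing "192." is the first label being dropped during host-to-realm mapping, and the KDC is being asked for a cross-realm ticket to a realm named `168.0.2`.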