
Incorrect net address with hpropd/kinit on KDC



Hello,

I seem to be having issues with the infamous "incorrect net address" under
heimdal on OpenBSD 3.7.

kinit (heimdal-0.6.3/OpenBSD)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to bugs@openbsd.org

On my kdc (aka: bob), which is a multihomed machine with several public and
private IPv4/IPv6 addresses, I see the following...

$ kinit
epancer@FOO.EXAMPLE.NET's Password: 
kinit: krb5_get_init_creds: Incorrect net address

However, if I do the following I will get a ticket.

$ kinit --no-address
epancer@FOO.EXAMPLE.NET's Password: 
kinit: NOTICE: ticket renewable lifetime is 1 week

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1002
        Principal: epancer@FOO.EXAMPLE.NET
    Cache version: 4

Server: krbtgt/FOO.EXAMPLE.NET@FOO.EXAMPLE.NET
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Jun  1 11:12:03 2005
End time:   Jun  1 11:38:03 2005
Renew till: Jun  8 11:12:03 2005
Ticket flags: forwardable, renewable, initial
Addresses: 

Unfortunately, this then impacts hprop.

$ /usr/libexec/hprop slave
hprop: krb5_get_init_creds: Incorrect net address

On a similar host that is multihomed in the same manner, I do not have
problems getting a ticket (though it calls back to the KDC in question
here).

Here's my krb5.conf; as you can imagine, I can't propagate my databases to
the slaves... yet :) Thanks for any help.

# bob:/etc/kerberosV/krb5.conf
[libdefaults]
        default_realm = FOO.EXAMPLE.NET 
        clockskew = 300
        ticket_lifetime = 1560

[appdefaults]
        default_lifetime = 7d
        encrypt = true
        forward = true
        forwardable = true
        renewable = true

        login = {
                forwardable = true
                krb5_get_tickets = true
        }
        kinit = {
                forwardable = true
        }

[realms]
        FOO.EXAMPLE.NET = {
                kdc = bob.foo.example.net 
                kdc = alice.foo.example.net 
                kdc = mallory.foo.example.net 
                admin_server = bob.foo.example.net 
                kpasswd_server = bob.foo.example.net
        }
[domain_realm]
        .foo.example.net = FOO.EXAMPLE.NET 
        foo.example.net = FOO.EXAMPLE.NET

[kadmin]
        default_keys = v5

[logging]
        default = SYSLOG:ERR:AUTH
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

ifconfig(8) output -- addresses have been changed, but they are all public,
routable addresses.

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:55:b7:78:c5
        description: public
        media: Ethernet 1000baseT full-duplex
        status: active
        inet 10.19.21.131 netmask 0xffffff80 broadcast 10.19.21.255
        inet6 fe80::202:55ff:feb7:78c5%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:55:b7:78:c6
        description: ipv6_if
        media: Ethernet 1000baseT full-duplex
        status: active
        inet6 2001:x:y:z::131 prefixlen 96
        inet6 fe80::202:55ff:feb7:78c6%bge1 prefixlen 64 scopeid 0x2
        inet6 2001:x:y:z::53 prefixlen 96
        inet6 2001:x:y:z::1 prefixlen 96
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        physical address inet 10.19.21.131 --> 10.19.81.184
        inet6 fe80::202:55ff:feb7:78c5%gif0 ->  prefixlen 64 scopeid 0x7
        inet6 2001:x:y:q::b -> 2001:x:y:q::a prefixlen 128
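Added example, not part of the original post: a krb5.conf fragment that makes the `--no-address` behaviour the default for every client on the KDC, so hprop (which cannot be passed that flag) obtains the same addressless ticket that `kinit --no-address` does above. The `no-addresses` and `extra_addresses` option names are taken from Heimdal's krb5.conf(5); the assumption that the 0.6.3 library on OpenBSD 3.7 honours them should be checked against the local manual page.

```ini
# Added example: [libdefaults] fragment for bob:/etc/kerberosV/krb5.conf
# (illustration only, not the configuration from the original post).
[libdefaults]
        default_realm = FOO.EXAMPLE.NET
        clockskew = 300
        ticket_lifetime = 1560
        # Equivalent of 'kinit --no-address': ask for tickets that carry no
        # host addresses, so the KDC's address check can no longer reject a
        # request that left the multihomed client on an unexpected interface
        # (here, the gif0 tunnel or one of the bge1 IPv6 addresses).
        # Caveat: an addressless ticket is usable from any host, so the
        # credential cache must be protected accordingly.
        no-addresses = true
        # Alternative that keeps address binding: list every address the
        # client may appear from instead of disabling the check entirely.
        # extra_addresses = 10.19.21.131 2001:x:y:z::131 2001:x:y:q::b
```

With `no-addresses = true` in place, `klist -v` shows an empty `Addresses:` line, as in the `--no-address` run above, and the KDC issues the ticket without comparing the request's source address to the addresses embedded in it.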