
Re: Bug? kadmind binds only to IPv6 addresses, if IPv6 is enabled




"Torsten Kurbad" <torsten@tk-webart.de> writes:

> Hello everyone,
>
> I'm just setting up a new central server for our institution. Since I'm most
> familiar with it, I use Gentoo Linux to accomplish that.
>
> One of the tasks is to set up a central authorization scheme that is usable
> via PAM, OpenLDAP, Samba, ...
> After some experiments with mit-krb5 I switched to heimdal about two weeks
> ago, which caused me much less trouble.
>
> Only one issue so far took me days and lots of sweat to resolve:
> It seems that kadmind binds to *:749/tcp, which causes an IPv6-enabled Linux
> host to insist that 749/tcp is already bound even for IPv4.
> By starting kadmind with the -d option it will report that the socket is
> already bound for af=2.

Last time I checked, Linux also answered ipv6 used ipv4 mapped addresses
for ipv6 sockets, so, didn't it just work?

> ./configure --without-ipv6 didn't help at all. In fact I had to take IPv6
> support *completely* out of the kernel, which means even no ipv6 module!
>
> IMO all this could be fixed, if one could pass a parameter like
> kdc's --addresses to kadmind.
> Would it be difficult to enhance kadmind in that way?

Not really, just need to share code between kadmind and kdc, but isn't it
easier to start kadmind from inetd?

From the info documentation:

   Remote administration
   
   The administration server, kadmind, can be started by inetd (which isn't
   recommended) or run as a normal daemon. If you want to start it from
   inetd you should add a line similar to the one below to your
   /etc/inetd.conf.
   
   kerberos-adm stream     tcp     nowait  root /usr/heimdal/libexec/kadmind kadmind
   
   You might need to add kerberos-adm to your /etc/services as 749/tcp.

Love
