From owner-freebsd-bugs Thu Jan 16 11:10:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA07327 for bugs-outgoing; Thu, 16 Jan 1997 11:10:10 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA07319; Thu, 16 Jan 1997 11:10:06 -0800 (PST)
Resent-Date: Thu, 16 Jan 1997 11:10:06 -0800 (PST)
Resent-Message-Id: <199701161910.LAA07319@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, hhui@bluemountainarts.com
Received: from disperse.arcfour.com (disperse.arcfour.com [207.176.50.17]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA06767 for ; Thu, 16 Jan 1997 11:05:00 -0800 (PST)
Received: (from hhui@localhost) by disperse.arcfour.com (ArcFour-8.8.3) id OAA11986; ; Thu, 16 Jan 1997 14:04:42 -0500 (EST)
Message-Id: <199701161904.OAA11986@disperse.arcfour.com>
Date: Thu, 16 Jan 1997 14:04:42 -0500 (EST)
From: Hui-Hui Hu
Reply-To: hhui@bluemountainarts.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2508: kerberos does not support multihomed hosts
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 2508
>Category: bin
>Synopsis: kerberos does not support multihomed hosts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 16 11:10:04 PST 1997
>Last-Modified:
>Originator: Hui-Hui Hu
>Organization: Arc Four
>Release: FreeBSD 2.2-ALPHA i386
>Environment:

kerberos IV / eBones (by the way, I tried 3.0-current krb libs also)
server is running two IP addresses

>Description:

A ticket read request will often fail over a multihomed server host because Kerberos will check the ticket address, and if the first interface address the system returns is different from the outgoing packet, then it will generate an "Incorrect network address" (RD_AP_BADD).
This is contrary to the specification, which says:

    'Incorrect network address'
        The address in the ticket does not match the address you sent the request from. This happens on systems with more than one network address, either physically or logically. You can list addresses which should be considered equal in `/etc/krb.equiv' on your servers.

The line in rd_req.c (libkrb.a) is:

    if (from_addr && (ad->address != from_addr))

which does not take into account more than one interface.

>How-To-Repeat:

Configure two interfaces, with the non-default interface ("internal lan") being the first one that the kernel will return. Then try to authenticate yourself.

>Fix:

A very bad fix is to comment out the line return (RD_AP_BADD) in rd_req.c. Obviously this kind of destroys a lot of authentication.

The proper solution would be to implement a krb.equiv file for multihomed server hosts. That would be really, really appreciated. Maybe I'll work on it if I get bored some day. :)

>Audit-Trail:
>Unformatted:
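
An added example, not part of the original report and not FreeBSD or eBones code: the comparison quoted from rd_req.c, extended so that a mismatch is still accepted when both addresses appear on the same line of a krb.equiv-style list. The function names, the one-group-per-line layout of the list and the sample addresses are assumptions made for illustration; malformed or over-long lines are ignored so that a damaged list can never widen what the check accepts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample list (documentation-range addresses, not from the report). */
static const char SAMPLE_EQUIV[] =
    "192.0.2.10 198.51.100.10\n203.0.113.5 bogus 203.0.113.6\n";

/* Strict dotted-quad parser: returns 1 and fills *out on success, 0 otherwise. */
static int parse_addr(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
    return 1;
}

/* Hypothetical helper: returns 1 when the ticket address is acceptable for a
 * request from from_addr, 0 when the caller should fail with RD_AP_BADD.
 * equiv is the text of an equivalence list, one group of addresses per line. */
int ticket_addr_ok(const char *equiv, uint32_t ticket_addr, uint32_t from_addr)
{
    if (!from_addr || ticket_addr == from_addr)
        return 1;               /* same outcome as the original comparison */
    while (*equiv) {
        char line[256];
        size_t n = strcspn(equiv, "\n");
        if (n < sizeof line) {  /* over-long lines are skipped, never truncated */
            int has_ticket = 0, has_from = 0;
            memcpy(line, equiv, n);
            line[n] = '\0';
            for (char *t = strtok(line, " \t\r"); t; t = strtok(NULL, " \t\r")) {
                uint32_t a;
                if (!parse_addr(t, &a)) {   /* malformed entry: distrust the line */
                    has_ticket = has_from = 0;
                    break;
                }
                has_ticket |= (a == ticket_addr);
                has_from |= (a == from_addr);
            }
            if (has_ticket && has_from)
                return 1;
        }
        equiv += n + (equiv[n] == '\n');
    }
    return 0;
}
```

Unlike commenting out the RD_AP_BADD return, this keeps the address check in force for every pair of addresses that is not explicitly listed together.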