ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Add option to prefer IPv6 networks #29

Status: Closed (wkihara closed this issue 1 year ago)

wkihara commented 5 years ago

Hello

I have deployed mokey on a system outside the office. The IPA server is in the office. Both systems have IPv4 and IPv6 addresses. However, they can only reach each other over IPv6.

The IPA client where mokey is running enrolled correctly. I can ssh fine and can also run "kinit admin", so it's indeed able to use IPv6 to reach the KDC. I had to add the line "lookup_family_order = ipv6_only" to the sssd.conf file though.

What I have noticed is that it looks like the mokey application isn't asking the application for the preferred method of communication and just always uses IPv4. This seems to be a bug and it would be nice if you could look at it when you have a chance.

    Jan 8 12:15:41 mars systemd[1]: Started mokey server.
    Jan 8 12:15:41 mars bash[26834]: time="2019-01-08T12:15:41-05:00" level=info msg="Using template dir: /usr/share/mokey/templates"
    Jan 8 12:15:46 mars bash[26834]: time="2019-01-08T12:15:46-05:00" level=fatal msg="[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with TCP (error in getting a TCP connection to any of the KDCs) and then UDP (sending over UDP failed to 192.168.30.5:88: read udp 209.98.51.141:38478->192.168.30.5:88: i/o timeout)"
    Jan 8 12:15:46 mars systemd[1]: mokey.service: main process exited, code=exited, status=1/FAILURE
    Jan 8 12:15:46 mars systemd[1]: Unit mokey.service entered failed state.
    Jan 8 12:15:46 mars systemd[1]: mokey.service failed.

    [root@mars ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXTERNAL.EXAMPLE.COM

    Valid starting       Expires              Service principal
    01/08/2019 12:08:52  01/15/2019 12:08:33  ldap/jupiter.external.example.com@EXTERNAL.EXAMPLE.COM
            renew until 01/18/2019 12:08:33
    01/08/2019 12:08:39  01/15/2019 12:08:33  HTTP/jupiter.external.example.com@EXTERNAL.EXAMPLE.COM
            renew until 01/18/2019 12:08:33
    01/08/2019 12:08:33  01/15/2019 12:08:33  krbtgt/EXTERNAL.EXAMPLE.COM@EXTERNAL.EXAMPLE.COM
            renew until 01/18/2019 12:08:33
    [root@mars ~]#

aebruno commented 5 years ago

You may be able to try forcing the IPv6 addresses of your KDCs by hard coding them in the /etc/krb5.conf file. Something like:

[realms]
        EXTERNAL.EXAMPLE.COM = {
                kdc = [1234:52:0:2223::1:1]
        }

Also, you may want to check your DNS and see if you can resolve AAAA records for the KDCs. For example:

dig -t SRV +short +identify _kerberos._udp.external.example.com

Do you have AAAA records for your IPA servers?

wkihara commented 5 years ago

Hi Bruno,

> You may be able to try forcing the IPv6 addresses of your KDCs by hard coding them in the /etc/krb5.conf file. Something like:
>
>     [realms]
>             EXTERNAL.EXAMPLE.COM = {
>                     kdc = [1234:52:0:2223::1:1]
>             }

Actually, that is what I had initially done, but it didn't make a difference. Eventually I got help here and it resolved it for the system but not the application:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/Q4WZSQYY7LSAHA3GXKVGVOS2SDQVULRI/

> Also, you may want to check your DNS and see if you can resolve AAAA records for the KDCs. For example:
>
>     dig -t SRV +short +identify _kerberos._udp.external.example.com
>
> Do you have AAAA records for your IPA servers?

Yes, I do have the AAAA entry. I can ssh to the client successfully. I have the IPv6 address in the hosts file and am using IPv6 in resolved.conf.

In other words, it works fine from an infrastructure point of view. That's why I am surprised mokey seems to prefer IPv4.

Regards, William

wkihara commented 5 years ago

This is the actual result of the DNS query suggested above:

    [root@mars ~]# dig -t SRV +short +identify _kerberos._udp.external.example.com
    0 100 88 jupiter.external.example.com. from server 2607:c0f8:6000:a::5 in 2 ms.
    [root@mars ~]#

aebruno commented 5 years ago

From what I can tell, it appears golang prefers IPv4 and there doesn't seem to be an easy way to change this. You could try hard coding the IPv6 addresses in the /etc/krb5.conf file and set DNS lookups to false to force IPv6:

[libdefaults]
  default_realm = EXTERNAL.EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXTERNAL.EXAMPLE.COM = {
    kdc = [1234:52:0:2223::1:1]
  }

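
An added example (not mokey's own code, nor gokrb5's) of the address ordering an "prefer IPv6" option could apply before dialing a KDC: given the addresses a resolver returned for the KDC host, it moves IPv6 addresses to the front and builds bracketed dial targets of the same "[addr]:88" form the krb5.conf workaround hard codes by hand. The sample addresses are constructed from the values in this thread; `kdcTargets` and `preferIPv6` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// isIPv6 reports whether ip is a native IPv6 address (IPv4-mapped
// addresses such as ::ffff:192.168.30.5 count as IPv4 here).
func isIPv6(ip net.IP) bool {
	return ip.To4() == nil && ip.To16() != nil
}

// preferIPv6 returns a copy of addrs with IPv6 addresses moved to the front.
// The sort is stable, so the resolver's order within each family is kept.
func preferIPv6(addrs []net.IP) []net.IP {
	out := make([]net.IP, len(addrs))
	copy(out, addrs)
	sort.SliceStable(out, func(i, j int) bool {
		return isIPv6(out[i]) && !isIPv6(out[j])
	})
	return out
}

// kdcTargets turns resolved KDC addresses into dial strings, IPv6 first.
// net.JoinHostPort brackets IPv6 literals, so a dialer receives "[addr]:88".
func kdcTargets(addrs []net.IP, port string) []string {
	targets := make([]string, 0, len(addrs))
	for _, ip := range preferIPv6(addrs) {
		targets = append(targets, net.JoinHostPort(ip.String(), port))
	}
	return targets
}

func main() {
	// Constructed sample: what a lookup of the KDC host might return when it
	// has both an A and an AAAA record (values taken from this thread).
	resolved := []net.IP{
		net.ParseIP("192.168.30.5"),
		net.ParseIP("1234:52:0:2223::1:1"),
	}
	for _, t := range kdcTargets(resolved, "88") {
		fmt.Println(t) // prints [1234:52:0:2223::1:1]:88, then 192.168.30.5:88
	}
}
```

A dialer that walks the returned slice in order will reach the IPv6 KDC first and only fall back to IPv4 when that attempt fails.
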
wkihara commented 5 years ago

Thanks Andrew,

This suggestion worked: kdc = [1234:52:0:2223::1:1]:88

By default, the IPA client uses DNS, so I had to flip "true" to "false" on this line:

dns_lookup_kdc = false

aebruno commented 5 years ago

Great, thanks for reporting the issue. I'll leave this open for now and report back if we make any progress adding an option to prefer IPv6 networks.