Configuring multiple KDC servers does not take effect #324

Closed
ghost opened this issue Oct 17, 2019 · 5 comments · Fixed by #399

Comments

ghost commented Oct 17, 2019

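In the file gopkg.in/jcmturner/gokrb5.v7/client/network.go I found that the functions `func dialKDCUDP(count int, kdcs map[int]string) (*net.UDPConn, error)` and `func dialKDCTCP(count int, kdcs map[int]string) (*net.TCPConn, error)` do not solve the problem of redundancy across multiple KDC servers. This is mainly because the code in these functions returns as soon as the err return value is not nil, so even though a for loop is used, the next KDC server address is never tried for a connection attempt.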

@jcmturner
Owner

Translation:

I found the func dialKDCUDP(count int, kdcs map[int]string) (*net.UDPConn, error) function and func dialKDCTCP(count int, in the file gopkg.in/jcmturner/gokrb5.v7/client/network.go Kdcs map[int]string) (*net.TCPConn, error) The function does not solve the problem of multiple KDC server redundancy, mainly because the code segment in the function returns the function when it encounters the err return value is not nil. , causing the next KDC server address to be used for connection attempts even if a for loop is used

@jcmturner
Owner

Hi, sorry I am not fluent in your language. I believe from Google Translate this is Chinese and the translation it gives me is in my first comment above. If you are able to check this translation for accuracy that would be great. What follows is this comment translated with Google Translate from English into Chinese.

Translation:
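Hi, sorry, I am not very fluent in the language. I believe Google Translate is Chinese, and the translation it gave me is my first response. It would be great if you could check the accuracy of this translation. This message is a translation of my English reply above.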

yan-di commented Jun 7, 2020

Sorry, I don't think Google Translate accurately expressed my question, so let me describe the scenarios of the two problems to see whether you can reproduce them.

1. Using gokrb5.v8 configured with multiple KDC services, when the network is unreachable it cannot switch to another KDC for authentication, and the program blocks indefinitely. Using gokrb5.v7 configured with multiple KDC services, when the network is unreachable it cannot switch to another KDC for authentication either, but the program does not block indefinitely, so I used gokrb5.v7 and added the check code myself, as follows:

```go
for i := range kdc {
    // Point the realm at a single KDC for this attempt.
    krb5Conf.Realms[0].KDC = []string{kdc[i]}
    tkt, key, err = client.NewClientWithPassword(user, realm, pswd, krb5Conf).GetServiceTicket(servPrinc)
    if v, ok := err.(krberror.Krberror); ok {
        switch v.RootCause {
        case krberror.NetworkingError:
            // Networking failure: try the next KDC.
            continue
        default:
            return err
        }
    }
    break
}
```

2. Using gokrb5.v7 to change a user's password, the program blocks indefinitely when the network is unreachable. I do not have a solution yet. My code is as follows:

```go
if _, err := client.NewClientWithPassword(user, realm, oldpswd, krb5Conf).ChangePasswd(newpswd); err != nil {
    return err
}
```

yan-di commented Jun 11, 2020

Another question: in version 7.5, if the file path is incorrect or the file content is incorrect, the keytab.Load function blocks and does not exit.

@jcmturner
Owner

Hi @yan-di

I think I understand this issue now. It is that on failure to communicate with a KDC the client needs to reselect another KDC to try. I will need to give some thought on the best way to implement that.

With regard to the point you make about the keytab.Load function, can you provide more detail, please?
I have written this test which passes:
https://github.com/jcmturner/gokrb5/blob/investigation/v8/keytab/keytab_test.go#L102-L107
I think this should probably be a separate github issue. If you can raise a new issue for this with more detail I will be able to investigate.
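
The behaviour discussed in this thread, trying the next KDC when a connection attempt fails instead of returning on the first error, shown as an added example that is not gokrb5's code and not the fix merged in #399. `dialFirstReachableKDC`, `dialFunc`, the 1..count key layout of the `kdcs` map and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// dialFunc has the signature of net.DialTimeout so a test can swap in a fake dialer.
type dialFunc func(network, addr string, timeout time.Duration) (net.Conn, error)

// dialFirstReachableKDC tries kdcs[1]..kdcs[count] in order (assumed key layout).
// A failed attempt is recorded and the loop continues; an error is returned only
// after every KDC has failed. The per-attempt timeout bounds how long it can block.
func dialFirstReachableKDC(count int, kdcs map[int]string, timeout time.Duration, dial dialFunc) (net.Conn, string, error) {
	var failures []string
	for i := 1; i <= count; i++ {
		addr, ok := kdcs[i]
		if !ok {
			continue
		}
		conn, err := dial("tcp", addr, timeout)
		if err != nil {
			// Returning here would end the loop on the first dead KDC.
			failures = append(failures, fmt.Sprintf("%s: %v", addr, err))
			continue
		}
		return conn, addr, nil
	}
	if len(failures) == 0 {
		return nil, "", errors.New("no KDC addresses configured")
	}
	return nil, "", fmt.Errorf("all %d KDCs unreachable: %s", len(failures), strings.Join(failures, "; "))
}

func main() {
	// Constructed addresses: loopback ports 1 and 2 are assumed closed, so both attempts fail.
	kdcs := map[int]string{1: "127.0.0.1:1", 2: "127.0.0.1:2"}
	conn, addr, err := dialFirstReachableKDC(len(kdcs), kdcs, 500*time.Millisecond, net.DialTimeout)
	if err != nil {
		fmt.Println("failover exhausted:", err)
		return
	}
	defer conn.Close()
	fmt.Println("connected to", addr)
}
```

The error returned after the last attempt lists every KDC that was tried, which makes a total outage distinguishable from a single dead server in logs.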
