``/.k5.REALM``, where *REALM* is the Kerberos realm.
**kdc_listen**
- (Whitespace- or comma-separated list.) Specifies the UDP
- listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
- Each entry may be an interface address, a port number, an address
- and port number separated by a colon, or a UNIX domain socket
+ (Whitespace- or comma-separated list.) Specifies the listening
+ addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each
+ entry may be an interface address, a port number, an address and
+ port number separated by a colon, or a UNIX domain socket
pathname. If the address contains colons, enclose it in square
brackets. If no address is specified, the wildcard address is
used. If no port is specified, the standard port (88) is used.
**kdc_tcp_listen**
(Whitespace- or comma-separated list.) Specifies the TCP
listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
- Each entry may be an interface address, a port number, or an
- address and port number separated by a colon. If the address
- contains colons, enclose it in square brackets. If no address is
- specified, the wildcard address is used. If no port is specified,
- the standard port (88) is used. To disable listening on TCP, set
- this relation to the empty string with ``kdc_tcp_listen = ""``.
- If the KDC daemon fails to bind to any of the specified addresses,
- it will fail to start. The default is to bind to the wildcard
- address on the standard port. New in release 1.15.
+ The syntax is identical to that of **kdc_listen**. To disable
+ listening on TCP, set this relation to the empty string with
+ ``kdc_tcp_listen = ""``. The default is to bind to the same
+ addresses and ports as for UDP. New in release 1.15.
**kdc_tcp_ports**
(Whitespace- or comma-separated list, deprecated.) Prior to
*/
static krb5_error_code
init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
- char *def_mpname, krb5_enctype def_enctype, char *def_udp_listen,
+ char *def_mpname, krb5_enctype def_enctype, char *def_listen,
char *def_tcp_listen, krb5_boolean def_manual,
krb5_boolean def_restrict_anon, char **db_args, char *no_referral,
char *hostbased)
/* Try the old kdc_ports configuration option. */
hierarchy[2] = KRB5_CONF_KDC_PORTS;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen))
- rdp->realm_listen = strdup(def_udp_listen);
+ rdp->realm_listen = strdup(def_listen);
}
if (!rdp->realm_listen) {
kret = ENOMEM;
/* Try the old kdc_tcp_ports configuration option. */
hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
- &rdp->realm_tcp_listen))
+ &rdp->realm_tcp_listen) &&
+ def_tcp_listen != NULL) {
+ /* Copy [kdcdefaults] value if one was given. */
rdp->realm_tcp_listen = strdup(def_tcp_listen);
- }
- if (!rdp->realm_tcp_listen) {
- kret = ENOMEM;
- goto whoops;
+ if (rdp->realm_tcp_listen == NULL) {
+ kret = ENOMEM;
+ goto whoops;
+ }
+ }
}
/* Handle stash file */
hierarchy[2] = KRB5_CONF_KEY_STASH_FILE;
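Review bot: A NULL `rdp->realm_tcp_listen` now means "not configured, fall back to kdc_listen", but nothing in this hunk sets the field to NULL when both lookups fail and `def_tcp_listen` is NULL. The callers shown elsewhere in this diff allocate the structure with `malloc(sizeof(kdc_realm_t))`, so the field is only NULL if init_realm zeroes `*rdp` earlier in its body and `krb5_aprof_get_string` leaves its output untouched on failure. Neither is visible here, and if either does not hold, the later `realm->realm_tcp_listen != NULL` test reads an indeterminate pointer. I would confirm both and record the invariant beside the new condition, for example `/* Otherwise leave realm_tcp_listen NULL; network setup then reuses realm_listen. */`. The enclosing function starts and ends outside the hunk.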
kdc_realm_t *rdatap = NULL;
krb5_boolean manual = FALSE;
krb5_boolean def_restrict_anon;
- char *def_udp_listen = NULL;
+ char *def_listen = NULL;
char *def_tcp_listen = NULL;
krb5_pointer aprof = kcontext->profile;
const char *hierarchy[3];
hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
hierarchy[1] = KRB5_CONF_KDC_LISTEN;
hierarchy[2] = NULL;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) {
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_listen)) {
hierarchy[1] = KRB5_CONF_KDC_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
- def_udp_listen = NULL;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_listen))
+ def_listen = NULL;
}
hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)) {
if (krb5_aprof_get_string_all(aprof, hierarchy, &hostbased))
hostbased = 0;
- if (def_udp_listen == NULL) {
- def_udp_listen = strdup(DEFAULT_KDC_UDP_PORTLIST);
- if (def_udp_listen == NULL) {
- fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
- exit(1);
- }
- }
- if (def_tcp_listen == NULL) {
- def_tcp_listen = strdup(DEFAULT_KDC_TCP_PORTLIST);
- if (def_tcp_listen == NULL) {
+ if (def_listen == NULL) {
+ def_listen = strdup(DEFAULT_KDC_PORTLIST);
+ if (def_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) {
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, optarg, mkey_name,
- menctype, def_udp_listen,
- def_tcp_listen, manual,
- def_restrict_anon, db_args,
+ menctype, def_listen, def_tcp_listen,
+ manual, def_restrict_anon, db_args,
no_referral, hostbased);
if (retval) {
fprintf(stderr, _("%s: cannot initialize realm %s - "
pid_file = optarg;
break;
case 'p':
- free(def_udp_listen);
- free(def_tcp_listen);
- def_udp_listen = strdup(optarg);
- def_tcp_listen = strdup(optarg);
- if (def_udp_listen == NULL || def_tcp_listen == NULL) {
+ free(def_listen);
+ def_listen = strdup(optarg);
+ if (def_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough "
"memory\n"));
exit(1);
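Review bot: With this hunk `-p` replaces only `def_listen`, so a `kdc_tcp_listen` value that appears to be read from [kdcdefaults] earlier in the function is no longer freed and overridden. Before the change `-p` set both defaults, so an operator who uses `-p` to move or narrow the listeners can now be left with a TCP listener on the profile's addresses that they did not expect. If that precedence is intended, state it at the case, e.g. `/* -p overrides kdc_listen only; an explicit kdc_tcp_listen in the profile still applies to TCP. */`, and in the option's documentation. If it is not intended, keep `free(def_tcp_listen); def_tcp_listen = NULL;` here so TCP falls back to the `-p` list. The switch statement continues outside the hunk.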
}
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype,
- def_udp_listen, def_tcp_listen, manual,
+ def_listen, def_tcp_listen, manual,
def_restrict_anon, db_args, no_referral,
hostbased);
if (retval) {
krb5_free_default_realm(kcontext, lrealm);
}
- if (def_udp_listen)
- free(def_udp_listen);
+ if (def_listen)
+ free(def_listen);
if (def_tcp_listen)
free(def_tcp_listen);
if (db_args)
krb5_error_code retval;
krb5_context kcontext;
kdc_realm_t *realm;
+ const char *tcp_listen;
verto_ctx *ctx;
int tcp_listen_backlog;
int errout = 0;
retval = loop_add_unix_socket(realm->realm_listen);
if (retval)
goto net_init_error;
- retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
- realm->realm_tcp_listen);
+ tcp_listen = (realm->realm_tcp_listen != NULL) ?
+ realm->realm_tcp_listen : realm->realm_listen;
+ retval = loop_add_tcp_address(KRB5_DEFAULT_PORT, tcp_listen);
if (retval)
goto net_init_error;
}
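Review bot: The fallback passes `realm->realm_listen` to `loop_add_tcp_address`, and that string can carry UNIX domain socket pathnames, since it is also handed to `loop_add_unix_socket` a few lines above and the updated documentation allows them. Whether `loop_add_tcp_address` skips pathname entries is not visible here; if it does not, a configuration that sets only `kdc_listen` with a socket path would now fail at TCP setup. Worth confirming, and recording above the assignment with a comment such as `/* NULL means kdc_tcp_listen was never set: reuse the kdc_listen list. An empty string is kept and disables TCP. */`. The enclosing loop and function extend beyond the hunk.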