Your message dated Mon, 24 Oct 2022 09:31:59 +0300
with message-id <[email protected]>
and subject line Re: Bug#991767: samba: Attempt to change password over IPv6
using kpasswd fails on AD DC server
has caused the Debian Bug report #991767,
regarding samba: Attempt to change password over IPv6 using kpasswd fails on AD
DC server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba
Version: 2:4.13.5+dfsg-2
Severity: normal
Dear Maintainer,
After upstream commit 43c808f2ff907497dfff0988ff90a48fdcfc16ef any
attempt to change a password over IPv6 fails on the server side. Samba
generates the following log entries (on the domain controller):
Starting GENSEC mechanism krb5
Failed to start GENSEC server mech krb5: NT_STATUS_INTERNAL_ERROR
On the client side the request to change the password results in the
following message after a delay of a couple of seconds:
kpasswd: Cannot contact any KDC for requested realm changing
password
Upstream commit 43c808f2ff907497dfff0988ff90a48fdcfc16ef changed calls
to tsocket_address_bsd_sockaddr() in gensec_krb5.c such that IPv6
addresses will be rejected.
Affected are all upstream releases from branches 4.14 and 4.13. Older
branches / releases are not affected.
On the distro side, this bug affects soon to be released Debian
Bullseye, it does neither affect current stable Debian Buster nor Ubuntu
Focal (LTS).
Upstream bug (fixed in upstream release 4.13.10):
https://bugzilla.samba.org/show_bug.cgi?id=14750
-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 11.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing'), (90,
'unstable'), (1, 'experimental') Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8),
LANGUAGE=C.UTF-8 Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.9
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13
ii libgnutls30 3.7.1-5
ii libldb2 2:2.2.0-3.1
ii libpam-modules 1.4.0-9
ii libpam-runtime 1.4.0-9
ii libpopt0 1.18-2
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.1-2+b1
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.3-1+b1
ii libtevent0 0.10.2-1
ii libwbclient0 2:4.13.5+dfsg-2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
ii python3-samba 2:4.13.5+dfsg-2
ii samba-common 2:4.13.5+dfsg-2
ii samba-common-bin 2:4.13.5+dfsg-2
ii samba-libs 2:4.13.5+dfsg-2
ii tdb-tools 1.4.3-1+b1
Versions of packages samba recommends:
ii attr 1:2.4.48-6
ii logrotate 3.18.0-2
ii python3-markdown 3.3.4-1
ii samba-dsdb-modules 2:4.13.5+dfsg-2
ii samba-vfs-modules 2:4.13.5+dfsg-2
Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
ii ldb-tools 2:2.2.0-3.1
pn ntp | chrony <none>
pn smbldap-tools <none>
pn ufw <none>
pn winbind <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2:4.13.13+dfsg-1
On 23.10.2022 23:21, Andrew Bartlett wrote:
Given that Debian 11 Bullseye has 4.13.13 now I think this can be closed as
fixed.
Thank you for the info.
This is fixed in 4.13.10 by the following commit:
commit c1662a8122011aa550b2ae2325de97c6f57e1485
Author: Stefan Metzmacher <[email protected]>
Date: Fri Jul 2 09:37:25 2021 +0200
gensec_krb5: restore ipv6 support for kpasswd
We need to offer as much space we have in order to
get the address out of tsocket_address_bsd_sockaddr().
This fixes a regression in commit
43c808f2ff907497dfff0988ff90a48fdcfc16ef.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 0388a8f33bdde49f1cc805a0291859203c1a52b4)
/mjt
--- End Message ---
