Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-10-29 Thread Adam D. Barratt
On Wed, 2011-10-26 at 09:05 +0200, Luk Claes wrote:
[...]
  Adam == Adam D Barratt a...@adam-barratt.org.uk writes:
 
 
  Adam The krb5 package was uploaded and I've (somewhat belatedly)
  Adam marked it for acceptance at the next dinstall.  What's the
  Adam status of the nfs-utils upload?
[...]
 Anyway, uploaded now.

Flagged for acceptance at the next dinstall; thanks.

Regards,

Adam




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-10-26 Thread Luk Claes
On 09/12/2011 08:24 PM, Adam D. Barratt wrote:
 On Mon, 2011-09-05 at 12:46 -0400, Sam Hartman wrote:
 Adam == Adam D Barratt a...@adam-barratt.org.uk writes:


 Adam The krb5 package was uploaded and I've (somewhat belatedly)
 Adam marked it for acceptance at the next dinstall.  What's the
 Adam status of the nfs-utils upload?

 My guess is they were waiting for krb5.
 Remember they have to increase build-depends for the krb5 you just
 accepted.
 
 If it requires a versioned build-dependency, then both packages could
 just have been uploaded at the same time.  Even if we accepted them both
 from p-u-NEW together, the buildds would have put nfs-common in to the
 build-deps uninstallable state until the necessary version of krb5 was
 available.

Anyway, uploaded now.

Cheers

Luk






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-10-05 Thread Sam Hartman
It should be fixed in unstable by actually supporting the new enctypes.
While nice, that rather misses the point.






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-10-03 Thread Philipp Kern
On Mon, Sep 05, 2011 at 12:46:13PM -0400, Sam Hartman wrote:
  Adam == Adam D Barratt a...@adam-barratt.org.uk writes:
 Adam The krb5 package was uploaded and I've (somewhat belatedly)
 Adam marked it for acceptance at the next dinstall.  What's the
 Adam status of the nfs-utils upload?
 My guess is they were waiting for krb5.
 Remember they have to increase build-depends for the krb5 you just
 accepted.

AFAICS this now missed the 6.0.3 point release.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern        Debian Developer
: :' :  http://philkern.de Stable Release Manager
`. `'   xmpp:p...@0x539.de Wanna-Build Admin
  `-finger pkern/k...@db.debian.org




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-10-03 Thread Luk Claes
On 10/03/2011 07:20 PM, Philipp Kern wrote:
 On Mon, Sep 05, 2011 at 12:46:13PM -0400, Sam Hartman wrote:
 Adam == Adam D Barratt a...@adam-barratt.org.uk writes:
 Adam The krb5 package was uploaded and I've (somewhat belatedly)
 Adam marked it for acceptance at the next dinstall.  What's the
 Adam status of the nfs-utils upload?
 My guess is they were waiting for krb5.
 Remember they have to increase build-depends for the krb5 you just
 accepted.
 
 AFAICS this now missed the 6.0.3 point release.

Upstream did some changes related to this which should fix it in
unstable for the squeeze - 2.6.35 kernel range. Kernels afterwards
should not have the problem.

It would be good if someone could confirm that it is really fixed in
unstable now.

Cheers

Luk






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-09-12 Thread Adam D. Barratt
On Mon, 2011-09-05 at 12:46 -0400, Sam Hartman wrote:
  Adam == Adam D Barratt a...@adam-barratt.org.uk writes:
 
 
 Adam The krb5 package was uploaded and I've (somewhat belatedly)
 Adam marked it for acceptance at the next dinstall.  What's the
 Adam status of the nfs-utils upload?
 
 My guess is they were waiting for krb5.
 Remember they have to increase build-depends for the krb5 you just
 accepted.

If it requires a versioned build-dependency, then both packages could
just have been uploaded at the same time.  Even if we accepted them both
from p-u-NEW together, the buildds would have put nfs-common in to the
build-deps uninstallable state until the necessary version of krb5 was
available.

Regards,

Adam







Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-09-05 Thread Sam Hartman
 Adam == Adam D Barratt a...@adam-barratt.org.uk writes:


Adam The krb5 package was uploaded and I've (somewhat belatedly)
Adam marked it for acceptance at the next dinstall.  What's the
Adam status of the nfs-utils upload?

My guess is they were waiting for krb5.
Remember they have to increase build-depends for the krb5 you just
accepted.






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-09-04 Thread Adam D. Barratt
On Fri, 2011-08-05 at 19:09 +0200, Philipp Kern wrote:
 On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
  I've attached the patches for both packages to this mail.  Phil, is it ok
  for these to be uploaded to stable-proposed-updates?  This fixes a bug that
  makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
  wheezy).
 
 Please go ahead.  I really hope that the regression potential is low
 for existing clients.  Let's hope we find it out before the point
 release.  (The change in nfs-utils is stretching the guidelines a bit.)

The krb5 package was uploaded and I've (somewhat belatedly) marked it
for acceptance at the next dinstall.  What's the status of the nfs-utils
upload?

Regards,

Adam







Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-08 Thread Sam Hartman
I expect to get to the krb5 package in a day or so. I expect nfs-utils
will want to up its build-depends on krb5 to 1.8.3+dfsg-4squeeze2






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-05 Thread Philipp Kern
On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
 On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
  I don't have checkouts handy, but my strong suspicion is that if someone
  is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
  there isn't an argument slot, you can leave it off.
  gss_c_nt_hostbased_service has always been the default for gssd.
 
 Ok, thanks.  I've built packages of nfs-utils and krb5 using the referenced
 backported patches, and can confirm that I'm now able to connect
 successfully from an nfs-utils 1.2.4 client without having to set
 permitted_enctypes on the server.
 
 I've attached the patches for both packages to this mail.  Phil, is it ok
 for these to be uploaded to stable-proposed-updates?  This fixes a bug that
 makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
 wheezy).

Please go ahead.  I really hope that the regression potential is low
for existing clients.  Let's hope we find it out before the point
release.  (The change in nfs-utils is stretching the guidelines a bit.)

Kind regards
Philipp Kern




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-03 Thread Philipp Kern
On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
 On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
  I don't have checkouts handy, but my strong suspicion is that if someone
  is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
  there isn't an argument slot, you can leave it off.
  gss_c_nt_hostbased_service has always been the default for gssd.
 
 Ok, thanks.  I've built packages of nfs-utils and krb5 using the referenced
 backported patches, and can confirm that I'm now able to connect
 successfully from an nfs-utils 1.2.4 client without having to set
 permitted_enctypes on the server.

Why is the nfs-utils patch needed again?  To be able to run nfs-utils
in squeeze with a newer kernel?

Kind regards
Philipp Kern




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-03 Thread Sam Hartman
 Philipp == Philipp Kern pk...@debian.org writes:

Philipp On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
 On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
  I don't have checkouts handy, but my strong suspicion is that if
 someone  is now passing in GSS_C_NT_HOSTBASED_SERVICE into
 gssd_acquire_cred and  there isn't an argument slot, you can
 leave it off.   gss_c_nt_hostbased_service has always been the
 default for gssd.
 
 Ok, thanks.  I've built packages of nfs-utils and krb5 using the
 referenced backported patches, and can confirm that I'm now able
 to connect successfully from an nfs-utils 1.2.4 client without
 having to set permitted_enctypes on the server.

Philipp Why is the nfs-utils patch needed again?  To be able to run
Philipp nfs-utils in squeeze with a newer kernel?

No.  The issue is that sid clients will ask a squeeze server to do
something the squeeze kernel can't handle.  However, rather than asking
the kernel you ask the nfs-utils userspace.  The squeeze krb5 can handle
the new encryption type and so it negotiates something, tries to stuff
it into the kernel, and doesn't even know how to do that.

The krb5 patch revises an existing API which allows userspace to tell
krb5 about the kernel capabilities to apply to the server as well as the
client.

The nfs-utils patch tells the server userspace code to call that
existing API which is only called on the client in squeeze.

The failure mode is that without both patches, squeeze servers fail to
work with sid clients running sid kernels.

--Sam






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-01 Thread Steve Langasek
reassign 622146 nfs-kernel-server,src:krb5
found 622146 nfs-kernel-server/1:1.2.2-4
found 622146 src:krb5/1.8.3+dfsg-4
fixed 622146 nfs-kernel-server/1:1.2.4-1
fixed 622146 src:krb5/1.9.1+dfsg-1
tags 622146 patch
thanks

On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
 I don't have checkouts handy, but my strong suspicion is that if someone
 is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
 there isn't an argument slot, you can leave it off.
 gss_c_nt_hostbased_service has always been the default for gssd.

Ok, thanks.  I've built packages of nfs-utils and krb5 using the referenced
backported patches, and can confirm that I'm now able to connect
successfully from an nfs-utils 1.2.4 client without having to set
permitted_enctypes on the server.

I've attached the patches for both packages to this mail.  Phil, is it ok
for these to be uploaded to stable-proposed-updates?  This fixes a bug that
makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
wheezy).

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze2) stable-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Pull R24603 in MIT upstream subversion to fix support for NFS servers
+on kernels that only support DES.  Closes: #622146.
+
+ -- Steve Langasek vor...@debian.org  Fri, 22 Jul 2011 05:07:02 -0700
+
 krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
 
   * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/lib/gssapi/krb5/accept_sec_context.c
+++ krb5-1.8.3+dfsg/src/lib/gssapi/krb5/accept_sec_context.c
@@ -583,6 +583,15 @@
 goto fail;
 }
 
+/* Limit the encryption types negotiated (if requested). */
+if (cred-req_enctypes) {
+if ((code = krb5_set_default_tgs_enctypes(context,
+  cred-req_enctypes))) {
+major_status = GSS_S_FAILURE;
+goto fail;
+}
+}
+
 if ((code = krb5_rd_req(context, auth_context, ap_req,
 cred-default_identity ? NULL : cred-name-princ,
 cred-keytab,
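Review bot: In the added block and in the context lines below it, the member accesses read `cred-req_enctypes`, `cred-default_identity` and `cred-name-princ`, which as written are subtractions and will not compile; the `->` operators have evidently lost their `>` in this inline copy, and the indentation is gone as well. Please apply the hunk from the patch attached to the mail rather than from the message body, and confirm the resulting source reads `cred->req_enctypes` before building.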
diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog
--- nfs-utils-1.2.2/debian/changelog	2010-08-26 16:11:45.0 -0700
+++ nfs-utils-1.2.2/debian/changelog	2011-08-01 01:28:03.0 -0700
@@ -1,3 +1,11 @@
+nfs-utils (1:1.2.2-4squeeze1) stable-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+for bug #622146.
+
+ -- Steve Langasek steve.langa...@ubuntu.com  Tue, 19 Jul 2011 20:54:17 +
+
 nfs-utils (1:1.2.2-4) unstable; urgency=low
 
   * mountd: fix path comparison for v4 crossmnt (Closes: #578317)
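Review bot: The entry says only "Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream", but earlier in this thread that commit was reported not to apply cleanly to 1.2.2 because the number of arguments to gssd_acquire_cred differs, so what ships is presumably an adapted backport. The changelog should say so and name the adaptation, and for a stable update it should describe the effect (the server-side userspace now restricts the negotiated enctypes) rather than only a commit hash. The trailer date of 19 Jul 2011 also predates the 2011-08-01 timestamp in the file header; refresh it before upload.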
diff -Nru nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch
--- nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch	1969-12-31 16:00:00.0 -0800
+++ nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch	2011-08-01 01:33:21.0 -0700
@@ -0,0 +1,413 @@
+Description: Upstream changes introduced in version 1:1.2.2-4.1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ nfs-utils (1:1.2.2-4.1) UNRELEASED; urgency=low
+ .
+   * Non-maintainer upload.
+   * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+ for bug #622146.
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Steve Langasek steve.langa...@ubuntu.com
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: vendor|upstream|other, url of original patch
+Bug: url in upstream bugtracker
+Bug-Debian: http://bugs.debian.org/bugnumber
+Bug-Ubuntu: https://launchpad.net/bugs/bugnumber
+Forwarded: no|not-needed|url proving that it has been forwarded
+Reviewed-By: name and email of someone who approved the patch
+Last-Update: -MM-DD
+
+--- /dev/null
 nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.c
+@@ -0,0 +1,200 @@
++/*
++ * COPYRIGHT (c) 2011
++ * The Regents of the University of Michigan
++ * ALL RIGHTS RESERVED
++ *
++ * Permission is granted to use, copy, create derivative works
++ * and redistribute this software 
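Review bot: The header of 16-negotiate-des-only.patch is the unedited dpkg-source template: the Description is the generated "Upstream changes introduced in version 1:1.2.2-4.1" text, the supplementary fields (Origin, Bug-Debian, Forwarded, Last-Update) are still the placeholder list below the `---` line, and the embedded changelog names version 1:1.2.2-4.1 UNRELEASED while debian/changelog uploads 1:1.2.2-4squeeze1. Replace it with a real DEP-3 header: a one-line description of the enctype limiting, Origin pointing at upstream commit d6c1b35c6b40243bfd6fba2591c9f8f2653078c0, and Bug-Debian pointing at #622146.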

Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-08-01 Thread Sam Hartman
If I get an ack from SRM I'll do the krb5 upload.






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-07-19 Thread Steve Langasek
Hi Sam,

I've also run into this bug, in the context of preparing to update nfs-utils
in Ubuntu for IPv6 support.  My NFS server is running squeeze, and updating
causes the client and server to fail to negotiate as described.

It seems that it's possible to work around it by adding this single line to
the server:

permitted_enctypes = des-cbc-crc

in addition to the 'allow_weak_crypto = true' that was already there.

But what's confusing is that before this change, I had a DES3 *only* key for
this server, and everything was working!  How could that be if the server
didn't support the DES3?

To work around this problem locally without having to set permitted_enctypes
for all other services on the NFS server, I've added a new separate
krb5.conf file under /etc, and am setting KRB5_CONFIG in
/etc/init.d/nfs-kernel-server to point to that path.

You mention that fixing this properly requires backporting patches to both
nfs-utils and krb5.  Could you provide a reference for the krb5 patch?  (I
assume the nfs-utils one is the one Luk already linked to)  I'm potentially
willing to help with getting this into a stable update.

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org
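
Several messages in this thread trade single-DES krb5.conf workarounds (`allow_weak_crypto`, `permitted_enctypes`, `default_tgs_enctypes`, and the mistyped `enable_weak_crypto`), and hosts tend to keep such settings long after the packages are fixed. The following Python check for them is an added example, not code from the thread or from either package; the sample configuration is constructed and the finding names are this example's own.

```python
"""Audit krb5.conf [libdefaults] for the single-DES workarounds from this thread."""
import re

# Strings MIT krb5's profile library treats as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Single-DES enctype names; des3-* is a different family and is not flagged.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes",
                "default_tkt_enctypes")

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    enable_weak_crypto = yes
    allow_weak_crypto=true
    permitted_enctypes = des-cbc-crc
    default_tgs_enctypes = DES-CBC-CRC, des-cbc-md5

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        permitted_enctypes = des-cbc-md5
    }
"""


def parse_libdefaults(text):
    """Return {key: value} for top-level relations in [libdefaults].

    Relations inside { } subsections and in other sections are skipped.
    If a key repeats, the first occurrence is kept (a choice made by this
    example).
    """
    settings, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), value.strip())
    return settings


def split_enctypes(value):
    """Enctype lists are separated by commas and/or whitespace."""
    return [e.lower() for e in re.split(r"[,\s]+", value) if e]


def audit(text):
    """Return a list of (finding, key) tuples for DES-related settings."""
    conf = parse_libdefaults(text)
    findings = []
    # The thread corrects this name: the real setting is allow_weak_crypto.
    if "enable_weak_crypto" in conf:
        findings.append(("unknown-key", "enable_weak_crypto"))
    weak = conf.get("allow_weak_crypto", "").lower() in TRUE_VALUES
    if weak:
        findings.append(("weak-crypto-enabled", "allow_weak_crypto"))
    des_listed = False
    for key in ENCTYPE_KEYS:
        if key not in conf:
            continue
        enctypes = split_enctypes(conf[key])
        des = [e for e in enctypes if e in SINGLE_DES]
        if not des:
            continue
        des_listed = True
        kind = "des-only" if len(des) == len(enctypes) else "des-listed"
        findings.append((kind, key))
    # With allow_weak_crypto off, weak enctypes are filtered out of these
    # lists, so a DES entry there has no effect (or leaves the list empty).
    if des_listed and not weak:
        findings.append(("des-without-weak-crypto", "allow_weak_crypto"))
    return findings


if __name__ == "__main__":
    for finding, key in audit(SAMPLE_CONF):
        print(f"{key}: {finding}")
```

Point it at the contents of `/etc/krb5.conf` and at any separate file referenced through `KRB5_CONFIG`, since one workaround described above moves the DES-only settings into a second file.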




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-07-19 Thread Sam Hartman
 Steve == Steve Langasek vor...@debian.org writes:

Steve Hi Sam, I've also run into this bug, in the context of
Steve preparing to update nfs-utils in Ubuntu for IPv6 support.  My
Steve NFS server is running squeeze, and updating causes the client
Steve and server to fail to negotiate as described.

Your nfs server is squeeze and your client was squeeze but is now more
than squeeze?

(substitute ubuntu releases with pre-ipv6 nfs-utils as appropriate for
squeeze?)

R24603 in MIT upstream subversion.

See attached.

I'm happy to interact with SRM for the krb5 side of it.  However, the
bug as reported didn't seem to be this one because the server involved
was older than squeeze.

so I didn't actually have any users requesting a solution to a problem
I knew how to solve.  If you have a problem that this krb5 patch and the
mentioned nfs-utils patch solve then we definitely should propose a
backport to SRM.  I'll be happy to prepare krb5 packages.


From 82affd78ac2c2b13bacf8e004f13f2d0dba5acea Mon Sep 17 00:00:00 2001
From: ghudson ghudson@dc483132-0cff-0310-8789-dd5450dbe970
Date: Tue, 25 Jan 2011 00:23:48 +
Subject: [PATCH] ticket: 6852
 subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
 target_version: 1.9.1
 tags: pullup

With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab.  If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation.  We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.


git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/accept_sec_context.c |9 +
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9d40f68..c3cb2f1 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -623,6 +623,15 @@ kg_accept_krb5(minor_status, context_handle,
 goto fail;
 }
 
+/* Limit the encryption types negotiated (if requested). */
+if (cred-req_enctypes) {
+if ((code = krb5_set_default_tgs_enctypes(context,
+  cred-req_enctypes))) {
+major_status = GSS_S_FAILURE;
+goto fail;
+}
+}
+
 if ((code = krb5_rd_req(context, auth_context, ap_req,
 cred-default_identity ? NULL : cred-name-princ,
 cred-keytab,
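Review bot: The new comment says the block limits the negotiated encryption types, but the call it guards is krb5_set_default_tgs_enctypes(), and nothing in the hunk explains why changing the context's default TGS enctypes constrains what the acceptor negotiates in the krb5_rd_req() call that follows. A sentence in the comment tying the two together, and naming gss_krb5_set_allowable_enctypes as the source of req_enctypes (as the commit message does), would save the next reader a trip through the library. The diffstat also shows only accept_sec_context.c changing, so the acceptor path with req_enctypes set arrives without a test.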
-- 
1.7.4.1



Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-07-19 Thread Steve Langasek
On Tue, Jul 19, 2011 at 02:31:36PM -0400, Sam Hartman wrote:
  Steve == Steve Langasek vor...@debian.org writes:

 Steve Hi Sam, I've also run into this bug, in the context of
 Steve preparing to update nfs-utils in Ubuntu for IPv6 support.  My
 Steve NFS server is running squeeze, and updating causes the client
 Steve and server to fail to negotiate as described.

 Your nfs server is squeeze and your client was squeeze but is now more
 than squeeze?

 (substitute ubuntu releases with pre-ipv6 nfs-utils as appropriate for
 squeeze?)

Yes - Ubuntu currently has an nfs-utils package based on 1:1.2.2-4 (precisely
the version in squeeze), and I'm in the process of updating it to 1.2.4.

 R24603 in MIT upstream subversion.

 See attached.

Thanks!

 I'm happy to interact with SRM for the krb5 side of it.  However, the
 bug as reported didn't seem to be this one because the server involved
 was older than squeeze.

Oh, the original report said that the problem happened with a squeeze
server.  Only agi reported it with a lenny server.

 so I didn't actually have any users requesting a solution to a problem
 I knew how to solve.  If you have a problem that this krb5 patch and the
 mentioned nfs-utils patch solve then we definitely should propose a
 backport to SRM.  I'll be happy to prepare krb5 packages.

So the originally linked patch for nfs-utils,
http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=d6c1b35c6b40243bfd6fba2591c9f8f2653078c0,
doesn't apply cleanly against the nfs-utils 1.2.2 in squeeze; it appears to
have some prerequisites. (The number of args to gssd_acquire_cred has
changed.)  Anyone know which commits we need here?  Or should I just rewrite
gssd_acquire_cred(NULL, GSS_C_NT_HOSTBASED_SERVICE) to
gssd_acquire_cred(NULL)?

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-07-19 Thread Sam Hartman
I don't have checkouts handy, but my strong suspicion is that if someone
is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
there isn't an argument slot, you can leave it off.
gss_c_nt_hostbased_service has always been the default for gssd.






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-09 Thread Alberto Gonzalez Iniesta
On Wed, Jun 08, 2011 at 02:10:32PM -0400, Sam Hartman wrote:
 Hi.
 I was missing some context here.
 
 My suspicion is that things will work
 if you add
 permitted_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
 to the configuration of the nfs server
 
 And make sure that the nfs principal on the NFS server has nothing but a
 des-cbc-crc key in the KDC database.
 That is
 kadmin.local: getprinc nfs/machine_name
 should only list DES keys.
Hi Sam,

Thanks for looking into this.
I'd rather not touch anything in the server, since +100 clients are
using it.

 If you satisfy all of these conditions then I *think* that a sid client
 can connect to a squeeze server.

Humm, the server is (right now) lenny in my case.

 It may also work to make the following config changes on the client:
 
 default_tgs_enctypes = des-cbc-crc
 
 and no config changes on the server.

Did that, no luck :-(

I really wonder how I made it work last time...

Now I have (not working):

agi@lib:~$ grep cbc /etc/krb5.conf 
permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
agi@lib:~$ grep weak /etc/krb5.conf
allow_weak_crypto = yes

And only the des-cbc-crc:normal key on this host's keytab.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-09 Thread Sam Hartman
OK, I have no clue nor really any interest in debugging DES.

There is a real bug here introduced in krb5 1.7 which added enctype
negotiation. I'd expect that to create some problems for sid clients
talking to squeeze servers.  There's a solution to that which involves
backporting the nfs-utils patch mentioned earlier in this bug to squeeze
and backporting a krb5 patch that depends on to squeeze.  I'm certainly
happy to backport the krb5 patch if the stable release managers approve.

However, that won't help you. I don't understand how you're seeing that
issue because the code that causes the problem is introduced into krb5
1.7 and lenny has krb5 1.6. If the server doesn't support the
negotiation feature, it is not used.






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-08 Thread Sam Hartman
Hi.
I was missing some context here.

My suspicion is that things will work
if you add
permitted_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
to the configuration of the nfs server

And make sure that the nfs principal on the NFS server has nothing but a
des-cbc-crc key in the KDC database.
That is
kadmin.local: getprinc nfs/machine_name
should only list DES keys.

If you satisfy all of these conditions then I *think* that a sid client
can connect to a squeeze server.

It may also work to make the following config changes on the client:

default_tgs_enctypes = des-cbc-crc

and no config changes on the server.


Clearly, this is all non-ideal.
Once we confirm what's going on, we can look into backporting some fixes
to this issue introduced into MIT Kerberos and nfs-utils.


--Sam






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-07 Thread Luk Claes
On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
 Adding the following line in the [libdefaults] section of /etc/krb5.conf
 fixed the problem for me (tm), probably not the best solution, but
 works:
 permitted_enctypes = des-cbc-md5

It's probably better to set enable_weak_crypto=yes, does that work?

 I also exported ONLY the DES-CBC-MD5:NORMAL key for my sid host:
 kadmin.local: ktadd -k lib.keytab -e DES-CBC-MD5:NORMAL  host/lib
 (probably not needed, but just to stay on the safe side)

Cheers

Luk






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-07 Thread Luk Claes
On 06/07/2011 07:01 PM, Luk Claes wrote:
 On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
 Adding the following line in the [libdefaults] section of /etc/krb5.conf
 fixed the problem for me (tm), probably not the best solution, but
 works:
 permitted_enctypes = des-cbc-md5
 
 It's probably better to set enable_weak_crypto=yes, does that work?

'allow_weak_crypto = true', that is.

 I also exported ONLY the DES-CBC-MD5:NORMAL key for my sid host:
 kadmin.local: ktadd -k lib.keytab -e DES-CBC-MD5:NORMAL  host/lib
 (probably not needed, but just to stay on the safe side)

Cheers

Luk






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-07 Thread Sam Hartman
 Luk == Luk Claes l...@debian.org writes:

Luk On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
 Adding the following line in the [libdefaults] section of
 /etc/krb5.conf fixed the problem for me (tm), probably not the
 best solution, but works: permitted_enctypes = des-cbc-md5

Luk It's probably better to set enable_weak_crypto=yes, does that
Luk work?

Hi.
I think I gave Luk the wrong setting.
It's allow_weak_crypto = yes not enable_weak_crypto = yes.

You should not have to set permitted_enctypes.
Enabling weak_crypto and only setting the des-cbc-crc key with ktadd in
kadmin is supposed to be sufficient.

--Sam






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-06-07 Thread Alberto Gonzalez Iniesta
On Tue, Jun 07, 2011 at 01:10:23PM -0400, Sam Hartman wrote:
  Luk == Luk Claes l...@debian.org writes:
 
 Luk On 06/06/2011 05:37 PM, Alberto Gonzalez Iniesta wrote:
  Adding the following line in the [libdefaults] section of
  /etc/krb5.conf fixed the problem for me (tm), probably not the
  best solution, but works: permitted_enctypes = des-cbc-md5
 
 Luk It's probably better to set enable_weak_crypto=yes, does that
 Luk work?
 
 Hi.
 I think I gave Luk the wrong setting.
 It's allow_weak_crypto = yes not enable_weak_crypto = yes.
 
 You should not have to set permitted_enctypes.
 Enabling weak_crypto and only setting the des-cbc-crc key with ktadd in
 kadmin is supposed to be sufficient.

I have both set:
allow_weak_crypto=true
permitted_enctypes = des-cbc-md5

And only the... wait I have des-cbc-md5 IIRC, not des-cbc-crc. I'll
check that tomorrow. 

But it's not working after the last upgrade. When I posted yesterday I
was running a sid version from a couple of weeks ago. Probably 1.9,
sorry can't remember now.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-11 Thread Luk Claes
On 04/10/2011 08:45 PM, Rico Rommel wrote:
 On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
 On 04/10/2011 06:10 PM, Rico Rommel wrote:
 On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
 On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:

 I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
 tried a rebuild using librpcsecgss3.
 But librpcsecgss3 conflicts with the now used libtirpc1, which provides
 ipv6 support to nfs. (as I understood)

 Does removing librpcsecgss3 solve the problem?
 
 No, it doesn't make any difference. 
 librpcsecgss3 isn't used by nfs-common 1.2.3-2

What kernel version are you using on the clients? If you're not using
sid's kernel, does upgrading to a recent kernel (and rebooting
obviously) solve anything?

If that also does not work, I guess we could prepare an upload
containing support to limit the negotiated enctypes [1] to see if that
helps.

Cheers

Luk

[1]
http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=d6c1b35c6b40243bfd6fba2591c9f8f2653078c0







Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-11 Thread Rico Rommel
On Monday, 11 April 2011, 18:28:45, Luk Claes wrote:
 On 04/10/2011 08:45 PM, Rico Rommel wrote:
  On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
  On 04/10/2011 06:10 PM, Rico Rommel wrote:
  On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
  On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
  I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
  tried a rebuild using librpcsecgss3.
  But librpcsecgss3 conflicts with the now used libtirpc1, which provides
  ipv6 support to nfs. (as i understood)
  
  Does removing librpcsecgss3 solve the problem?
  
  No, it doesn't make any difference.
  librpcsecgss3 isn't used by nfs-common 1.2.3-2
 
 What kernel version are you using on the clients? If you're not using
 sid's kernel, does upgrading to a recent kernel (and rebooting
 obviously) solve anything?

The clients are running 2.6.38-2 (amd64) from sid.





Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-10 Thread Rico Rommel
Package: nfs-common
Version: 1:1.2.2-4
Severity: normal
Tags: ipv6

After installing nfs-common 1:1.2.3-2 on clients (unstable), the
nfs-kernel-server in squeeze denies access for kerberized nfs exports.

syslog on the server (squeeze) gives:

rpc.svcgssd[1049]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
rpc.svcgssd[1049]: ERROR: failed serializing krb5 context for kernel
rpc.svcgssd[1049]: WARNING: handle_nullreq: serialize_context_for_kernel failed

and

qword_eol: fflush failed: errno 38 (Function not implemented)

A workaround is to upgrade the server's version of nfs-kernel-server and nfs-common
to 1:1.2.3-2 and linux-image to 2.6.38, but these packages are not part of
squeeze.



-- System Information:
Debian Release: wheezy/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nfs-common depends on:
ii  adduser            3.112+nmu2       add and remove users and groups
ii  initscripts        2.88dsf-13.1     scripts for initializing and shutt
ii  libc6              2.11.2-13        Embedded GNU C Library: Shared lib
ii  libcap2            1:2.20-1         support for getting/setting POSIX.
ii  libcomerr2         1.41.12-2        common error description library
ii  libevent-1.4-2     1.4.13-stable-1  An asynchronous event notification
ii  libgssapi-krb5-2   1.9+dfsg-1       MIT Kerberos runtime libraries - k
ii  libgssglue1        0.2-2            mechanism-switch gssapi library
ii  libk5crypto3       1.9+dfsg-1       MIT Kerberos runtime libraries - C
ii  libkrb5-3          1.9+dfsg-1       MIT Kerberos runtime libraries
ii  libnfsidmap2       0.24-1           An nfs idmapping library
ii  librpcsecgss3      0.19-2           allows secure rpc communication us
ii  libwrap0           7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base           3.2-27           Linux Standard Base 3.2 init scrip
ii  netbase            4.45             Basic TCP/IP networking system
ii  rpcbind [portmap]  0.2.0-6          converts RPC program numbers into
ii  ucf                3.0025+nmu1      Update Configuration File: preserv

nfs-common recommends no packages.

nfs-common suggests no packages.

-- no debconf information
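
One way to spot this failure in a server's syslog, as an added example that is not part of the original report: the script groups rpc.svcgssd lines by PID and counts complete runs of the three messages quoted in the report, plus the `errno 38` line. The timestamps, host name, the second PID and the daemon prefix on the `qword_eol` line are constructed.

```python
import re
from collections import defaultdict

# Messages quoted in the bug report, in the order rpc.svcgssd logged them.
SIGNATURE = (
    "ERROR: prepare_krb5_rfc_cfx_buffer: not implemented",
    "ERROR: failed serializing krb5 context for kernel",
    "WARNING: handle_nullreq: serialize_context_for_kernel failed",
)
SVCGSSD = re.compile(r"rpc\.svcgssd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
ENOSYS = re.compile(r"qword_eol: fflush failed: errno 38\b")

# Constructed sample: timestamps, host name, PID 2211 and the daemon prefix
# on the qword_eol line are made up; message texts and PID 1049 are from the report.
SAMPLE = """\
Apr 10 17:40:01 nfssrv rpc.svcgssd[1049]: ERROR: prepare_krb5_rfc_cfx_buffer: not implemented
Apr 10 17:40:01 nfssrv rpc.svcgssd[1049]: ERROR: failed serializing krb5 context for kernel
Apr 10 17:40:01 nfssrv rpc.svcgssd[2211]: ERROR: failed serializing krb5 context for kernel
Apr 10 17:40:01 nfssrv rpc.svcgssd[1049]: WARNING: handle_nullreq: serialize_context_for_kernel failed
Apr 10 17:40:02 nfssrv rpc.svcgssd[1049]: qword_eol: fflush failed: errno 38 (Function not implemented)
Apr 10 17:41:10 nfssrv sshd[900]: Accepted publickey for admin
"""

def triage(lines):
    """Return {pid: counts} for PIDs that logged a full SIGNATURE run or ENOSYS."""
    progress = defaultdict(int)  # pid -> index of the next expected message
    report = defaultdict(lambda: {"cfx_failures": 0, "enosys": 0})
    for line in lines:
        m = SVCGSSD.search(line)
        # Lines without the daemon prefix are only checked for the errno 38 text.
        pid, msg = (m["pid"], m["msg"].strip()) if m else ("unknown", line)
        if ENOSYS.search(msg):
            report[pid]["enosys"] += 1
        if not m:
            continue
        if msg == SIGNATURE[progress[pid]]:
            progress[pid] += 1          # next message of the run, in order
        elif msg == SIGNATURE[0]:
            progress[pid] = 1           # a new run started before the old one ended
        else:
            progress[pid] = 0           # partial or unrelated: not the signature
        if progress[pid] == len(SIGNATURE):
            report[pid]["cfx_failures"] += 1
            progress[pid] = 0
    return dict(report)

if __name__ == "__main__":
    for pid, counts in triage(SAMPLE.splitlines()).items():
        print(pid, counts)
```

A non-zero `cfx_failures` count on a server means rpc.svcgssd could not hand the negotiated Kerberos context to the kernel, which is the symptom this bug describes.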






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-10 Thread Rico Rommel
On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
 On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
  Package: nfs-common
  Version: 1:1.2.2-4
  Severity: normal
  Tags: ipv6
 
 [...]
 
 Why ipv6?
 
 Ben.

I noticed that nfs-common doesn't depend on librpcsecgss3 anymore and tried a
rebuild using librpcsecgss3.
But librpcsecgss3 conflicts with the now used libtirpc1, which provides ipv6
support to nfs (as I understood).






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-10 Thread Ben Hutchings
On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
 Package: nfs-common
 Version: 1:1.2.2-4
 Severity: normal
 Tags: ipv6
[...]

Why ipv6?

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.




Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-10 Thread Luk Claes
On 04/10/2011 06:10 PM, Rico Rommel wrote:
 On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
 On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
 Package: nfs-common
 Version: 1:1.2.2-4
 Severity: normal
 Tags: ipv6

 [...]

 Why ipv6?

 Ben.
 
 I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and tried a
 rebuild using librpcsecgss3.
 But librpcsecgss3 conflicts with the now used libtirpc1, which provides ipv6
 support to nfs. (as i understood)

Does removing librpcsecgss3 solve the problem?

Cheers

Luk






Bug#622146: nfs-common: compatibility between squeeze and sid broken

2011-04-10 Thread Rico Rommel
On Sunday, 10 April 2011, 20:09:36, Luk Claes wrote:
 On 04/10/2011 06:10 PM, Rico Rommel wrote:
  On Sunday, 10 April 2011, 17:57:11, Ben Hutchings wrote:
  On Sun, 2011-04-10 at 17:48 +0200, Rico Rommel wrote:
  Package: nfs-common
  Version: 1:1.2.2-4
  Severity: normal
  Tags: ipv6
  
  [...]
  
  Why ipv6?
  
  Ben.
  
  I noticed, that nfs-common doesn't depend on librpcsecgss3 anymore and
  tried a rebuild using librpcsecgss3.
  But librpcsecgss3 conflicts with the now used libtirpc1, which provides
  ipv6 support to nfs. (as i understood)
 
 Does removing librpcsecgss3 solve the problem?

No, it doesn't make any difference. 
librpcsecgss3 isn't used by nfs-common 1.2.3-2

Rico

