Bug#1068249: linux-image-6.1.0-18-amd64: ax201 iwlwifi driver creates millions of 'Unhandled alg: 0x33f0707' messages
Package: src:linux
Version: 6.1.76-1
Severity: important
Tags: upstream

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

The driver fills the eventlog with millions !!! of messages, see below. It
otherwise works. The problem can be reproduced on different NUC systems. These
are used as small servers, run a network bridge and hostapd. There is no
evidence that the problem depends on hostapd. When the connection is idle the
rate of reported errors goes down to a few tens per second. A larger stream of
data (2GByte or so) produces several hundred thousand messages.

   * What led up to the situation?

iwlwifi is loaded with parameters as described in the debian wiki for
AX201 / Intel NUC hardware:

   options iwlwifi 11n_disable=8
   options iwlmvm power_scheme=1

Without power_scheme it frequently drops connections, with power_scheme=1 it
is stable. The effect of 11n_disable is unknown.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Needed to increase network message_cost to reduce logging:

   echo 128 > /proc/sys/net/core/message_cost

   * What was the outcome of this action?
   * What outcome did you expect instead?

A driver that simply works.

*** End of the template - remove these template lines ***

-- Package-specific info:
** Version:
Linux version 6.1.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

** Command line:
root=LABEL=alpha1_vol0 rootflags=subvol=/Volumes/Root-bookworm ro resume=alpha1_swap centauriswitch=static:apoint net.ifnames=0 mitigations=off security= quiet splash loglevel=3

** Not tainted

** Kernel log:
[30911.569896] BTRFS info (device sda4): disk space caching is enabled
[30974.905443] net_ratelimit: 67420 callbacks suppressed
[30974.905457] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.905728] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.906036] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.906356] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.906681] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.907014] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.907319] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.907576] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.908421] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[30974.908744] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.906916] net_ratelimit: 216171 callbacks suppressed
[31102.906930] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.911063] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.911481] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.911817] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.912118] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.912434] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.912758] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.913054] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.913376] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31102.913728] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.911440] net_ratelimit: 221524 callbacks suppressed
[31230.911453] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.911815] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.912192] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.912511] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.912895] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.913217] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.913562] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.913912] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.914255] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31230.915740] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.912228] net_ratelimit: 213726 callbacks suppressed
[31358.912240] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.912554] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.912873] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.914335] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.914433] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.914948] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.915097] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.915459] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.915749] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31358.916034] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.915992] net_ratelimit: 205539 callbacks suppressed
[31486.916005] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.923781] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.924153] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.924548] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.924860] iwlwifi :00:14.3: Unhandled alg: 0x33f0707
[31486.925252] iwlwifi :00:14.3: Unhandled alg: 0x33f0707

Bug#983508: nfs-common: Bullseye/Kernel 5.10 SAMBA AD/DC NFSv4 Kerberos Problem with rpc.gssd
Package: nfs-common
Version: 1:1.3.4-2.5+deb10u1
Severity: important
Tags: upstream

Dear Maintainers

There is a long standing bug (or wrong documentation) in rpc.gssd.
Probably debian uses an outdated version (new upstream version).

I consider this bug as severe because it breaks backward compatibility
since debian bullseye. It might affect most SAMBA AD/DC setups that
were working with buster and fail with bullseye.

PROBLEM

The point is the nfs/... SPN (service principal name) that was historically
used to fill the kerberos machine credential cache. The documentation
explicitly states that rpc.gssd first tries the (windows) machine account
$/... then a SPN (or UPN?) root/... then some others and FINALLY the nfs/...
SPN. But this is wrong, only nfs/... is recognized.

This creates a problem with SAMBA AD/DC setups. Samba uses heimdal
kerberos. A difference between heimdal and MIT are the SPNs. So in SAMBA you
have to add a UPN (like the before mentioned root/...) and to attach the
nfs/... SPN to the UPN. This is how it looks:

   samba-tool user create --random-password --gid-number=100 \
       --gecos="nfs user" --unix-home=/tmp --login-shell=/usr/sbin/nologin \
       root/myhost.centauri.home
   samba-tool user setexpiry --noexpiry root/myhost.centauri.home
   samba-tool spn add nfs/myhost.centauri.home root/myhost.centauri.home

The exported keytab works fine (until kernel 5.9) and allows NFS4 with
kerberos security:

   samba-tool domain exportkeytab xxx.keytab --principal MYHOST$
   samba-tool domain exportkeytab xxx.keytab --principal root/myhost.centauri.home
   samba-tool domain exportkeytab xxx.keytab --principal nfs/myhost.centauri.home

But as the nfs/... SPN seems to be historic, SAMBA only exports weak
encryption keys for nfs/... whereas the machine account and the root/... UPN
have strong encryption:

   klist -e -k /etc/krb5.keytab.old
   Keytab name: FILE:/etc/krb5.keytab.old
   KVNO Principal
   --
      1 alpha1$@CENTAURI.HOME (aes256-cts-hmac-sha1-96)
      1 alpha1$@CENTAURI.HOME (aes128-cts-hmac-sha1-96)
      1 alpha1$@CENTAURI.HOME (arcfour-hmac)
      1 alpha1$@CENTAURI.HOME (des-cbc-md5)
      1 alpha1$@CENTAURI.HOME (des-cbc-crc)
      2 root/alpha1.centauri.h...@centauri.home (aes256-cts-hmac-sha1-96)
      2 root/alpha1.centauri.h...@centauri.home (aes128-cts-hmac-sha1-96)
      2 root/alpha1.centauri.h...@centauri.home (arcfour-hmac)
      2 root/alpha1.centauri.h...@centauri.home (des-cbc-md5)
      2 root/alpha1.centauri.h...@centauri.home (des-cbc-crc)
      2 nfs/alpha1.centauri.h...@centauri.home (arcfour-hmac)
      2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-md5)
      2 nfs/alpha1.centauri.h...@centauri.home (des-cbc-crc)

SOLUTION

This was OK until kernel 5.9 only. Since 5.10 somebody disabled weak
encryption in the kernel part of GSSAPI. Now debian's old rpc.gssd fails.
Probably creating a security problem as NFS mount now tries NFS 3 (without
kerberos).

The SAMBA documentation explains the SAMBA behaviour here:

   https://wiki.samba.org/index.php/Generating_Keytabs

The solution is to explicitly set the supported encryption for the
root/... UPN:

   net ads enctypes set root/myhost.centauri.home 31

A newly created keytab now contains the required encryptions for the nfs/...
SPN. And now NFS4 works with 5.10 / bullseye.

CONCLUSION

The NFS4 / SAMBA / KERBEROS setup is extremely complicated, debian's rpc.gssd
is outdated or buggy and someone tried to improve security by removing
something from the kernel. NFS mounts on bullseye systems may fall back to
NFS3 without kerberos. Not good.

PLEASE

Give users a hint, a useful error message, or fix rpc.gssd.

It took me a long time to identify the reported problem and I am thankful for
a hint that I found in the univention bug tracker.

Yours Jürgen

-- Package-specific info:
-- rpcinfo --
program vers proto port service
104 tcp111 portmapper
103 tcp111 portmapper
102 tcp111 portmapper
104 udp111 portmapper
103 udp111 portmapper
102 udp111 portmapper
-- /etc/default/nfs-common --
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = centauri.home
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nfs-common depends on:
ii adduser 3.118
ii keyutils1.6-6
ii libc6 2.28-10

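The condition this report turns on, a principal (here the nfs/... SPN) whose keytab entries carry no AES key, can be checked before a kernel upgrade. The following is an added example, not part of the bug report or of nfs-utils; the function names and the sample listing (EXAMPLE.TEST principals) are constructed, and it assumes `klist -e -k` output without the `-t` timestamp column.

```shell
#!/bin/sh
# Added example: list keytab principals that have no AES key at all.
# Reads `klist -e -k` output on stdin, prints one principal per line.

principals_without_aes() {
    awk '
        # Entry lines look like: "   2 nfs/host@REALM (arcfour-hmac)"
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            princ = $2
            enc = $NF
            gsub(/[()]/, "", enc)
            # Newer MIT klist prefixes weak enctypes with "DEPRECATED:"
            sub(/^DEPRECATED:/, "", enc)
            # Remember first-seen order so the report is stable
            if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
            if (enc ~ /^aes(128|256)-cts/) aes[princ] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in aes)) print order[i]
        }
    '
}

# Constructed sample listing (not taken from a real system).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ----------------------------------------------------------
   1 HOST1$@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 HOST1$@EXAMPLE.TEST (arcfour-hmac)
   2 root/host1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 root/host1.example.test@EXAMPLE.TEST (des-cbc-md5)
   2 nfs/host1.example.test@EXAMPLE.TEST (DEPRECATED:arcfour-hmac)
   2 nfs/host1.example.test@EXAMPLE.TEST (des-cbc-md5)
   2 nfs/host1.example.test@EXAMPLE.TEST (des-cbc-crc)
EOF
}

# Stand-alone run over the constructed sample.
sample_klist | principals_without_aes
```

On a real host the input would come from `klist -e -k /etc/krb5.keytab | principals_without_aes`; any principal it prints is one the report's scenario would affect.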
Bug#403782: linux-source-2.6.18: realtek 8169 slow (slower than ubuntu)
Package: linux-source-2.6.18
Version: 2.6.18-8
Severity: normal

Hi,

the kernel I use is built from debian source and 2.6.18-8 patches are applied.
The r8169 is on a dlink pci card in a SIS 671 system with a 2.4 GHz P4 CPU.

Symptom: Download speed is ok (25 MB/s) but Upload, e.g. the send speed at
maximum reaches 13 MB/s. This does not happen under Ubuntu 6.10 where I get
25 MB/s in both directions.

You might be amused to read that the 50% send speed reduction also comes for
free with Windows 2003 (driver from dlink cd).

Cables and Hub are ok and were checked against other computers.

I remember that there was a similar bug report a while ago that got closed.
Please merge and reopen.

Yours Juergen

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-8-sis
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)