[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#622146: nfs-common: compatibility between squeeze and sid broken

>>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:

    Steve> Hi Sam, I've also run into this bug, in the context of
    Steve> preparing to update nfs-utils in Ubuntu for IPv6 support.  My
    Steve> NFS server is running squeeze, and updating causes the client
    Steve> and server to fail to negotiate as described.

Your nfs server is squeeze and your client was squeeze but is now more
than squeeze?

(substitute ubuntu releases with pre-ipv6 nfs-utils as appropriate for

R24603 in MIT upstream subversion.

See attached.

I'm happy to interact with SRM for the krb5 side of it.  However, the
bug as reported didn't seem to be this one because the server involved
was older than squeeze.

so I didn't actually have any users rrequesting a solution to a problem
I knew how to solve.  If you have a problem that this krb5 patch and the
mentioned nfs-utils patch solve then we definitely should propose a
backport to SRM.  I'll be happy to prepare krb5 packages.

>From 82affd78ac2c2b13bacf8e004f13f2d0dba5acea Mon Sep 17 00:00:00 2001
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue, 25 Jan 2011 00:23:48 +0000
Subject: [PATCH] ticket: 6852
 subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
 target_version: 1.9.1
 tags: pullup

With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab.  If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation.  We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.

git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
 src/lib/gssapi/krb5/accept_sec_context.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9d40f68..c3cb2f1 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -623,6 +623,15 @@ kg_accept_krb5(minor_status, context_handle,
         goto fail;
+    /* Limit the encryption types negotiated (if requested). */
+    if (cred->req_enctypes) {
+        if ((code = krb5_set_default_tgs_enctypes(context,
+                                                  cred->req_enctypes))) {
+            major_status = GSS_S_FAILURE;
+            goto fail;
+        }
+    }
     if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                             cred->default_identity ? NULL : cred->name->princ,

Reply to: