reassign 622146 nfs-kernel-server,src:krb5 found 622146 nfs-kernel-server/1:1.2.2-4 found 622146 src:krb5/1.8.3+dfsg-4 fixed 622146 nfs-kernel-server/1:1.2.4-1 fixed 622146 src:krb5/1.9.1+dfsg-1 tags 622146 patch thanks On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote: > I don't have checkouts handy, but my strong suspicion is that if someone > is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and > there isn't an argument slot, you can leave it off. > gss_c_nt_hostbased_service has always been the default for gssd. Ok, thanks. I've built packages of nfs-utils and krb5 using the referenced backported patches, and can confirm that I'm now able to connect successfully from an nfs-utils 1.2.4 client without having to set permitted_enctypes on the server. I've attached the patches for both packages to this mail. Phil, is it ok for these to be uploaded to stable-proposed-updates? This fixes a bug that makes squeeze kerberized NFS servers unusable with newer clients (e.g., wheezy). Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze2) stable-proposed-updates; urgency=low
+
+ * Non-maintainer upload.
+ * Pull R24603 in MIT upstream subversion to fix support for NFS servers
+ on kernels that only support DES. Closes: #622146.
+
+ -- Steve Langasek <vorlon@debian.org> Fri, 22 Jul 2011 05:07:02 -0700
+
krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
* Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/lib/gssapi/krb5/accept_sec_context.c
+++ krb5-1.8.3+dfsg/src/lib/gssapi/krb5/accept_sec_context.c
@@ -583,6 +583,15 @@
goto fail;
}
+ /* Limit the encryption types negotiated (if requested). */
+ if (cred->req_enctypes) {
+ if ((code = krb5_set_default_tgs_enctypes(context,
+ cred->req_enctypes))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+ }
+
if ((code = krb5_rd_req(context, &auth_context, &ap_req,
cred->default_identity ? NULL : cred->name->princ,
cred->keytab,
diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog
--- nfs-utils-1.2.2/debian/changelog 2010-08-26 16:11:45.000000000 -0700
+++ nfs-utils-1.2.2/debian/changelog 2011-08-01 01:28:03.000000000 -0700
@@ -1,3 +1,11 @@
+nfs-utils (1:1.2.2-4squeeze1) stable-proposed-updates; urgency=low
+
+ * Non-maintainer upload.
+ * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+ for bug #622146.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 19 Jul 2011 20:54:17 +0000
+
nfs-utils (1:1.2.2-4) unstable; urgency=low
* mountd: fix path comparison for v4 crossmnt (Closes: #578317)
diff -Nru nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch
--- nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch 1969-12-31 16:00:00.000000000 -0800
+++ nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch 2011-08-01 01:33:21.000000000 -0700
@@ -0,0 +1,413 @@
+Description: Upstream changes introduced in version 1:1.2.2-4.1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ nfs-utils (1:1.2.2-4.1) UNRELEASED; urgency=low
+ .
+ * Non-maintainer upload.
+ * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+ for bug #622146.
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.c
+@@ -0,0 +1,200 @@
++/*
++ * COPYRIGHT (c) 2011
++ * The Regents of the University of Michigan
++ * ALL RIGHTS RESERVED
++ *
++ * Permission is granted to use, copy, create derivative works
++ * and redistribute this software and such derivative works
++ * for any purpose, so long as the name of The University of
++ * Michigan is not used in any advertising or publicity
++ * pertaining to the use of distribution of this software
++ * without specific, written prior authorization. If the
++ * above copyright notice or any other identification of the
++ * University of Michigan is included in any copy of any
++ * portion of this software, then the disclaimer below must
++ * also be included.
++ *
++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGES.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif /* HAVE_CONFIG_H */
++
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
++#include <stdio.h>
++#include <errno.h>
++#include <gssapi/gssapi.h>
++#include <krb5.h>
++
++#include "gss_util.h"
++#include "gss_oids.h"
++#include "err_util.h"
++#include "svcgssd_krb5.h"
++
++#define MYBUFLEN 1024
++
++char *supported_enctypes_filename = "/proc/fs/nfsd/supported_krb5_enctypes";
++int parsed_num_enctypes = 0;
++krb5_enctype *parsed_enctypes = NULL;
++char *cached_enctypes = NULL;
++
++/*==========================*/
++/*=== Internal routines ===*/
++/*==========================*/
++
++/*
++ * Parse the supported encryption type information
++ */
++static int
++parse_enctypes(char *enctypes)
++{
++ int n = 0;
++ char *curr, *comma;
++ int i;
++
++ /* Don't parse the same string over and over... */
++ if (cached_enctypes && strcmp(cached_enctypes, enctypes) == 0)
++ return 0;
++
++ /* Free any existing cached_enctypes */
++ free(cached_enctypes);
++
++ if (parsed_enctypes != NULL) {
++ free(parsed_enctypes);
++ parsed_enctypes = NULL;
++ parsed_num_enctypes = 0;
++ }
++
++ /* count the number of commas */
++ for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
++ comma = strchr(curr, ',');
++ if (comma != NULL)
++ n++;
++ else
++ break;
++ }
++
++ /* If no more commas and we're not at the end, there's one more value */
++ if (*curr != '\0')
++ n++;
++
++ /* Empty string, return an error */
++ if (n == 0)
++ return ENOENT;
++
++ /* Allocate space for enctypes array */
++ if ((parsed_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
++ return ENOMEM;
++ }
++
++ /* Now parse each value into the array */
++ for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
++ parsed_enctypes[i++] = atoi(curr);
++ comma = strchr(curr, ',');
++ if (comma == NULL)
++ break;
++ }
++
++ parsed_num_enctypes = n;
++ if ((cached_enctypes = malloc(strlen(enctypes)+1)))
++ strcpy(cached_enctypes, enctypes);
++
++ return 0;
++}
++
++static void
++get_kernel_supported_enctypes(void)
++{
++ FILE *s_e;
++ int ret;
++ char buffer[MYBUFLEN + 1];
++
++ memset(buffer, '\0', sizeof(buffer));
++
++ s_e = fopen(supported_enctypes_filename, "r");
++ if (s_e == NULL)
++ goto out_clean_parsed;
++
++ ret = fread(buffer, 1, MYBUFLEN, s_e);
++ if (ret < 0) {
++ fclose(s_e);
++ goto out_clean_parsed;
++ }
++ fclose(s_e);
++ if (parse_enctypes(buffer)) {
++ goto out_clean_parsed;
++ }
++out:
++ return;
++
++out_clean_parsed:
++ if (parsed_enctypes != NULL) {
++ free(parsed_enctypes);
++ parsed_num_enctypes = 0;
++ }
++ goto out;
++}
++
++/*==========================*/
++/*=== External routines ===*/
++/*==========================*/
++
++/*
++ * Get encryption types supported by the kernel, and then
++ * call gss_krb5_set_allowable_enctypes() to limit the
++ * encryption types negotiated.
++ *
++ * Returns:
++ * 0 => all went well
++ * -1 => there was an error
++ */
++
++int
++svcgssd_limit_krb5_enctypes(void)
++{
++#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
++ u_int maj_stat, min_stat;
++ krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC,
++ ENCTYPE_DES_CBC_MD5,
++ ENCTYPE_DES_CBC_MD4 };
++ int default_num_enctypes =
++ sizeof(default_enctypes) / sizeof(default_enctypes[0]);
++ krb5_enctype *enctypes;
++ int num_enctypes;
++
++ get_kernel_supported_enctypes();
++
++ if (parsed_enctypes != NULL) {
++ enctypes = parsed_enctypes;
++ num_enctypes = parsed_num_enctypes;
++ } else {
++ enctypes = default_enctypes;
++ num_enctypes = default_num_enctypes;
++ }
++
++ maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,
++ &krb5oid, num_enctypes, enctypes);
++ if (maj_stat != GSS_S_COMPLETE) {
++ printerr(1, "WARNING: gss_set_allowable_enctypes failed\n");
++ pgsserr("svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes",
++ maj_stat, min_stat, &krb5oid);
++ return -1;
++ }
++#endif
++ return 0;
++}
+--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.in
++++ nfs-utils-1.2.2/utils/gssd/Makefile.in
+@@ -93,7 +93,7 @@ am__objects_2 = svcgssd-context.$(OBJEXT
+ am_svcgssd_OBJECTS = $(am__objects_2) svcgssd-svcgssd.$(OBJEXT) \
+ svcgssd-svcgssd_main_loop.$(OBJEXT) \
+ svcgssd-svcgssd_mech2file.$(OBJEXT) \
+- svcgssd-svcgssd_proc.$(OBJEXT)
++ svcgssd-svcgssd_proc.$(OBJEXT) svcgssd-svcgssd_krb5.$(OBJEXT)
+ svcgssd_OBJECTS = $(am_svcgssd_OBJECTS)
+ svcgssd_DEPENDENCIES = ../../support/nfs/libnfs.a \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+@@ -228,6 +228,7 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+ PACKAGE_NAME = @PACKAGE_NAME@
+ PACKAGE_STRING = @PACKAGE_STRING@
+ PACKAGE_TARNAME = @PACKAGE_TARNAME@
++PACKAGE_URL = @PACKAGE_URL@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+ PATH_SEPARATOR = @PATH_SEPARATOR@
+ PKG_CONFIG = @PKG_CONFIG@
+@@ -354,7 +355,9 @@ svcgssd_SOURCES = \
+ svcgssd_main_loop.c \
+ svcgssd_mech2file.c \
+ svcgssd_proc.c \
++ svcgssd_krb5.c \
+ \
++ svcgssd_krb5.h \
+ svcgssd.h
+
+ svcgssd_LDADD = \
+@@ -520,6 +523,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_oids.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_util.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_krb5.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_main_loop.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_mech2file.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_proc.Po@am__quote@
+@@ -895,6 +899,20 @@ svcgssd-svcgssd_proc.obj: svcgssd_proc.c
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_proc.obj `if test -f 'svcgssd_proc.c'; then $(CYGPATH_W) 'svcgssd_proc.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_proc.c'; fi`
+
++svcgssd-svcgssd_krb5.o: svcgssd_krb5.c
++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.o -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo '$(srcdir)/'`svcgssd_krb5.c
++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.o' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo '$(srcdir)/'`svcgssd_krb5.c
++
++svcgssd-svcgssd_krb5.obj: svcgssd_krb5.c
++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.obj -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi`
++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.obj' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi`
++
+ mostlyclean-libtool:
+ -rm -f *.lo
+
+--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.am
++++ nfs-utils-1.2.2/utils/gssd/Makefile.am
+@@ -51,7 +51,9 @@ svcgssd_SOURCES = \
+ svcgssd_main_loop.c \
+ svcgssd_mech2file.c \
+ svcgssd_proc.c \
++ svcgssd_krb5.c \
+ \
++ svcgssd_krb5.h \
+ svcgssd.h
+
+ svcgssd_LDADD = \
+--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd_proc.c
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_proc.c
+@@ -57,6 +57,7 @@
+ #include "err_util.h"
+ #include "context.h"
+ #include "gss_oids.h"
++#include "svcgssd_krb5.h"
+
+ extern char * mech2file(gss_OID mech);
+ #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel"
+@@ -449,6 +450,10 @@ handle_nullreq(FILE *f) {
+ memcpy(&ctx, in_handle.value, in_handle.length);
+ }
+
++ if (svcgssd_limit_krb5_enctypes()) {
++ goto out_err;
++ }
++
+ maj_stat = gss_accept_sec_context(&min_stat, &ctx, gssd_creds,
+ &in_tok, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
+ &mech, &out_tok, &ret_flags, NULL, NULL);
+--- /dev/null
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.h
+@@ -0,0 +1,36 @@
++/*
++ * COPYRIGHT (c) 2011
++ * The Regents of the University of Michigan
++ * ALL RIGHTS RESERVED
++ *
++ * Permission is granted to use, copy, create derivative works
++ * and redistribute this software and such derivative works
++ * for any purpose, so long as the name of The University of
++ * Michigan is not used in any advertising or publicity
++ * pertaining to the use of distribution of this software
++ * without specific, written prior authorization. If the
++ * above copyright notice or any other identification of the
++ * University of Michigan is included in any copy of any
++ * portion of this software, then the disclaimer below must
++ * also be included.
++ *
++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGES.
++ */
++
++#ifndef SVCGSSD_KRB5_H
++#define SVCGSSD_KRB5_H
++
++int svcgssd_limit_krb5_enctypes(void);
++
++#endif /* SVCGSSD_KRB5_H */
+--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.c
++++ nfs-utils-1.2.2/utils/gssd/gss_util.c
+@@ -199,20 +199,25 @@ gssd_acquire_cred(char *server_name)
+ u_int32_t ignore_maj_stat, ignore_min_stat;
+ gss_buffer_desc pbuf;
+
+- name.value = (void *)server_name;
+- name.length = strlen(server_name);
++ /* If server_name is NULL, get cred for GSS_C_NO_NAME */
++ if (server_name == NULL) {
++ target_name = GSS_C_NO_NAME;
++ } else {
++ name.value = (void *)server_name;
++ name.length = strlen(server_name);
+
+- maj_stat = gss_import_name(&min_stat, &name,
+- (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+- &target_name);
++ maj_stat = gss_import_name(&min_stat, &name,
++ (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
++ &target_name);
+
+- if (maj_stat != GSS_S_COMPLETE) {
+- pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
+- return (FALSE);
++ if (maj_stat != GSS_S_COMPLETE) {
++ pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
++ return (FALSE);
++ }
+ }
+
+- maj_stat = gss_acquire_cred(&min_stat, target_name, 0,
+- GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
++ maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE,
++ GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+ &gssd_creds, NULL, NULL);
+
+ if (maj_stat != GSS_S_COMPLETE) {
+--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd.c
++++ nfs-utils-1.2.2/utils/gssd/svcgssd.c
+@@ -127,6 +127,12 @@ mydaemon(int nochdir, int noclose)
+ "(%s)\n", errno, strerror(errno));
+ exit(1);
+ }
++ } else {
++ status = gssd_acquire_cred(NULL);
++ if (status == FALSE) {
++ printerr(0, "unable to obtain nameless credentials\n");
++ exit(1);
++ }
+ }
+
+ return;
diff -Nru nfs-utils-1.2.2/debian/patches/series nfs-utils-1.2.2/debian/patches/series
--- nfs-utils-1.2.2/debian/patches/series 2010-08-26 16:14:25.000000000 -0700
+++ nfs-utils-1.2.2/debian/patches/series 2011-08-01 01:30:53.000000000 -0700
@@ -7,3 +7,4 @@
13-preserve-explicit-port-2049.patch
14-allow-address-without-name.patch
15-mountd-fix-path-comparison-for-v4-crossmnt.patch
+16-negotiate-des-only.patch
Attachment:
signature.asc
Description: Digital signature