
Re: nfs-common: compatibility between squeeze and sid broken



reassign 622146 nfs-kernel-server,src:krb5
found 622146 nfs-kernel-server/1:1.2.2-4
found 622146 src:krb5/1.8.3+dfsg-4
fixed 622146 nfs-kernel-server/1:1.2.4-1
fixed 622146 src:krb5/1.9.1+dfsg-1
tags 622146 patch
thanks

On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
> I don't have checkouts handy, but my strong suspicion is that if someone
> is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and
> there isn't an argument slot, you can leave it off.
> gss_c_nt_hostbased_service has always been the default for gssd.

Ok, thanks.  I've built packages of nfs-utils and krb5 using the referenced
backported patches, and can confirm that I'm now able to connect
successfully from an nfs-utils 1.2.4 client without having to set
permitted_enctypes on the server.

I've attached the patches for both packages to this mail.  Phil, is it ok
for these to be uploaded to stable-proposed-updates?  This fixes a bug that
makes squeeze kerberized NFS servers unusable with newer clients (e.g.,
wheezy).

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog
--- krb5-1.8.3+dfsg/debian/changelog
+++ krb5-1.8.3+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+krb5 (1.8.3+dfsg-4squeeze2) stable-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Pull R24603 in MIT upstream subversion to fix support for NFS servers
+    on kernels that only support DES.  Closes: #622146.
+
+ -- Steve Langasek <vorlon@debian.org>  Fri, 22 Jul 2011 05:07:02 -0700
+
 krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
 
   * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
only in patch2:
unchanged:
--- krb5-1.8.3+dfsg.orig/src/lib/gssapi/krb5/accept_sec_context.c
+++ krb5-1.8.3+dfsg/src/lib/gssapi/krb5/accept_sec_context.c
@@ -583,6 +583,15 @@
         goto fail;
     }
 
+    /* Limit the encryption types negotiated (if requested). */
+    if (cred->req_enctypes) {
+        if ((code = krb5_set_default_tgs_enctypes(context,
+                                                  cred->req_enctypes))) {
+            major_status = GSS_S_FAILURE;
+            goto fail;
+        }
+    }
+
     if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                             cred->default_identity ? NULL : cred->name->princ,
                             cred->keytab,
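Review bot: The new `krb5_set_default_tgs_enctypes(context, cred->req_enctypes)` call changes a default on `context`, not on `auth_context` or the credential, and nothing in this hunk restores it afterwards. If `context` can be reused for a later accept with a different credential, the enctype limit carries over. Please confirm the context is private to this call, or save and restore the previous list around `krb5_rd_req`. The function name suggests TGS requests rather than AP-REQ acceptance, so a one-line comment on why this setting governs what `krb5_rd_req` accepts would help the next reader.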
diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog
--- nfs-utils-1.2.2/debian/changelog	2010-08-26 16:11:45.000000000 -0700
+++ nfs-utils-1.2.2/debian/changelog	2011-08-01 01:28:03.000000000 -0700
@@ -1,3 +1,11 @@
+nfs-utils (1:1.2.2-4squeeze1) stable-proposed-updates; urgency=low
+
+  * Non-maintainer upload.
+  * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+    for bug #622146.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 19 Jul 2011 20:54:17 +0000
+
 nfs-utils (1:1.2.2-4) unstable; urgency=low
 
   * mountd: fix path comparison for v4 crossmnt (Closes: #578317)
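Review bot: The new entry identifies the change only by commit hash. Add a short phrase saying what the patch does, as the krb5 entry in this mail does, so the release team can assess it from the changelog alone.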
diff -Nru nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch
--- nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch	1969-12-31 16:00:00.000000000 -0800
+++ nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch	2011-08-01 01:33:21.000000000 -0700
@@ -0,0 +1,413 @@
+Description: Upstream changes introduced in version 1:1.2.2-4.1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ nfs-utils (1:1.2.2-4.1) UNRELEASED; urgency=low
+ .
+   * Non-maintainer upload.
+   * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream
+     for bug #622146.
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
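Review bot: The patch header is still the dpkg-source autogenerated template: the `Description` refers to version 1:1.2.2-4.1 UNRELEASED while the changelog entry is 1:1.2.2-4squeeze1, and the `Origin`, `Bug-Debian`, `Forwarded` and `Last-Update` fields are left as placeholders below the `---` line. Replace it with a real DEP-3 header that says what the patch does and gives upstream commit d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 as `Origin` and bug #622146 as `Bug-Debian`.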
+--- /dev/null
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.c
+@@ -0,0 +1,200 @@
++/*
++ * COPYRIGHT (c) 2011
++ * The Regents of the University of Michigan
++ * ALL RIGHTS RESERVED
++ *
++ * Permission is granted to use, copy, create derivative works
++ * and redistribute this software and such derivative works
++ * for any purpose, so long as the name of The University of
++ * Michigan is not used in any advertising or publicity
++ * pertaining to the use of distribution of this software
++ * without specific, written prior authorization.  If the
++ * above copyright notice or any other identification of the
++ * University of Michigan is included in any copy of any
++ * portion of this software, then the disclaimer below must
++ * also be included.
++ *
++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGES.
++ */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif	/* HAVE_CONFIG_H */
++
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
++#include <stdio.h>
++#include <errno.h>
++#include <gssapi/gssapi.h>
++#include <krb5.h>
++
++#include "gss_util.h"
++#include "gss_oids.h"
++#include "err_util.h"
++#include "svcgssd_krb5.h"
++
++#define MYBUFLEN 1024
++
++char *supported_enctypes_filename = "/proc/fs/nfsd/supported_krb5_enctypes";
++int parsed_num_enctypes = 0;
++krb5_enctype *parsed_enctypes = NULL;
++char *cached_enctypes = NULL;
++
++/*==========================*/
++/*===  Internal routines ===*/
++/*==========================*/
++
++/*
++ * Parse the supported encryption type information
++ */
++static int
++parse_enctypes(char *enctypes)
++{
++	int n = 0;
++	char *curr, *comma;
++	int i;
++
++	/* Don't parse the same string over and over... */
++	if (cached_enctypes && strcmp(cached_enctypes, enctypes) == 0)
++		return 0;
++
++	/* Free any existing cached_enctypes */
++	free(cached_enctypes);
++
++	if (parsed_enctypes != NULL) {
++		free(parsed_enctypes);
++		parsed_enctypes = NULL;
++		parsed_num_enctypes = 0;
++	}
++
++	/* count the number of commas */
++	for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
++		comma = strchr(curr, ',');
++		if (comma != NULL)
++			n++;
++		else
++			break;
++	}
++
++	/* If no more commas and we're not at the end, there's one more value */
++	if (*curr != '\0')
++		n++;
++
++	/* Empty string, return an error */
++	if (n == 0)
++		return ENOENT;
++
++	/* Allocate space for enctypes array */
++	if ((parsed_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
++		return ENOMEM;
++	}
++
++	/* Now parse each value into the array */
++	for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
++		parsed_enctypes[i++] = atoi(curr);
++		comma = strchr(curr, ',');
++		if (comma == NULL)
++			break;
++	}
++
++	parsed_num_enctypes = n;
++	if ((cached_enctypes = malloc(strlen(enctypes)+1)))
++		strcpy(cached_enctypes, enctypes);
++
++	return 0;
++}
++
++static void
++get_kernel_supported_enctypes(void)
++{
++	FILE *s_e;
++	int ret;
++	char buffer[MYBUFLEN + 1];
++
++	memset(buffer, '\0', sizeof(buffer));
++
++	s_e = fopen(supported_enctypes_filename, "r");
++	if (s_e == NULL)
++		goto out_clean_parsed;
++
++	ret = fread(buffer, 1, MYBUFLEN, s_e);
++	if (ret < 0) {
++		fclose(s_e);
++		goto out_clean_parsed;
++	}
++	fclose(s_e);
++	if (parse_enctypes(buffer)) {
++		goto out_clean_parsed;
++	}
++out:
++	return;
++
++out_clean_parsed:
++	if (parsed_enctypes != NULL) {
++		free(parsed_enctypes);
++		parsed_num_enctypes = 0;
++	}
++	goto out;
++}
++
++/*==========================*/
++/*===  External routines ===*/
++/*==========================*/
++
++/*
++ * Get encryption types supported by the kernel, and then
++ * call gss_krb5_set_allowable_enctypes() to limit the
++ * encryption types negotiated.
++ *
++ * Returns:
++ *	0 => all went well
++ *     -1 => there was an error
++ */
++
++int
++svcgssd_limit_krb5_enctypes(void)
++{
++#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
++	u_int maj_stat, min_stat;
++	krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC,
++					    ENCTYPE_DES_CBC_MD5,
++					    ENCTYPE_DES_CBC_MD4 };
++	int default_num_enctypes =
++		sizeof(default_enctypes) / sizeof(default_enctypes[0]);
++	krb5_enctype *enctypes;
++	int num_enctypes;
++
++	get_kernel_supported_enctypes();
++
++	if (parsed_enctypes != NULL) {
++		enctypes = parsed_enctypes;
++		num_enctypes = parsed_num_enctypes;
++	} else {
++		enctypes = default_enctypes;
++		num_enctypes = default_num_enctypes;
++	}
++
++	maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,
++			&krb5oid, num_enctypes, enctypes);
++	if (maj_stat != GSS_S_COMPLETE) {
++		printerr(1, "WARNING: gss_set_allowable_enctypes failed\n");
++		pgsserr("svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes",
++			maj_stat, min_stat, &krb5oid);
++		return -1;
++	}
++#endif
++	return 0;
++}
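Review bot: In `get_kernel_supported_enctypes()`, the `out_clean_parsed` path frees `parsed_enctypes` without setting it to NULL, so `svcgssd_limit_krb5_enctypes()` still sees `parsed_enctypes != NULL` and passes the freed array (with `parsed_num_enctypes` set to 0) to `gss_set_allowable_enctypes`, and a later `parse_enctypes()` call can free it a second time. `parse_enctypes()` has the same pattern with `free(cached_enctypes)`: on the `ENOENT` and `ENOMEM` returns the pointer is left dangling and the next call runs `strcmp` on it. Set both pointers to NULL immediately after freeing. Also, `fread` returns `size_t`, so the `ret < 0` test can never be true (check `ferror(s_e)` instead), and the file uses `strcmp`, `strchr`, `memset`, `calloc`, `free` and `atoi` without including `<string.h>` or `<stdlib.h>` directly.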
+--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.in
++++ nfs-utils-1.2.2/utils/gssd/Makefile.in
+@@ -93,7 +93,7 @@ am__objects_2 = svcgssd-context.$(OBJEXT
+ am_svcgssd_OBJECTS = $(am__objects_2) svcgssd-svcgssd.$(OBJEXT) \
+ 	svcgssd-svcgssd_main_loop.$(OBJEXT) \
+ 	svcgssd-svcgssd_mech2file.$(OBJEXT) \
+-	svcgssd-svcgssd_proc.$(OBJEXT)
++	svcgssd-svcgssd_proc.$(OBJEXT) svcgssd-svcgssd_krb5.$(OBJEXT)
+ svcgssd_OBJECTS = $(am_svcgssd_OBJECTS)
+ svcgssd_DEPENDENCIES = ../../support/nfs/libnfs.a \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+@@ -228,6 +228,7 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+ PACKAGE_NAME = @PACKAGE_NAME@
+ PACKAGE_STRING = @PACKAGE_STRING@
+ PACKAGE_TARNAME = @PACKAGE_TARNAME@
++PACKAGE_URL = @PACKAGE_URL@
+ PACKAGE_VERSION = @PACKAGE_VERSION@
+ PATH_SEPARATOR = @PATH_SEPARATOR@
+ PKG_CONFIG = @PKG_CONFIG@
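Review bot: The added `PACKAGE_URL = @PACKAGE_URL@` line is unrelated to the enctype fix and suggests `Makefile.in` was regenerated with a different autotools version than the one that produced the 1.2.2 file. For a stable-proposed-updates upload, either restrict the `Makefile.in` changes to the `svcgssd_krb5` object and dependency lines, or leave the generated file out of the patch and regenerate it at build time.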
+@@ -354,7 +355,9 @@ svcgssd_SOURCES = \
+ 	svcgssd_main_loop.c \
+ 	svcgssd_mech2file.c \
+ 	svcgssd_proc.c \
++	svcgssd_krb5.c \
+ 	\
++	svcgssd_krb5.h \
+ 	svcgssd.h
+ 
+ svcgssd_LDADD = \
+@@ -520,6 +523,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_oids.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_util.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_krb5.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_main_loop.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_mech2file.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_proc.Po@am__quote@
+@@ -895,6 +899,20 @@ svcgssd-svcgssd_proc.obj: svcgssd_proc.c
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_proc.obj `if test -f 'svcgssd_proc.c'; then $(CYGPATH_W) 'svcgssd_proc.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_proc.c'; fi`
+ 
++svcgssd-svcgssd_krb5.o: svcgssd_krb5.c
++@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.o -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo '$(srcdir)/'`svcgssd_krb5.c
++@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.o' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo '$(srcdir)/'`svcgssd_krb5.c
++
++svcgssd-svcgssd_krb5.obj: svcgssd_krb5.c
++@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.obj -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi`
++@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.obj' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi`
++
+ mostlyclean-libtool:
+ 	-rm -f *.lo
+ 
+--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.am
++++ nfs-utils-1.2.2/utils/gssd/Makefile.am
+@@ -51,7 +51,9 @@ svcgssd_SOURCES = \
+ 	svcgssd_main_loop.c \
+ 	svcgssd_mech2file.c \
+ 	svcgssd_proc.c \
++	svcgssd_krb5.c \
+ 	\
++	svcgssd_krb5.h \
+ 	svcgssd.h
+ 
+ svcgssd_LDADD = \
+--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd_proc.c
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_proc.c
+@@ -57,6 +57,7 @@
+ #include "err_util.h"
+ #include "context.h"
+ #include "gss_oids.h"
++#include "svcgssd_krb5.h"
+ 
+ extern char * mech2file(gss_OID mech);
+ #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel"
+@@ -449,6 +450,10 @@ handle_nullreq(FILE *f) {
+ 		memcpy(&ctx, in_handle.value, in_handle.length);
+ 	}
+ 
++	if (svcgssd_limit_krb5_enctypes()) {
++		goto out_err;
++	}
++
+ 	maj_stat = gss_accept_sec_context(&min_stat, &ctx, gssd_creds,
+ 			&in_tok, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
+ 			&mech, &out_tok, &ret_flags, NULL, NULL);
+--- /dev/null
++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.h
+@@ -0,0 +1,36 @@
++/*
++ * COPYRIGHT (c) 2011
++ * The Regents of the University of Michigan
++ * ALL RIGHTS RESERVED
++ *
++ * Permission is granted to use, copy, create derivative works
++ * and redistribute this software and such derivative works
++ * for any purpose, so long as the name of The University of
++ * Michigan is not used in any advertising or publicity
++ * pertaining to the use of distribution of this software
++ * without specific, written prior authorization.  If the
++ * above copyright notice or any other identification of the
++ * University of Michigan is included in any copy of any
++ * portion of this software, then the disclaimer below must
++ * also be included.
++ *
++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGES.
++ */
++
++#ifndef SVCGSSD_KRB5_H
++#define SVCGSSD_KRB5_H
++
++int svcgssd_limit_krb5_enctypes(void);
++
++#endif /* SVCGSSD_KRB5_H */
+--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.c
++++ nfs-utils-1.2.2/utils/gssd/gss_util.c
+@@ -199,20 +199,25 @@ gssd_acquire_cred(char *server_name)
+ 	u_int32_t ignore_maj_stat, ignore_min_stat;
+ 	gss_buffer_desc pbuf;
+ 
+-	name.value = (void *)server_name;
+-	name.length = strlen(server_name);
++	/* If server_name is NULL, get cred for GSS_C_NO_NAME */
++	if (server_name == NULL) {
++		target_name = GSS_C_NO_NAME;
++	} else {
++		name.value = (void *)server_name;
++		name.length = strlen(server_name);
+ 
+-	maj_stat = gss_import_name(&min_stat, &name,
+-			(const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
+-			&target_name);
++		maj_stat = gss_import_name(&min_stat, &name,
++				(const gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
++				&target_name);
+ 
+-	if (maj_stat != GSS_S_COMPLETE) {
+-		pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
+-		return (FALSE);
++		if (maj_stat != GSS_S_COMPLETE) {
++			pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
++			return (FALSE);
++		}
+ 	}
+ 
+-	maj_stat = gss_acquire_cred(&min_stat, target_name, 0,
+-			GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
++	maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE,
++			GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+ 			&gssd_creds, NULL, NULL);
+ 
+ 	if (maj_stat != GSS_S_COMPLETE) {
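Review bot: The last change in this hunk swaps the `gss_acquire_cred` arguments from `0` to `GSS_C_INDEFINITE` and from `GSS_C_NULL_OID_SET` to `GSS_C_NO_OID_SET`, which also affects the existing named-credential path and is not mentioned in the changelog; please state why the backport needs it. In the new `server_name == NULL` branch `target_name` is `GSS_C_NO_NAME`, so any later release of `target_name` in this function (not visible here) has to tolerate that value.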
+--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd.c
++++ nfs-utils-1.2.2/utils/gssd/svcgssd.c
+@@ -127,6 +127,12 @@ mydaemon(int nochdir, int noclose)
+ 				    "(%s)\n", errno, strerror(errno));
+ 			exit(1);
+ 		}
++	} else {
++		status = gssd_acquire_cred(NULL);
++		if (status == FALSE) {
++			printerr(0, "unable to obtain nameless credentials\n");
++			exit(1);
++		}
+ 	}
+ 
+ 	return;
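Review bot: The new `else` branch makes `gssd_acquire_cred(NULL)` the fallback, so svcgssd accepts with nameless credentials (`GSS_C_NO_NAME` in the gss_util.c hunk) instead of a specific service name. With MIT krb5 that generally means the acceptor will answer for any key present in its keytab, so the changelog or package documentation should tell administrators to keep only the NFS service keys in the keytab svcgssd reads. The `printerr` message would also be more useful if it said which keytab or credential source was tried.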
diff -Nru nfs-utils-1.2.2/debian/patches/series nfs-utils-1.2.2/debian/patches/series
--- nfs-utils-1.2.2/debian/patches/series	2010-08-26 16:14:25.000000000 -0700
+++ nfs-utils-1.2.2/debian/patches/series	2011-08-01 01:30:53.000000000 -0700
@@ -7,3 +7,4 @@
 13-preserve-explicit-port-2049.patch
 14-allow-address-without-name.patch
 15-mountd-fix-path-comparison-for-v4-crossmnt.patch
+16-negotiate-des-only.patch
