
Re: nfs-common: compatibility between squeeze and sid broken



>>>>> "Philipp" == Philipp Kern <pkern@debian.org> writes:

    Philipp> On Mon, Aug 01, 2011 at 01:34:34AM -0700, Steve Langasek wrote:
    >> On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote:
    >> > I don't have checkouts handy, but my strong suspicion is that if
    >> > someone is now passing in GSS_C_NT_HOSTBASED_SERVICE into
    >> > gssd_acquire_cred and there isn't an argument slot, you can
    >> > leave it off.  gss_c_nt_hostbased_service has always been the
    >> > default for gssd.
    >> 
    >> Ok, thanks.  I've built packages of nfs-utils and krb5 using the
    >> referenced backported patches, and can confirm that I'm now able
    >> to connect successfully from an nfs-utils 1.2.4 client without
    >> having to set permitted_enctypes on the server.

    Philipp> Why is the nfs-utils patch needed again?  To be able to run
    Philipp> nfs-utils in squeeze with a newer kernel?

No.  The issue is that sid clients will ask a squeeze server to do
something the squeeze kernel can't handle.  However, rather than asking
the kernel you ask the nfs-utils userspace.  The squeeze krb5 can handle
the new encryption type and so it negotiates something, tries to stuff
it into the kernel, and doesn't even know how to do that.

The krb5 patch revises an existing API which allows userspace to tell
krb5 about the kernel capabilities to apply to the server as well as the
client.

The nfs-utils patch tells the server userspace code to call that
existing API which is only called on the client in squeeze.

The failure mode is that without both patches, squeeze servers fail to
work with sid clients running sid kernels.

--Sam

