krb5

05-07-2011, 03:14 PM

* Replace heimdal by the MIT Kerberos implementation, krb5
* Rebuilded [core] packages :
- librpcsecgss
- libtirpc
- nfs-utils
- openssh

Please signoff both.
Thanks

Stéphane

05-07-2011, 03:31 PM

On 05/07/2011 06:14 PM, StÃ©phane Gaudreault wrote:

* Replace heimdal by the MIT Kerberos implementation, krb5
* Rebuilded [core] packages :
- librpcsecgss
- libtirpc
- nfs-utils
- openssh

Please signoff both.
Thanks

StÃ©phane

it will be nice to run db-update and then db-move staging testing krb5

/home/stephane/staging/staging:
krb5-1.9.1-1-i686.pkg.tar.xz krb5-1.9.1-1-x86_64.pkg.tar.xz

--
IonuÈ›

05-07-2011, 09:15 PM

On Sat, May 7, 2011 at 11:14 AM, Stéphane Gaudreault
<stephane@archlinux.org> wrote:
> * Replace heimdal by the MIT Kerberos implementation, krb5
> * Rebuilded [core] packages :
> *- librpcsecgss
> *- libtirpc
> *- nfs-utils
> *- openssh
>
> Please signoff both.
> Thanks
>
> Stéphane

I see a regression versus heimdal here. Do this:

1. Set up krb5.conf to enable proxiable and forwardable tickets
2. Set up ~/.ssh/config to enable "GSSAPIAuthentication" and
"GSSAPIDelegateCredentials"
3. Use "kinit" from this krb5 package to get a new TGT
4. Use the ssh client from this openssh rebuild to connect to a server
that support GSSAPI auth

On some, but not all, ssh server implementations, GSSAPI auth will
fail, and it will fall back to password auth. The server will log
this:

sshd[3822]: Forcing password authentication because no credentials delegated

When using the heimdal-based builds, GSSAPI auth would work in all cases.

It's entirely likely that only very old ssh servers show this problem,
as that's what I'm seeing so far. Possibly there is some confusion
with the new "Okay as delegate" ticket flag, which heimdal didn't
support at all, and MIT krb5 only supports enough to parse and report,
but has no support for setting.

I don't consider this important enough to block the release of these
packages, but I wanted to mention it in case someone else cares more
than me.

05-08-2011, 03:28 AM

On 08/05/11 01:14, Stéphane Gaudreault wrote:

* Replace heimdal by the MIT Kerberos implementation, krb5
* Rebuilded [core] packages :
- librpcsecgss
- libtirpc
- nfs-utils
- openssh

Please signoff both.
Thanks

openssh still works, as do other packages that I have updated for this
rebuild. I do not use any actual kerberos stuff though...

Signoff i686,
Allan

05-08-2011, 09:16 AM

Am 07.05.2011 17:14, schrieb Stéphane Gaudreault:
> * Replace heimdal by the MIT Kerberos implementation, krb5
> * Rebuilded [core] packages :
> - librpcsecgss
> - libtirpc
> - nfs-utils
> - openssh
>
> Please signoff both.
> Thanks
>
> Stéphane

I can't use firefox. I cannot restore my old session. Creating a new
session works, but as soon as I want to open a serious website, it
segfaults. I suspect it is due to this update series which I ran last night:

[2011-05-08 02:12] upgraded libmysqlclient (5.5.11-1 -> 5.5.12-1)
[2011-05-08 02:12] upgraded mysql-clients (5.5.11-1 -> 5.5.12-1)
[2011-05-08 02:12] upgraded mysql (5.5.11-1 -> 5.5.12-1)
[2011-05-08 02:12] upgraded akonadi (1.5.2-1 -> 1.5.3-1)
[2011-05-08 02:12] upgraded bind (9.8.0-1 -> 9.8.0.P1-1)
[2011-05-08 02:12] installed krb5 (1.9.1-1)
[2011-05-08 02:12] upgraded gnutls (2.12.3-1 -> 2.12.4-1)
[2011-05-08 02:12] upgraded libcups (1.4.6-1 -> 1.4.6-2)
[2011-05-08 02:12] upgraded gtk-update-icon-cache (2.24.4-1 -> 2.24.4-2)
[2011-05-08 02:12] upgraded gtk2 (2.24.4-1 -> 2.24.4-2)
[2011-05-08 02:13] upgraded chromium (11.0.696.57-1 -> 11.0.696.65-1)
[2011-05-08 02:13] upgraded cifs-utils (4.9-2 -> 4.9-3)
[2011-05-08 02:13] upgraded cups (1.4.6-1 -> 1.4.6-2)
[2011-05-08 02:13] upgraded cvs (1.11.23-6 -> 1.11.23-7)
[2011-05-08 02:13] upgraded dconf (0.7.3-2 -> 0.7.4-1)
[2011-05-08 02:13] upgraded dnsutils (9.8.0-1 -> 9.8.0.P1-1)
[2011-05-08 02:13] upgraded evolution-data-server (3.0.1-1 -> 3.0.1-2)
[2011-05-08 02:13] upgraded ffmpeg (20110330-1 -> 20110330-2)
[2011-05-08 02:13] upgraded ghostscript (9.02-1 -> 9.02-2)
[2011-05-08 02:13] upgraded gsasl (1.5.4-1 -> 1.5.4-2)
[2011-05-08 02:13] upgraded gtk3 (3.0.9-1 -> 3.0.9-2)
[2011-05-08 02:13] >>please run /usr/sbin/cups-genppdupdate
[2011-05-08 02:13] >>and restart cups deamon
[2011-05-08 02:13] upgraded gutenprint (5.2.7-1 -> 5.2.7-2)
[2011-05-08 02:13] upgraded kdelibs (4.6.3-1 -> 4.6.3-2)
[2011-05-08 02:13] upgraded librpcsecgss (0.19-4 -> 0.19-5)
[2011-05-08 02:13] upgraded libsamplerate (0.1.7-1 -> 0.1.7-2)
[2011-05-08 02:13] upgraded libtirpc (0.2.1-2 -> 0.2.1-3)
[2011-05-08 02:13] upgraded libwpd (0.9.1-1 -> 0.9.2-1)
[2011-05-08 02:13] upgraded neon (0.29.3-2 -> 0.29.3-3)
[2011-05-08 02:13] upgraded nfs-utils (1.2.2-6 -> 1.2.3-1)
[2011-05-08 02:13] upgraded openssh (5.8p2-3 -> 5.8p2-4)
[2011-05-08 02:13] upgraded phonon-gstreamer (4.5.0-1 -> 4.5.1-1)
[2011-05-08 02:13] upgraded qscintilla (2.5.1-1 -> 2.5.1-2)
[2011-05-08 02:13] upgraded smbclient (3.5.8-2 -> 3.5.8-3)
[2011-05-08 02:13] upgraded samba (3.5.8-2 -> 3.5.8-3)
[2011-05-08 02:13] upgraded subversion (1.6.15-1 -> 1.6.15-2)
[2011-05-08 02:13] upgraded wget (1.12-5 -> 1.12-7)
[2011-05-08 02:13] upgraded wireshark-cli (1.4.6-1 -> 1.4.6-2)
[2011-05-08 02:13] upgraded wireshark-gtk (1.4.6-1 -> 1.4.6-2)

gtk2 got updated, which seems the only one related to firefox.

05-08-2011, 09:43 AM

Am 08.05.2011 11:16, schrieb Thomas Bächler:
> Am 07.05.2011 17:14, schrieb Stéphane Gaudreault:
>> * Replace heimdal by the MIT Kerberos implementation, krb5
>> * Rebuilded [core] packages :
>> - librpcsecgss
>> - libtirpc
>> - nfs-utils
>> - openssh
>>
>> Please signoff both.
>> Thanks
>>
>> Stéphane
>
> I can't use firefox. I cannot restore my old session. Creating a new
> session works, but as soon as I want to open a serious website, it
> segfaults. I suspect it is due to this update series which I ran last night:
>
> [...]
> [2011-05-08 02:13] upgraded dconf (0.7.3-2 -> 0.7.4-1)

This was actually the dconf update, which is not krb5 related.

05-08-2011, 10:07 AM

On Saturday 07 May 2011 11:14:27 Stéphane Gaudreault wrote:
> * Replace heimdal by the MIT Kerberos implementation, krb5
> * Rebuilded [core] packages :
> - librpcsecgss
> - libtirpc
> - nfs-utils
> - openssh
no signoff.

nfs-utils is broken:
# /etc/rc.d/nfs-server start
:: Mounting nfsd filesystem
[DONE]
:: Exporting all directories
[DONE]
:: Starting rpc.nfsd daemon
[DONE]
:: Starting rpc.mountd daemon
[BUSY] /usr/sbin/rpc.mountd: bad version number: 1
Usage: /usr/sbin/rpc.mountd [-F|--foreground] [-h|--help] [-v|--version] [-d
kind|--debug kind]
[-o num|--descriptors num] [-f exports-file|--exports-file=file]
[-p|--port port] [-V version|--nfs-version version]
[-N version|--no-nfs-version version] [-n|--no-tcp]
[-H ha-callout-prog] [-s|--state-directory-path path]
[-g|--manage-gids] [-t num|--num-threads=num]
[FAIL]
--
Andrea

05-08-2011, 10:11 AM

On Sunday 08 May 2011 12:07:18 Andrea Scarpino wrote:
> no signoff.
>
> nfs-utils is broken:
> # /etc/rc.d/nfs-server start
>
> :: Mounting nfsd filesystem
>
> [DONE]
>
> :: Exporting all directories
>
> [DONE]
>
> :: Starting rpc.nfsd daemon
>
> [DONE]
>
> :: Starting rpc.mountd daemon
>
> [BUSY] /usr/sbin/rpc.mountd: bad version number: 1
> Usage: /usr/sbin/rpc.mountd [-F|--foreground] [-h|--help] [-v|--version] [-d
> kind|--debug kind]
> [-o num|--descriptors num] [-f exports-file|--exports-file=file]
> [-p|--port port] [-V version|--nfs-version version]
> [-N version|--no-nfs-version version] [-n|--no-tcp]
> [-H ha-callout-prog] [-s|--state-directory-path path]
> [-g|--manage-gids] [-t num|--num-threads=num]
>
>
> [FAIL]
Changing line 21 in /etc/conf.d/nfs-server.conf with:
MOUNTD_OPTS="--no-nfs-version 2"
fixed it.

--
Andrea

05-08-2011, 01:48 PM

Le 8 mai 2011 06:11:06, Andrea Scarpino a écrit :
> On Sunday 08 May 2011 12:07:18 Andrea Scarpino wrote:
> > no signoff.
> >
> > nfs-utils is broken:
> > # /etc/rc.d/nfs-server start
> >
> > :: Mounting nfsd filesystem
> >
> > [DONE]
> >
> > :: Exporting all directories
> >
> > [DONE]
> >
> > :: Starting rpc.nfsd daemon
> >
> > [DONE]
> >
> > :: Starting rpc.mountd daemon
> >
> > [BUSY] /usr/sbin/rpc.mountd: bad version number: 1
> > Usage: /usr/sbin/rpc.mountd [-F|--foreground] [-h|--help] [-v|--version]
> > [-d kind|--debug kind]
> >
> > [-o num|--descriptors num] [-f exports-file|--exports-file=file]
> > [-p|--port port] [-V version|--nfs-version version]
> > [-N version|--no-nfs-version version] [-n|--no-tcp]
> > [-H ha-callout-prog] [-s|--state-directory-path path]
> > [-g|--manage-gids] [-t num|--num-threads=num]
> >
> > [FAIL]
>
> Changing line 21 in /etc/conf.d/nfs-server.conf with:
> MOUNTD_OPTS="--no-nfs-version 2"
> fixed it.

Fixed.

05-10-2011, 06:15 PM

Le 7 mai 2011 23:28:31, Allan McRae a écrit :
> On 08/05/11 01:14, Stéphane Gaudreault wrote:
> > * Replace heimdal by the MIT Kerberos implementation, krb5
> >
> > * Rebuilded [core] packages :
> > - librpcsecgss
> > - libtirpc
> > - nfs-utils
> > - openssh
> >
> > Please signoff both.
> > Thanks
>
> openssh still works, as do other packages that I have updated for this
> rebuild. I do not use any actual kerberos stuff though...
>
> Signoff i686,
> Allan

Anyone else for x86_64 ?