reassign 622146 nfs-kernel-server,src:krb5 found 622146 nfs-kernel-server/1:1.2.2-4 found 622146 src:krb5/1.8.3+dfsg-4 fixed 622146 nfs-kernel-server/1:1.2.4-1 fixed 622146 src:krb5/1.9.1+dfsg-1 tags 622146 patch thanks
On Tue, Jul 19, 2011 at 05:42:34PM -0400, Sam Hartman wrote: > I don't have checkouts handy, but my strong suspicion is that if someone > is now passing in GSS_C_NT_HOSTBASED_SERVICE into gssd_acquire_cred and > there isn't an argument slot, you can leave it off. > gss_c_nt_hostbased_service has always been the default for gssd. Ok, thanks. I've built packages of nfs-utils and krb5 using the referenced backported patches, and can confirm that I'm now able to connect successfully from an nfs-utils 1.2.4 client without having to set permitted_enctypes on the server. I've attached the patches for both packages to this mail. Phil, is it ok for these to be uploaded to stable-proposed-updates? This fixes a bug that makes squeeze kerberized NFS servers unusable with newer clients (e.g., wheezy). Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
diff -u krb5-1.8.3+dfsg/debian/changelog krb5-1.8.3+dfsg/debian/changelog --- krb5-1.8.3+dfsg/debian/changelog +++ krb5-1.8.3+dfsg/debian/changelog @@ -1,3 +1,11 @@ +krb5 (1.8.3+dfsg-4squeeze2) stable-proposed-updates; urgency=low + + * Non-maintainer upload. + * Pull R24603 in MIT upstream subversion to fix support for NFS servers + on kernels that only support DES. Closes: #622146. + + -- Steve Langasek <vor...@debian.org> Fri, 22 Jul 2011 05:07:02 -0700 + krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517 only in patch2: unchanged: --- krb5-1.8.3+dfsg.orig/src/lib/gssapi/krb5/accept_sec_context.c +++ krb5-1.8.3+dfsg/src/lib/gssapi/krb5/accept_sec_context.c @@ -583,6 +583,15 @@ goto fail; } + /* Limit the encryption types negotiated (if requested). */ + if (cred->req_enctypes) { + if ((code = krb5_set_default_tgs_enctypes(context, + cred->req_enctypes))) { + major_status = GSS_S_FAILURE; + goto fail; + } + } + if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->default_identity ? NULL : cred->name->princ, cred->keytab,
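Review bot: The block added before `krb5_rd_req` calls `krb5_set_default_tgs_enctypes(context, cred->req_enctypes)`, which changes a setting on the whole krb5 `context` rather than on this one request, and the one-line comment does not say so. If `context` outlives this call (its creation is outside the hunk), the restriction would presumably persist for later operations on it. Once that is confirmed, a comment such as `/* Sets the context-wide enctype list; rd_req below is expected to reject tickets outside req_enctypes. */` would tell the next reader why a "TGS" setter appears on the acceptor path. The enclosing function starts and ends outside the hunk.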
diff -Nru nfs-utils-1.2.2/debian/changelog nfs-utils-1.2.2/debian/changelog --- nfs-utils-1.2.2/debian/changelog 2010-08-26 16:11:45.000000000 -0700 +++ nfs-utils-1.2.2/debian/changelog 2011-08-01 01:28:03.000000000 -0700 @@ -1,3 +1,11 @@ +nfs-utils (1:1.2.2-4squeeze1) stable-proposed-updates; urgency=low + + * Non-maintainer upload. + * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream + for bug #622146. + + -- Steve Langasek <steve.langa...@ubuntu.com> Tue, 19 Jul 2011 20:54:17 +0000 + nfs-utils (1:1.2.2-4) unstable; urgency=low * mountd: fix path comparison for v4 crossmnt (Closes: #578317) diff -Nru nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch --- nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch 1969-12-31 16:00:00.000000000 -0800 +++ nfs-utils-1.2.2/debian/patches/16-negotiate-des-only.patch 2011-08-01 01:33:21.000000000 -0700 
@@ -0,0 +1,413 @@ +Description: Upstream changes introduced in version 1:1.2.2-4.1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully it gives details on why + those changes were made: + . + nfs-utils (1:1.2.2-4.1) UNRELEASED; urgency=low + . + * Non-maintainer upload. + * Build with patch d6c1b35c6b40243bfd6fba2591c9f8f2653078c0 from upstream + for bug #622146. + . + The person named in the Author field signed this changelog entry. +Author: Steve Langasek <steve.langa...@ubuntu.com> + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: http://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: <YYYY-MM-DD> + +--- /dev/null ++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.c +@@ -0,0 +1,200 @@ ++/* ++ * COPYRIGHT (c) 2011 ++ * The Regents of the University of Michigan ++ * ALL RIGHTS RESERVED ++ * ++ * Permission is granted to use, copy, create derivative works ++ * and redistribute this software and such derivative works ++ * for any purpose, so long as the name of The University of ++ * Michigan is not used in any advertising or publicity ++ * pertaining to the use of distribution of this software ++ * without specific, written prior authorization. If the ++ * above copyright notice or any other identification of the ++ * University of Michigan is included in any copy of any ++ * portion of this software, then the disclaimer below must ++ * also be included. 
++ * ++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION ++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY ++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF ++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE ++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR ++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING ++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN ++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGES. ++ */ ++ ++#ifdef HAVE_CONFIG_H ++#include <config.h> ++#endif /* HAVE_CONFIG_H */ ++ ++#ifndef _GNU_SOURCE ++#define _GNU_SOURCE ++#endif ++ ++#include <stdio.h> ++#include <errno.h> ++#include <gssapi/gssapi.h> ++#include <krb5.h> ++ ++#include "gss_util.h" ++#include "gss_oids.h" ++#include "err_util.h" ++#include "svcgssd_krb5.h" ++ ++#define MYBUFLEN 1024 ++ ++char *supported_enctypes_filename = "/proc/fs/nfsd/supported_krb5_enctypes"; ++int parsed_num_enctypes = 0; ++krb5_enctype *parsed_enctypes = NULL; ++char *cached_enctypes = NULL; ++ ++/*==========================*/ ++/*=== Internal routines ===*/ ++/*==========================*/ ++ ++/* ++ * Parse the supported encryption type information ++ */ ++static int ++parse_enctypes(char *enctypes) ++{ ++ int n = 0; ++ char *curr, *comma; ++ int i; ++ ++ /* Don't parse the same string over and over... 
*/ ++ if (cached_enctypes && strcmp(cached_enctypes, enctypes) == 0) ++ return 0; ++ ++ /* Free any existing cached_enctypes */ ++ free(cached_enctypes); ++ ++ if (parsed_enctypes != NULL) { ++ free(parsed_enctypes); ++ parsed_enctypes = NULL; ++ parsed_num_enctypes = 0; ++ } ++ ++ /* count the number of commas */ ++ for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) { ++ comma = strchr(curr, ','); ++ if (comma != NULL) ++ n++; ++ else ++ break; ++ } ++ ++ /* If no more commas and we're not at the end, there's one more value */ ++ if (*curr != '\0') ++ n++; ++ ++ /* Empty string, return an error */ ++ if (n == 0) ++ return ENOENT; ++ ++ /* Allocate space for enctypes array */ ++ if ((parsed_enctypes = (int *) calloc(n, sizeof(int))) == NULL) { ++ return ENOMEM; ++ } ++ ++ /* Now parse each value into the array */ ++ for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) { ++ parsed_enctypes[i++] = atoi(curr); ++ comma = strchr(curr, ','); ++ if (comma == NULL) ++ break; ++ } ++ ++ parsed_num_enctypes = n; ++ if ((cached_enctypes = malloc(strlen(enctypes)+1))) ++ strcpy(cached_enctypes, enctypes); ++ ++ return 0; ++} ++ ++static void ++get_kernel_supported_enctypes(void) ++{ ++ FILE *s_e; ++ int ret; ++ char buffer[MYBUFLEN + 1]; ++ ++ memset(buffer, '\0', sizeof(buffer)); ++ ++ s_e = fopen(supported_enctypes_filename, "r"); ++ if (s_e == NULL) ++ goto out_clean_parsed; ++ ++ ret = fread(buffer, 1, MYBUFLEN, s_e); ++ if (ret < 0) { ++ fclose(s_e); ++ goto out_clean_parsed; ++ } ++ fclose(s_e); ++ if (parse_enctypes(buffer)) { ++ goto out_clean_parsed; ++ } ++out: ++ return; ++ ++out_clean_parsed: ++ if (parsed_enctypes != NULL) { ++ free(parsed_enctypes); ++ parsed_num_enctypes = 0; ++ } ++ goto out; ++} ++ ++/*==========================*/ ++/*=== External routines ===*/ ++/*==========================*/ ++ ++/* ++ * Get encryption types supported by the kernel, and then ++ * call gss_krb5_set_allowable_enctypes() to limit the ++ * encryption 
types negotiated. ++ * ++ * Returns: ++ * 0 => all went well ++ * -1 => there was an error ++ */ ++ ++int ++svcgssd_limit_krb5_enctypes(void) ++{ ++#ifdef HAVE_SET_ALLOWABLE_ENCTYPES ++ u_int maj_stat, min_stat; ++ krb5_enctype default_enctypes[] = { ENCTYPE_DES_CBC_CRC, ++ ENCTYPE_DES_CBC_MD5, ++ ENCTYPE_DES_CBC_MD4 }; ++ int default_num_enctypes = ++ sizeof(default_enctypes) / sizeof(default_enctypes[0]); ++ krb5_enctype *enctypes; ++ int num_enctypes; ++ ++ get_kernel_supported_enctypes(); ++ ++ if (parsed_enctypes != NULL) { ++ enctypes = parsed_enctypes; ++ num_enctypes = parsed_num_enctypes; ++ } else { ++ enctypes = default_enctypes; ++ num_enctypes = default_num_enctypes; ++ } ++ ++ maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds, ++ &krb5oid, num_enctypes, enctypes); ++ if (maj_stat != GSS_S_COMPLETE) { ++ printerr(1, "WARNING: gss_set_allowable_enctypes failed\n"); ++ pgsserr("svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes", ++ maj_stat, min_stat, &krb5oid); ++ return -1; ++ } ++#endif ++ return 0; ++} +--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.in ++++ nfs-utils-1.2.2/utils/gssd/Makefile.in +@@ -93,7 +93,7 @@ am__objects_2 = svcgssd-context.$(OBJEXT + am_svcgssd_OBJECTS = $(am__objects_2) svcgssd-svcgssd.$(OBJEXT) \ + svcgssd-svcgssd_main_loop.$(OBJEXT) \ + svcgssd-svcgssd_mech2file.$(OBJEXT) \ +- svcgssd-svcgssd_proc.$(OBJEXT) ++ svcgssd-svcgssd_proc.$(OBJEXT) svcgssd-svcgssd_krb5.$(OBJEXT) + svcgssd_OBJECTS = $(am_svcgssd_OBJECTS) + svcgssd_DEPENDENCIES = ../../support/nfs/libnfs.a \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@@ -228,6 +228,7 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + PACKAGE_NAME = @PACKAGE_NAME@ + PACKAGE_STRING = @PACKAGE_STRING@ + PACKAGE_TARNAME = @PACKAGE_TARNAME@ ++PACKAGE_URL = @PACKAGE_URL@ + PACKAGE_VERSION = @PACKAGE_VERSION@ + PATH_SEPARATOR = @PATH_SEPARATOR@ + PKG_CONFIG = @PKG_CONFIG@ +@@ -354,7 +355,9 @@ svcgssd_SOURCES = \ + svcgssd_main_loop.c \ + svcgssd_mech2file.c \ + svcgssd_proc.c \ 
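Review bot: In `get_kernel_supported_enctypes()` the `out_clean_parsed` path frees `parsed_enctypes` and zeroes the count but leaves the pointer set. `svcgssd_limit_krb5_enctypes()` then still sees it as non-NULL and passes the freed array to `gss_set_allowable_enctypes`, and a later failure frees it a second time; add `parsed_enctypes = NULL;` right after that `free`. `parse_enctypes()` has the same pattern: `free(cached_enctypes);` is followed by early returns (`ENOENT`, `ENOMEM`) that leave the stale pointer for the next call's `strcmp`, so add `cached_enctypes = NULL;` there. Separately, `if (ret < 0)` cannot fire because `fread` returns an unsigned count, so a read error needs `ferror(s_e)` instead. When the proc file is missing or empty, the code silently falls back to the three single-DES enctypes, which deserves a log line so operators can see that the weak set is in force.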
++ svcgssd_krb5.c \ + \ ++ svcgssd_krb5.h \ + svcgssd.h + + svcgssd_LDADD = \ +@@ -520,6 +523,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_oids.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-gss_util.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_krb5.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_main_loop.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_mech2file.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/svcgssd-svcgssd_proc.Po@am__quote@ +@@ -895,6 +899,20 @@ svcgssd-svcgssd_proc.obj: svcgssd_proc.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_proc.obj `if test -f 'svcgssd_proc.c'; then $(CYGPATH_W) 'svcgssd_proc.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_proc.c'; fi` + ++svcgssd-svcgssd_krb5.o: svcgssd_krb5.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.o -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo '$(srcdir)/'`svcgssd_krb5.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.o `test -f 'svcgssd_krb5.c' || echo 
'$(srcdir)/'`svcgssd_krb5.c ++ ++svcgssd-svcgssd_krb5.obj: svcgssd_krb5.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -MT svcgssd-svcgssd_krb5.obj -MD -MP -MF $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/svcgssd-svcgssd_krb5.Tpo $(DEPDIR)/svcgssd-svcgssd_krb5.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='svcgssd_krb5.c' object='svcgssd-svcgssd_krb5.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(svcgssd_CFLAGS) $(CFLAGS) -c -o svcgssd-svcgssd_krb5.obj `if test -f 'svcgssd_krb5.c'; then $(CYGPATH_W) 'svcgssd_krb5.c'; else $(CYGPATH_W) '$(srcdir)/svcgssd_krb5.c'; fi` ++ + mostlyclean-libtool: + -rm -f *.lo + +--- nfs-utils-1.2.2.orig/utils/gssd/Makefile.am ++++ nfs-utils-1.2.2/utils/gssd/Makefile.am +@@ -51,7 +51,9 @@ svcgssd_SOURCES = \ + svcgssd_main_loop.c \ + svcgssd_mech2file.c \ + svcgssd_proc.c \ ++ svcgssd_krb5.c \ + \ ++ svcgssd_krb5.h \ + svcgssd.h + + svcgssd_LDADD = \ +--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd_proc.c ++++ nfs-utils-1.2.2/utils/gssd/svcgssd_proc.c +@@ -57,6 +57,7 @@ + #include "err_util.h" + #include "context.h" + #include "gss_oids.h" ++#include "svcgssd_krb5.h" + + extern char * mech2file(gss_OID mech); + #define SVCGSSD_CONTEXT_CHANNEL "/proc/net/rpc/auth.rpcsec.context/channel" +@@ -449,6 +450,10 @@ handle_nullreq(FILE *f) { + memcpy(&ctx, in_handle.value, in_handle.length); + } + ++ if (svcgssd_limit_krb5_enctypes()) { ++ goto out_err; ++ } ++ + maj_stat = gss_accept_sec_context(&min_stat, &ctx, gssd_creds, + &in_tok, GSS_C_NO_CHANNEL_BINDINGS, &client_name, + &mech, &out_tok, &ret_flags, NULL, NULL); 
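Review bot: The call added in `handle_nullreq` has no comment explaining why it sits directly before `gss_accept_sec_context`, and it runs on every null request. From the new svcgssd_krb5.c in this same patch, the helper re-reads the kernel's enctype list and applies it to the shared `gssd_creds`, so the ordering matters. A one-line comment such as `/* Limit gssd_creds to kernel-supported enctypes before accepting; re-checked per request. */` would make that explicit. The `out_err` label and the rest of the function are outside the hunk, so what the client sees on this failure path could not be checked here.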
+--- /dev/null ++++ nfs-utils-1.2.2/utils/gssd/svcgssd_krb5.h +@@ -0,0 +1,36 @@ ++/* ++ * COPYRIGHT (c) 2011 ++ * The Regents of the University of Michigan ++ * ALL RIGHTS RESERVED ++ * ++ * Permission is granted to use, copy, create derivative works ++ * and redistribute this software and such derivative works ++ * for any purpose, so long as the name of The University of ++ * Michigan is not used in any advertising or publicity ++ * pertaining to the use of distribution of this software ++ * without specific, written prior authorization. If the ++ * above copyright notice or any other identification of the ++ * University of Michigan is included in any copy of any ++ * portion of this software, then the disclaimer below must ++ * also be included. ++ * ++ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION ++ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY ++ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF ++ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ++ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ++ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE ++ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR ++ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING ++ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN ++ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGES. 
++ */ ++ ++#ifndef SVCGSSD_KRB5_H ++#define SVCGSSD_KRB5_H ++ ++int svcgssd_limit_krb5_enctypes(void); ++ ++#endif /* SVCGSSD_KRB5_H */ +--- nfs-utils-1.2.2.orig/utils/gssd/gss_util.c ++++ nfs-utils-1.2.2/utils/gssd/gss_util.c +@@ -199,20 +199,25 @@ gssd_acquire_cred(char *server_name) + u_int32_t ignore_maj_stat, ignore_min_stat; + gss_buffer_desc pbuf; + +- name.value = (void *)server_name; +- name.length = strlen(server_name); ++ /* If server_name is NULL, get cred for GSS_C_NO_NAME */ ++ if (server_name == NULL) { ++ target_name = GSS_C_NO_NAME; ++ } else { ++ name.value = (void *)server_name; ++ name.length = strlen(server_name); + +- maj_stat = gss_import_name(&min_stat, &name, +- (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE, +- &target_name); ++ maj_stat = gss_import_name(&min_stat, &name, ++ (const gss_OID) GSS_C_NT_HOSTBASED_SERVICE, ++ &target_name); + +- if (maj_stat != GSS_S_COMPLETE) { +- pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid); +- return (FALSE); ++ if (maj_stat != GSS_S_COMPLETE) { ++ pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid); ++ return (FALSE); ++ } + } + +- maj_stat = gss_acquire_cred(&min_stat, target_name, 0, +- GSS_C_NULL_OID_SET, GSS_C_ACCEPT, ++ maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE, ++ GSS_C_NO_OID_SET, GSS_C_ACCEPT, + &gssd_creds, NULL, NULL); + + if (maj_stat != GSS_S_COMPLETE) { +--- nfs-utils-1.2.2.orig/utils/gssd/svcgssd.c ++++ nfs-utils-1.2.2/utils/gssd/svcgssd.c +@@ -127,6 +127,12 @@ mydaemon(int nochdir, int noclose) + "(%s)\n", errno, strerror(errno)); + exit(1); + } ++ } else { ++ status = gssd_acquire_cred(NULL); ++ if (status == FALSE) { ++ printerr(0, "unable to obtain nameless credentials\n"); ++ exit(1); ++ } + } + + return; diff -Nru nfs-utils-1.2.2/debian/patches/series nfs-utils-1.2.2/debian/patches/series --- nfs-utils-1.2.2/debian/patches/series 2010-08-26 16:14:25.000000000 -0700 +++ nfs-utils-1.2.2/debian/patches/series 2011-08-01 01:30:53.000000000 -0700 
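Review bot: In the gss_util.c hunk, `server_name == NULL` now makes `gssd_acquire_cred` acquire the credential for `GSS_C_NO_NAME`. For an acceptor this normally means any service key in the keytab can be used, not only the nfs service principal, and the new comment states what is done but not what it widens. The `else` branch added in svcgssd.c makes this the path taken whenever its condition (outside the hunk) is false. The comment should therefore say which principals the daemon will then accept, e.g. `/* NULL: GSS_C_NO_NAME, i.e. accept for any principal in the keytab */`, and the keytab should hold only keys meant for this service. Also confirm that any later release of `target_name`, outside this hunk, is safe when it is `GSS_C_NO_NAME`.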
@@ -7,3 +7,4 @@
 13-preserve-explicit-port-2049.patch
 14-allow-address-without-name.patch
 15-mountd-fix-path-comparison-for-v4-crossmnt.patch
+16-negotiate-des-only.patch