[Bug 930430] Re: lxc-ls requires root access after deploying an LXC instance
Hi Jamie,

I started seeing this with juju 0.5.1+bzr563-0juju2~precise1, to which I recently upgraded. With 0.5+bzr531-0ubuntu1.2 (also in precise) it works.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/930430

Title:
  lxc-ls requires root access after deploying an LXC instance

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/juju/+bug/930430/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1673411] Re: config-drive support is broken
Verified on yakkety with a yakkety lxd container and the provided instructions:

     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1 500
            500 http://archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages

Created a config-drive and verified the result.json file:

    $ lxc file pull $name/run/cloud-init/result.json -
    {
     "v1": {
      "datasource": "DataSourceConfigDrive [net,ver=2][source=/config-drive]",
      "errors": []
     }
    }

/config-drive was there:

    root@foohost:~# find /config-drive/ -type f
    /config-drive/openstack/latest/meta_data.json
    /config-drive/openstack/latest/network_data.json
    /config-drive/openstack/latest/vendor_data.json
    /config-drive/openstack/latest/user_data
    /config-drive/openstack/2015-10-15/network_data.json
    /config-drive/openstack/2015-10-15/user_data
    /config-drive/openstack/2015-10-15/vendor_data.json
    /config-drive/openstack/2015-10-15/meta_data.json

To be sure my config-drive was being read, in another attempt I injected a failure into it by setting a link of an unknown type:

    $ lxc file pull $name/run/cloud-init/result.json -
    {
     "v1": {
      "datasource": null,
      "errors": [
       "Unknown network_data link type: dvs-andreas-was-here",
       "Unknown network_data link type: dvs-andreas-was-here",
       "('ssh-authkey-fingerprints', KeyError('getpwnam(): name not found: ubuntu',))"
      ]
     }
    }

As a side note, that prevented the ubuntu user from being created (and probably other things which do not concern us here).

** Tags added: verification-done-yakkety

[Bug 1673411] Re: config-drive support is broken
Verified on xenial with a xenial lxd container and the provided instructions:

      Version table:
     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

    $ lxc exec x1-fixed cat /run/cloud-init/result.json
    {
     "v1": {
      "datasource": "DataSourceConfigDrive [net,ver=2][source=/config-drive]",
      "errors": []
     }
    }

Inside the container:

    root@foohost:~# find /config-drive/ -type f
    /config-drive/openstack/latest/network_data.json
    /config-drive/openstack/latest/vendor_data.json
    /config-drive/openstack/latest/user_data
    /config-drive/openstack/latest/meta_data.json
    /config-drive/openstack/2015-10-15/meta_data.json
    /config-drive/openstack/2015-10-15/network_data.json
    /config-drive/openstack/2015-10-15/vendor_data.json
    /config-drive/openstack/2015-10-15/user_data

And again, to make sure my config-drive was being read, I injected a failure:

    $ lxc exec x1-fixed cat /run/cloud-init/result.json
    {
     "v1": {
      "datasource": null,
      "errors": [
       "Unknown network_data link type: dvs-andreas-was-here-again",
       "Unknown network_data link type: dvs-andreas-was-here-again",
       "('ssh-authkey-fingerprints', KeyError('getpwnam(): name not found: ubuntu',))"
      ]
     }
    }

All good.

** Tags added: verification-done-xenial

[Bug 1673411] Re: config-drive support is broken
** Tags removed: verification-needed

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
Also verified it with xenial and a config-drive that had "type": "dvs" in openstack/latest/network_data.json using the proposed package:

    root@x1-fixed:~# apt-cache policy cloud-init
    cloud-init:
      Installed: 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1
      Candidate: 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1
      Version table:
     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1 500
            500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

    $ lxc file pull x1-fixed/run/cloud-init/result.json
    {
     "v1": {
      "datasource": "DataSourceNoCloud [seed=/var/lib/cloud/seed/nocloud-net][dsmode=net]",
      "errors": []
     }
    }

To make sure my config-drive was being used, I injected a failure by setting an unknown link type of "dvs-andreas-was-here-again":

    $ lxc file pull x1-fixed/run/cloud-init/result.json -
    {
     "v1": {
      "datasource": null,
      "errors": [
       "Unknown network_data link type: dvs-andreas-was-here-again",
       "Unknown network_data link type: dvs-andreas-was-here-again"
      ]
     }
    }

and

    $ lxc exec x1-fixed -- grep dvs-andreas-was-here-again /var/log/cloud-init.log
    ValueError: Unknown network_data link type: dvs-andreas-was-here-again

** Tags added: verification-done-xenial

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
Using the package from yakkety-proposed in a yakkety LXD container:

    $ lxc exec y1-proposed -- /bin/bash
    root@y1-proposed:~# apt-cache policy cloud-init
    cloud-init:
      Installed: 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1
      Candidate: 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1
      Version table:
     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1 500
            500 http://archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages

/config-drive with a link of type "dvs":

    $ lxc exec y1-proposed -- grep dvs /config-drive/openstack/latest/network_data.json
    "type": "dvs",

No errors:

    $ lxc file pull y1-proposed/run/cloud-init/result.json -
    {
     "v1": {
      "datasource": "DataSourceConfigDrive [net,ver=2][source=/config-drive]",
      "errors": []
     }
    }

logs clean too:

    $ lxc exec y1-proposed -- grep dvs /var/log/cloud-init.log
    $

To make sure my config-drive was being used, I injected a failure by setting an unknown link type of "dvs-andreas-was-here-again":

    $ lxc file pull y1-proposed/run/cloud-init/result.json -
    {
     "v1": {
      "datasource": null,
      "errors": [
       "Unknown network_data link type: dvs-andreas-was-here-again",
       "Unknown network_data link type: dvs-andreas-was-here-again",
       "('ssh-authkey-fingerprints', KeyError('getpwnam(): name not found: ubuntu',))"
      ]
     }
    }

(the ssh authkey error is irrelevant for this case: the ubuntu user isn't created because of the network_data link type error)

and

    $ lxc exec y1-proposed -- grep dvs-andreas-was-here-again /var/log/cloud-init.log
    ValueError: Unknown network_data link type: dvs-andreas-was-here-again
    ValueError: Unknown network_data link type: dvs-andreas-was-here-again

** Tags removed: verification-needed
** Tags added: verification-done-yakkety

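The result.json check that the verification messages above perform by eye, as an added example (not part of the original messages and not cloud-init code): it expects a ConfigDrive datasource, de-duplicates errors, and separates the ssh-authkey-fingerprints error, which the messages describe as a consequence of the network_data failure, from the primary one. The function name, the verdict strings and the three sample documents are assumptions constructed after the output quoted above.

```python
import json

# Errors that the messages above describe as a consequence of the primary
# failure (the ubuntu user is never created), not as a cause of their own.
FOLLOW_ON_MARKERS = ("ssh-authkey-fingerprints",)

# Constructed samples, modelled on the result.json output quoted in the messages.
GOOD = """{"v1": {"datasource":
 "DataSourceConfigDrive [net,ver=2][source=/config-drive]", "errors": []}}"""

INJECTED = """{"v1": {"datasource": null, "errors": [
 "Unknown network_data link type: dvs-andreas-was-here",
 "Unknown network_data link type: dvs-andreas-was-here",
 "('ssh-authkey-fingerprints', KeyError('getpwnam(): name not found: ubuntu',))"
]}}"""

NOCLOUD = """{"v1": {"datasource":
 "DataSourceNoCloud [seed=/var/lib/cloud/seed/nocloud-net][dsmode=net]",
 "errors": []}}"""


def evaluate_result(result_text, expected_prefix="DataSourceConfigDrive"):
    """Return (verdict, primary_errors, follow_on_errors) for a result.json text.

    verdict is one of: "ok", "errors", "no-datasource", "wrong-datasource",
    "unreadable" (hypothetical labels chosen for this example).
    """
    try:
        v1 = json.loads(result_text)["v1"]
    except (ValueError, KeyError, TypeError):
        return ("unreadable", [], [])
    if not isinstance(v1, dict):
        return ("unreadable", [], [])

    # The same error is reported more than once in the quoted output,
    # so collapse duplicates while keeping the original order.
    unique = []
    for err in v1.get("errors") or []:
        err = str(err)
        if err not in unique:
            unique.append(err)

    follow_on = [e for e in unique if any(m in e for m in FOLLOW_ON_MARKERS)]
    primary = [e for e in unique if e not in follow_on]

    datasource = v1.get("datasource")
    if datasource is None:
        verdict = "no-datasource"
    elif not str(datasource).startswith(expected_prefix):
        # A clean run on a different datasource does not prove the
        # config-drive was read at all.
        verdict = "wrong-datasource"
    elif unique:
        verdict = "errors"
    else:
        verdict = "ok"
    return (verdict, primary, follow_on)


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("injected", INJECTED), ("nocloud", NOCLOUD)):
        print(name, evaluate_result(text))
```
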
[Bug 1570325] Re: RFE: chpasswd in cloud-init should support hashed passwords
Tests passed for xenial according to the instructions (see attached output).

** Attachment added: "lp-1570325-xenial.txt"
   https://bugs.launchpad.net/cloud-init/+bug/1570325/+attachment/4863558/+files/lp-1570325-xenial.txt

[Bug 1570325] Re: RFE: chpasswd in cloud-init should support hashed passwords
Tests passed for yakkety according to the instructions (see attached output).

** Attachment added: "lp-1570325-yakkety.txt"
   https://bugs.launchpad.net/cloud-init/+bug/1570325/+attachment/4863559/+files/lp-1570325-yakkety.txt

[Bug 1570325] Re: RFE: chpasswd in cloud-init should support hashed passwords
Also launched a yakkety lxd with the attached user-data file, and it correctly changed the user's password to the provided hash.

    lxc launch b03fe-yakkety-proposed y1-proposed "--config=user.user-data=$(cat cloud-init.yaml)"

** Attachment added: "cloud-init.yaml"
   https://bugs.launchpad.net/cloud-init/+bug/1570325/+attachment/4863573/+files/cloud-init.yaml

[Bug 1570325] Re: RFE: chpasswd in cloud-init should support hashed passwords
Also launched a xenial lxd container with the same user-data file as in the previous comment and it correctly changed the "tom" user's password to the provided hash.

    lxc launch b03fe-xenial-proposed x1-proposed "--config=user.user-data=$(cat cloud-init.yaml)"

** Tags removed: verification-needed
** Tags added: verification-done-xenial verification-done-yakkety

[Bug 1677710] Re: ds-identify does not find maas datasource
** Description changed: === Begin SRU Template === [Impact] On systems deployed with MAAS xenial and yakkety systems would put a warning on the login screen stating that the datasource was not found. - [Test Case] The full test case involves * deploying through MAAS * enabling -proposed (without -proposed should show failure) * setting curtin config to show: system_upgrade: {enabled: True}} [Regression Potential] - The changes did + The changes that were done a.) renamed some variables to make code more readable b.) make searching for config less restrictive due to 'a', there could be unintended bugs, but testing for other datasources would likely have turned that up. [Other Info] === End SRU Template === - in ds-identify, the dscheck_MAAS calls check_config incorrectly, and as a result - does not enable the MAAS datasource. + In ds-identify, the dscheck_MAAS calls check_config incorrectly, and as + a result does not enable the MAAS datasource.
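Review bot: in the [Test Case] steps that this description edit keeps, the curtin setting reads "system_upgrade: {enabled: True}}" with one closing brace too many, so it cannot be pasted as written; it should read "system_upgrade: {enabled: True}". The steps also stop at configuration and never state what to observe for a pass or a fail. The [Impact] text points at the login-screen warning that the datasource was not found, and the test case should name that check explicitly.
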
[Bug 1677710] Re: ds-identify does not find maas datasource
I'm having difficulties in reproducing the problematic case.

I added this to /etc/maas/preseeds/curtin_userdata:

    (...)
    system_upgrade:
      enabled: True
    late_commands:
    (...)

Deploying yakkety without -proposed, I don't see any error regarding not finding a datasource, either in the logs, or in the console. Much less at the login screen, which just displays a prompt as usual.

Thinking it could have scrolled by too fast, I also deployed elsewhere where I had access to a serial console and could save all the output to a file, but also didn't see such an error there.

The console always shows this at the end:

    (...)
    [ 87.015604] cloud-init[2751]: Cloud-init v. 0.7.9 running 'modules:final' at Mon, 17 Apr 2017 15:14:24 +. Up 74.50 seconds.
    [ 87.016119] cloud-init[2751]: Cloud-init v. 0.7.9 finished at Mon, 17 Apr 2017 15:14:36 +. Datasource DataSourceMAAS [http://10.96.0.10/MAAS/metadata/]. Up 86.09 seconds

    Ubuntu 16.10 albany ttyS1

    albany login:

Am I missing some condition to trigger the error? Could it be related to the MAAS version somehow? I tried with 2.1.5

[Bug 1677710] Re: ds-identify does not find maas datasource
It's hard to reproduce the same error condition, as this happened during the development of a new feature (deploying ubuntu-core via MAAS). The closest I could get to it after some help from Ryan Harper was to run ds-identify on a normally deployed MAAS node with the current cloud-init and the proposed one, and check the results in /run/cloud-init/cloud.cfg.

Besides that, I also configured MAAS to enable the -proposed pocket and the nodes deployed just fine, and with the new cloud-init from proposed installed.

For Yakkety:

With the current cloud-init, where the problem appears:

     *** 0.7.9-48-g1c795b9-0ubuntu1~16.10.1 500
            500 http://br.archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages

    # remove generated files
    root@15-89:/run/cloud-init# rm cloud.cfg ds-identify.log

    # cloud-init configuration, set via dpkg-reconfigure cloud-init and unchecking all items:
    root@15-89:/run/cloud-init# cat /etc/cloud/cloud.cfg.d/90_dpkg.cfg
    # to update this file, run dpkg-reconfigure cloud-init
    datasource_list: [ ]

    # maas datasource config file, written to by MAAS:
    root@15-89:/run/cloud-init# cat /etc/cloud/cloud.cfg.d/90_dpkg_maas.cfg
    # written by cloud-init debian package per preseed entries
    # cloud-init/{maas-metadata-url,/maas-metadata-credentials}
    datasource:
      MAAS: {consumer_key: xCkt8HsCeFKXBgm5SD, metadata_url: 'http://10.0.5.5:5240/MAAS/metadata/', token_key: 9pjmU6kjNAfdhe3xsJ, token_secret: kARCFjDaswVYDRLTSCTg9rrvXMjB7cGb}

    # let's call ds-identify:
    root@15-89:/run/cloud-init# unset DS_MAIN
    root@15-89:/run/cloud-init# /usr/lib/cloud-init/ds-identify

    # and we have no MAAS in cloud.cfg (somehow it thinks ec2 could be a candidate):
    root@15-89:/run/cloud-init# cat cloud.cfg
    datasource_list: [ Ec2, None ]
    datasource: {Ec2: {strict_id: "warn"}}

    # the ds-identify log file has
    root@15-89:/run/cloud-init# cat ds-identify.log
    (...)
    DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 OpenNebula OpenStack OVF SmartOS
    (...)
    is_container=false
    ec2 platform is 'Unknown'.
    check for 'Ec2' returned maybe
    1 datasources returned maybe: Ec2
    [up 10525.51s] returning 0

Now I install the package from proposed:

     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.10.1 500
            500 http://br.archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages

And repeat the steps. This time I get:

    root@15-89:/run/cloud-init# cat cloud.cfg
    datasource_list: [ MAAS, None ]

And the ds-identify log has:

    root@15-89:/run/cloud-init# cat ds-identify.log
    (...)
    DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 GCE OpenNebula OpenStack OVF SmartOS
    (...)
    is_container=false
    check for 'MAAS' returned found
    ec2 platform is 'Unknown'.
    check for 'Ec2' returned maybe
    Found single datasource: MAAS
    [up 10721.60s] returning 0

** Tags removed: dsid

[Bug 1677710] Re: ds-identify does not find maas datasource
For xenial:

With the current cloud-init, where the problem appears:

     *** 0.7.9-48-g1c795b9-0ubuntu1~16.04.1 500
            500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

    # remove generated files
    root@15-89:/run/cloud-init# rm cloud.cfg ds-identify.log

    # cloud-init configuration, set via dpkg-reconfigure cloud-init and unchecking all items:
    root@15-89:/run/cloud-init# cat /etc/cloud/cloud.cfg.d/90_dpkg.cfg
    # to update this file, run dpkg-reconfigure cloud-init
    datasource_list: [ ]

    # maas datasource config file, written to by MAAS:
    root@15-89:/run/cloud-init# cat /etc/cloud/cloud.cfg.d/90_dpkg_maas.cfg
    # written by cloud-init debian package per preseed entries
    # cloud-init/{maas-metadata-url,/maas-metadata-credentials}
    datasource:
      MAAS: {consumer_key: L8SxaFb29L3rzc3Vw8, metadata_url: 'http://10.0.5.5:5240/MAAS/metadata/', token_key: 92LGSD8NBTHbD7n7T8, token_secret: FAbznaWcx72ryaK6SrErnqeK2z9LH2Dj}

    # let's call ds-identify:
    root@15-89:/run/cloud-init# unset DS_MAIN
    root@15-89:/run/cloud-init# /usr/lib/cloud-init/ds-identify

    # and we have no MAAS in cloud.cfg (somehow it thinks ec2 could be a candidate):
    root@15-89:/run/cloud-init# cat cloud.cfg
    di_report:
      datasource_list: [ Ec2, None ]
      datasource: {Ec2: {strict_id: "warn"}}

    # the ds-identify log file has
    root@15-89:/run/cloud-init# cat ds-identify.log
    (...)
    DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 OpenNebula OpenStack OVF SmartOS
    (...)
    is_container=false
    ec2 platform is 'Unknown'.
    check for 'Ec2' returned maybe
    1 datasources returned maybe: Ec2
    [up 273.31s] returning 0

Now I install the package from proposed:

     *** 0.7.9-90-g61eb03fe-0ubuntu1~16.04.1 500
            500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

90_dpkg.cfg still has an empty list:

    root@15-89:/run/cloud-init# cat /etc/cloud/cloud.cfg.d/90_dpkg.cfg
    # to update this file, run dpkg-reconfigure cloud-init
    datasource_list: [ ]

And repeat the steps. This time I get:

    root@15-89:/run/cloud-init# cat cloud.cfg
    di_report:
      datasource_list: [ MAAS, None ]

And the ds-identify log has:

    (...)
    DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 GCE OpenNebula OpenStack OVF SmartOS
    (...)
    is_container=false
    check for 'MAAS' returned found
    ec2 platform is 'Unknown'.
    check for 'Ec2' returned maybe
    Found single datasource: MAAS
    [up 401.41s] returning 0

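What the two ds-identify.log excerpts above show, as an added example (not part of the original messages and not cloud-init code): it reads the per-datasource check results and the final pick from a log and reports when a datasource that has explicit configuration, such as MAAS in 90_dpkg_maas.cfg, is not the one selected. The function names and the two sample logs are assumptions; the samples are constructed from the excerpts above with the elided parts left out.

```python
import re

CHECK_RE = re.compile(r"^check for '([^']+)' returned (\S+)$")
SINGLE_RE = re.compile(r"^Found single datasource: (\S+)$")
MAYBE_RE = re.compile(r"^\d+ datasources returned maybe: (.+)$")

# Constructed from the log excerpt quoted for the package in -updates.
BROKEN_LOG = """\
DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 OpenNebula OpenStack OVF SmartOS
is_container=false
ec2 platform is 'Unknown'.
check for 'Ec2' returned maybe
1 datasources returned maybe: Ec2
[up 10525.51s] returning 0
"""

# Constructed from the log excerpt quoted for the package in -proposed.
FIXED_LOG = """\
DSLIST=MAAS ConfigDrive NoCloud AltCloud Azure Bigstep CloudSigma CloudStack DigitalOcean Ec2 GCE OpenNebula OpenStack OVF SmartOS
is_container=false
check for 'MAAS' returned found
ec2 platform is 'Unknown'.
check for 'Ec2' returned maybe
Found single datasource: MAAS
[up 10721.60s] returning 0
"""


def summarize(log_text):
    """Extract the candidate list, per-datasource results and the final pick."""
    summary = {"dslist": [], "checks": {}, "selected": [], "certain": False}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("DSLIST="):
            summary["dslist"] = line[len("DSLIST="):].split()
        elif (m := CHECK_RE.match(line)):
            summary["checks"][m.group(1)] = m.group(2)
        elif (m := SINGLE_RE.match(line)):
            summary["selected"], summary["certain"] = [m.group(1)], True
        elif (m := MAYBE_RE.match(line)):
            summary["selected"], summary["certain"] = m.group(1).split(), False
    return summary


def audit(log_text, configured):
    """List mismatches between explicitly configured datasources and the log.

    configured: names of datasources that have their own settings under
    /etc/cloud/cloud.cfg.d (for the hosts above, ["MAAS"]).
    """
    s = summarize(log_text)
    findings = []
    for name in configured:
        if s["checks"].get(name) != "found":
            findings.append(f"{name}: has explicit config but check did not return 'found'")
        if name not in s["selected"]:
            picked = ", ".join(s["selected"]) or "nothing"
            findings.append(f"{name}: not selected (ds-identify picked {picked})")
    if s["selected"] and not s["certain"]:
        findings.append("selection rests on 'maybe' results only: " + ", ".join(s["selected"]))
    return findings


if __name__ == "__main__":
    for label, log in (("updates", BROKEN_LOG), ("proposed", FIXED_LOG)):
        print(label, audit(log, ["MAAS"]) or "consistent")
```
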
[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
** Changed in: openvpn-auth-ldap (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: openvpn-auth-ldap (Ubuntu)
       Status: Triaged => In Progress

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
I'll try rebooting a xenial node that has the updated cloud-init package and see what happens.

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
@ashish-kumar-gupta can you please attach your /var/log/cloud-init*.log from this attempt?

Also please the output of:

    sudo ls -lah /var/lib/cloud/instance/ /var/lib/cloud/data/ /run/cloud-init/

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
** Tags removed: verification-done-xenial
** Tags added: verification-needed

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
@ashish-kumar-gupta you seem to be hitting this bug: https://launchpad.net/bugs/1531880

[Bug 1674946] Re: cloud-init fails with "Unknown network_data link type: dvs"
For the record, I did reboot a maas node that had the config-drive network configuration to use "dvs" and it didn't fail.

[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
** Bug watch added: Debian Bug tracker #680166
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680166

** Also affects: openvpn-auth-ldap (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680166
   Importance: Unknown
       Status: Unknown

** No longer affects: openvpn (Ubuntu)

[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
Removing the debian bug task, the linked bug is similar but it requires an additional fix on top of the one provided here.

** No longer affects: openvpn-auth-ldap (Debian)

[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
** Bug watch added: Debian Bug tracker #861107
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861107

** Also affects: openvpn-auth-ldap (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861107
   Importance: Unknown
       Status: Unknown

[Bug 1602813] Re: openvpn-auth-ldap causing segfault on network timeout
debdiff for artful

** Patch added: "lp1602813.debdiff"
   https://bugs.launchpad.net/debian/+source/openvpn-auth-ldap/+bug/1602813/+attachment/4867421/+files/lp1602813.debdiff

[Bug 1188475] Re: ldap group doesn't work
User filed upstream bug at https://github.com/cyrusimap/cyrus-sasl/issues/427

** Bug watch added: github.com/cyrusimap/cyrus-sasl/issues #427
   https://github.com/cyrusimap/cyrus-sasl/issues/427

[Bug 1188475] Re: ldap group doesn't work
Can you share your saslauthd configuration, and portions of your DIT showing how the users and groups are organised?

At first glance, it feels correct to be using the user's DN to check for group membership. I would certainly expect to be able to tell which groups I belong to without having to resort to some sort of third party or even administrator credentials.

** Changed in: cyrus-sasl2 (Ubuntu)
       Status: Triaged => Incomplete

[Bug 1669193] Re: feature request - json stats output
** Bug watch added: Debian Bug tracker #856905
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856905

** Also affects: bind9 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856905
   Importance: Unknown
       Status: Unknown

[Bug 1669193] Re: feature request - json stats output
I also updated the debian bug.
[Bug 1669193] Re: feature request - json stats output
Simple debdiff to enable json support for the statistics.
To test, add this to /etc/bind/named.conf.local and restart bind:
    statistics-channels {
        inet * port allow { 127.0.0.1; };
    };
(replace 127.0.0.1 with "any" if you prefer)
Then access the endpoint:
    wget http://localhost:/json
http://localhost:/xml also still works.
** Patch added: "lp-1669193.debdiff"
   https://bugs.launchpad.net/debian/+source/bind9/+bug/1669193/+attachment/4868361/+files/lp-1669193.debdiff
[Bug 715765] Re: Can't change kerberos password
I tried with xenial (krb5 1.13.2+dfsg-5ubuntu2) and precise (krb5 1.10+dfsg~beta1-2ubuntu0.7) and kpasswd worked in both cases when having the principal created with the preauth flag (it was hinted this could have been the problem).
This is on precise (1.10):
    kadmin.local: addprinc +requires_preauth ubuntu
    WARNING: no policy specified for ubuntu@PRECISE; defaulting to no policy
    Enter password for principal "ubuntu@PRECISE":
    Re-enter password for principal "ubuntu@PRECISE":
    Principal "ubuntu@PRECISE" created.
Client (also precise, 1.10):
    ubuntu@precise-krb5-client:~$ kinit
    Password for ubuntu@PRECISE:
    ubuntu@precise-krb5-client:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubuntu@PRECISE
    Valid starting Expires Service principal
    01/05/2017 19:22 02/05/2017 05:22 krbtgt/PRECISE@PRECISE
    renew until 02/05/2017 19:22
    ubuntu@precise-krb5-client:~$ kpasswd
    Password for ubuntu@PRECISE:
    Enter new password:
    Enter it again:
    Password changed.
    ubuntu@precise-krb5-client:~$ klist -f5
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubuntu@PRECISE
    Valid starting Expires Service principal
    01/05/2017 19:22 02/05/2017 05:22 krbtgt/PRECISE@PRECISE
    renew until 02/05/2017 19:22, Flags: FPRIA
Server log:
    May 1 19:22:19 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for krbtgt/PRECISE@PRECISE, Additional pre-authentication required
    May 1 19:22:20 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666540, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for krbtgt/PRECISE@PRECISE
    May 1 19:22:25 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: NEEDED_PREAUTH: ubuntu@PRECISE for kadmin/changepw@PRECISE, Additional pre-authentication required
    May 1 19:22:27 precise-krb5-server krb5kdc[5357]: AS_REQ (4 etypes {18 17 16 23}) 10.0.100.232: ISSUE: authtime 1493666547, etypes {rep=18 tkt=18 ses=18}, ubuntu@PRECISE for kadmin/changepw@PRECISE
    May 1 19:22:33 precise-krb5-server kadmind[5361]: chpw request from 10.0.100.232 for ubuntu@PRECISE: success
This is an old bug, I'll mark it as incomplete so that it expires if there are no further comments.
** Changed in: krb5 (Ubuntu)
   Status: Triaged => Incomplete
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
** Changed in: krb5 (Ubuntu Zesty)
   Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: krb5 (Ubuntu Zesty)
   Status: Triaged => In Progress
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
This launchpad bug was "overloaded" and is talking about 3 issues:
a) kinit fails for OTP user when using kdc discovery via DNS
 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
 - debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
 - debian patch: 0013-Fix-udp_preference_limit-with-SRV-records.patch
b) KDC/kadmind explicit wildcard listener addresses do not use pktinfo
 - no LP bug
 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
 - debian patch: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch
c) KDC/kadmind may fail to start on IPv4-only systems
 - no LP bug
 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
 - debian: also conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch
I'll file separate bugs for (b) and (c) including test cases and then the SRU can address them too. I'm now working on a test case for (a).
** Bug watch added: krbdev.mit.edu/rt/ #8554
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
** Bug watch added: krbdev.mit.edu/rt/ #8530
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
** Bug watch added: Debian Bug tracker #860767
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
** Bug watch added: krbdev.mit.edu/rt/ #8531
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121 filed for (b)
[Bug 1688121] [NEW] KDC/kadmind explicit wildcard listener addresses do not use pktinfo
Public bug reported:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch

TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP

On zesty:
a) install krb5-kdc and krb5-admin-server
    sudo apt install krb5-kdc krb5-admin-server
   when prompted, use EXAMPLE.ORG (all caps) as the default realm
   when prompted, select your own IP for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
    sudo krb5_newrealm
   use any password of your liking when prompted
c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH:
    sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket:
    $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu
    $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab
    $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
    real 0m0.022s
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubu...@example.org
    Valid starting Expires Service principal
    05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org
    renew until 05/04/2017 21:22:08
e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case):
    sudo ip addr add 10.0.5.155/24 dev ens3
f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e):
    [realms]
        EXAMPLE.ORG = {
            kdc = 10.0.5.155
            admin_server = 10.0.5.155
g) Time again how long it takes to obtain a ticket:
    $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
    real 0m2.017s
Step (g) shows the bug.
On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP:
    1 0.0 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
    2 0.000566682 10.0.5.55 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
(2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again:
    3 1.003231507 10.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
    4 1.003269692 10.0.5.155 → 10.0.5.55 TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128
    5 1.003302614 10.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
    6 1.003545204 10.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ
    7 1.003567693 10.0.5.155 → 10.0.5.55 TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
    8 1.003799664 10.0.5.155 → 10.0.5.55 KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    (continues)
(8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :)
** Affects: krb5 (Ubuntu)
   Importance: Undecided
   Assignee: Andreas Hasenack (ahasenack)
   Status: In Progress
** Description changed: - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch - TL;DR obtaining a ticket (kinit) takes longer when talking to the kdc on - an aliased interface (i.e. 
eth0:1) + TL;DR when kinit uses udp on an aliased interface, server responds with + the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.02
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Bug watch added: krbdev.mit.edu/rt/ #8530
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
** Also affects: krb5 (Debian) via
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
   Importance: Unknown
   Status: Unknown
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
With the fix applied, we get this:
    $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
    real 0m0.023s
And the traffic happens all in UDP, since kinit got the "PREAUTH required" response (because now it came from the correct source IP) and just issued the updated request right away:
    1 0.0 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
    2 0.002060386 10.0.5.155 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
    3 0.005412046 10.0.5.55 → 10.0.5.155 KRB5 311 AS-REQ
    4 0.012516720 10.0.5.155 → 10.0.5.55 KRB5 793 AS-REP
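The source-address check that the two captures in this bug illustrate, written out as an added example (not part of the bug report and not krb5 code): it reads tshark one-line summaries, pairs each KRB5 reply with the outstanding request, flags replies whose source is not the address the request was sent to, and measures the delay before the client falls back to TCP. The sample captures are reconstructed from the frames quoted in the thread (column spacing restored, first timestamp written as 0.000000000); all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples: the frames quoted in the bug, spacing restored.
BUGGY_CAPTURE = """
1 0.000000000 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
2 0.000566682 10.0.5.55 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
3 1.003231507 10.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
4 1.003269692 10.0.5.155 → 10.0.5.55 TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128
5 1.003302614 10.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
6 1.003545204 10.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ
7 1.003567693 10.0.5.155 → 10.0.5.55 TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
8 1.003799664 10.0.5.155 → 10.0.5.55 KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
"""

FIXED_CAPTURE = """
1 0.000000000 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
2 0.002060386 10.0.5.155 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
3 0.005412046 10.0.5.55 → 10.0.5.155 KRB5 311 AS-REQ
4 0.012516720 10.0.5.155 → 10.0.5.55 KRB5 793 AS-REP
"""

# Frame number, relative time, source, arrow, destination, protocol, length, info.
FRAME_RE = re.compile(
    r"^\s*(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s+(?:→|->)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*?)\s*$"
)
REQUESTS = ("AS-REQ", "TGS-REQ")
REPLIES = ("AS-REP", "TGS-REP", "KRB Error")


@dataclass(frozen=True)
class Frame:
    number: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str


def parse_capture(text: str) -> List[Frame]:
    """Parse tshark summary lines; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            n, t, src, dst, proto, length, info = m.groups()
            frames.append(Frame(int(n), float(t), src, dst, proto, int(length), info))
    return frames


def mismatched_replies(frames: List[Frame]) -> List[Tuple[Frame, Frame]]:
    """Return (request, reply) pairs where the reply did not come from the
    address the request was sent to, so the client will discard it."""
    pending: Dict[str, Frame] = {}   # client address -> outstanding request
    findings = []
    for f in frames:
        if f.proto != "KRB5":
            continue
        if f.info.startswith(REQUESTS):
            pending[f.src] = f
        elif f.info.startswith(REPLIES):
            req = pending.pop(f.dst, None)
            if req is not None and f.src != req.dst:
                findings.append((req, f))
    return findings


def tcp_fallback_delay(frames: List[Frame], kdc_port: int = 88) -> Optional[float]:
    """Seconds between the first KRB5 request and the client's first TCP SYN
    to the same server on kdc_port, or None if there was no fallback."""
    first = next((f for f in frames
                  if f.proto == "KRB5" and f.info.startswith(REQUESTS)), None)
    if first is None:
        return None
    syn = re.compile(rf"^\d+\s+(?:→|->)\s+{kdc_port}\s+\[SYN\]")
    for f in frames:
        if (f.proto == "TCP" and f.time >= first.time and f.src == first.src
                and f.dst == first.dst and syn.match(f.info)):
            return f.time - first.time
    return None


def summarize(text: str) -> dict:
    frames = parse_capture(text)
    return {
        "frames": len(frames),
        "mismatched": [(q.number, r.number, r.src, q.dst)
                       for q, r in mismatched_replies(frames)],
        "tcp_fallback_after": tcp_fallback_delay(frames),
    }


if __name__ == "__main__":
    print("before fix:", summarize(BUGGY_CAPTURE))
    print("after fix: ", summarize(FIXED_CAPTURE))
```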
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty)
   Assignee: (unassigned) => Andreas Hasenack (ahasenack)
** Changed in: krb5 (Ubuntu)
   Assignee: Andreas Hasenack (ahasenack) => (unassigned)
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty)
   Status: New => In Progress
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch TL;DR when kinit uses udp on an aliased interface address, server responds with the wrong source IP On zesty: a) install krb5-kdc and krb5-admin-server - sudo apt install krb5-kdc krb5-admin-server + $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG - sudo krb5_newrealm + $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: - sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu + $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. 
For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): - sudo ip addr add 10.0.5.155/24 dev ens3 + $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. 
That's why it takes 2 seconds in the end :)
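Review bot: step (f), in the unchanged context, still shows the /etc/krb5.conf excerpt as "[realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155" with no closing brace, so anyone pasting it ends up with an unterminated realm block. Since this edit is already turning the commands into copy-paste form by adding the "$ " prompt in steps (a), (b), (c) and (e), either close the block with "}" or say that the lines are an excerpt of the existing EXAMPLE.ORG section.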
[Bug 1688310] [NEW] KDC/kadmind may fail to start on IPv4-only systems
Public bug reported:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start.

Steps to reproduce the problem on zesty:
a) install krb5-kdc krb5-admin-server
    $ sudo apt install krb5-kdc krb5-admin-server
   when prompted, use EXAMPLE.ORG (all caps) as the default realm
   when prompted, use the IP of this machine for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
    $ sudo krb5_newrealm
   use any password of your liking when prompted
c) confirm the kdc and admin services are running.
    $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
    4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
    4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
d) create a principal and obtain a ticket to confirm kerberos is working properly:
    $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
    $ kinit
    Password for ubu...@example.org:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubu...@example.org
    Valid starting Expires Service principal
    05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org
    renew until 05/05/2017 14:20:13
e) Confirm the kerberos services are bound to IPv6 local sockets:
    $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
    tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
    tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
    tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
    udp6 0 0 :::88 :::* 1078/krb5kdc
    udp6 0 0 :::464 :::* 1065/kadmind
    udp6 0 0 :::750 :::* 1078/krb5kdc
f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
   e.1) edit /etc/default/grub
   e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
   e.3) run sudo update-grub
   e.4) reboot
f) Confirm the kdc and admin services are NOT running:
    $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
    $
g) /var/log/auth.log will contain the reason:
    $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
    May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
    May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
    May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
    May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
    May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
    May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
** Affects: krb5 (Ubuntu)
   Importance: Undecided
   Assignee: Andreas Hasenack (ahasenack)
   Status: In Progress
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310 filed for (c)
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Changed in: krb5 (Ubuntu)
   Assignee: Andreas Hasenack (ahasenack) => (unassigned)
** Changed in: krb5 (Ubuntu)
   Status: In Progress => Fix Released
** Changed in: krb5 (Ubuntu Zesty)
   Status: New => In Progress
** Changed in: krb5 (Ubuntu Zesty)
   Assignee: (unassigned) => Andreas Hasenack (ahasenack)
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Bug watch added: Debian Bug tracker #860767
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
   Importance: Unknown
   Status: Unknown
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Ok, I got a simpler test case for (a) that doesn't involve setting up FreeIPA, PKINIT or OTP. I'll update the bug description about it tomorrow and then proceed with the SRU paperwork and actual packages.
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
** Description changed: + This is fixed in krb5 1.15-2 in artful + + Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554 + Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307 + Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch + + TL;DR + kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show udp and tcp entries. + + Steps to reproduce on zesty, with all services on one machine for + simplicity (I suggest to use LXD): + + a) install the packages from zesty (not the proposed ones yet): + $ sudo apt install krb5-kdc krb5-admin-server bind9 + + When prompted for the realm, choose EXAMPLE.COM + When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1) + The KDC will fail to start because there is no realm yet, that's not relevant for this bug. + + b) Edit /etc/krb5.conf and make the following changes: + - remove the "default_realm" line from the [libdefaults] section + - remove the EXAMPLE.COM realm block from the [realms] section + - add "dns_lookup_realm = true" to the [libdefaults] section + - add "dns_lookup_kdc = true" to the [libdefaults] section + - add "udp_preference_limit = 1" to the [libdefaults] section + + c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone): + zone "example.com" { + type master; + file "/etc/bind/db.example.com"; + }; + + d) Create /etc/bind/db.example.com with this content: + $TTL604800 + @ IN SOA example.com. ubuntu.example.com. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL + ; + @ IN NS zesty-bug1683237.example.com. 
+ zesty-bug1683237IN A 10.0.100.249 + _kerberos TXT "EXAMPLE.COM" + _kerberos._udp SRV 0 0 88 zesty-bug1683237 + _kerberos._tcp SRV 0 0 88 zesty-bug1683237 + _kerberos-master._udp SRV 0 0 88 zesty-bug1683237 + _kerberos-master._tcp SRV 0 0 88 zesty-bug1683237 + _kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237 + _kpasswd._udp SRV 0 0 464 zesty-bug1683237 + + Use the real IP of your test machine/container where I used + "10.0.100.249". You can also choose another hostname if you want, just + be consistent across the board. I chose "zesty-bug1683237". + + e) Restart bind + $ sudo service bind9 restart + + f) Do a few quick DNS tests: + $ dig +short @10.0.100.249 zesty-bug1683237.example.com + 10.0.100.249 + $ dig +short @10.0.100.249 -t TXT _kerberos.example.com + "EXAMPLE.COM" + $ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com + 0 0 88 zesty-bug1683237.example.com. + $ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com + 0 0 88 zesty-bug1683237.example.com. + + g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces: + nameserver 10.0.100.249 # USE YOUR IP HERE + search example.com + + h) Create the EXAMPLE.COM kerberos realm: + $ sudo krb5_newrealm + When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps. + + i) Start the kerberos services: + $ sudo service krb5-kdc start + sudo service krb5-admin-server start + + j) Create a principal and test it: + $ sudo kadmin.local addprinc -pw ubuntu ubuntu + $ kinit ubuntu + Password for ubu...@example.com: + $ klist + (...) + 05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/example@example.com + (...) + + + Now we are ready to test the bug. + + Give that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit + should use TCP instead of UDP. 
Let's check: + + $ KRB5_TRACE=/dev/stderr kinit + [7609] 1493989890.568980: Getting initial credentials for ubu...@example.com + [7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM + [7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com. + [7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88 + (...) + + Uh oh, it's using UDP! + + With the fixed packages, the story is different: + $ KRB5_TRACE=/dev/stderr kinit + [14287] 1493990160.760430: Getting initial credentials for ubu...@example.com + [14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM + [14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com. + [14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com. + [14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88 + [14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88 + (...) + + And if udp_preference_limit is removed from /etc/krb5.c
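Review bot: two wording slips in the added reproduction steps will trip up readers who follow them literally. In step (i) the second command, "sudo service krb5-admin-server start", has no "$ " prompt while every other command in the description does, and the sentence before the first trace reads "Give that we have udp_preference_limit = 1" where "Given that" is meant. Both are worth fixing in the same edit so the steps read consistently.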
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
** Description changed:

  This is fixed in krb5 1.15-2 in artful
  Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
  Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
  Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch

  TL;DR
- kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show udp and tcp entries.
+ kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries.

  Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest to use LXD):

  a) install the packages from zesty (not the proposed ones yet):
  $ sudo apt install krb5-kdc krb5-admin-server bind9
  When prompted for the realm, choose EXAMPLE.COM
  When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
  The KDC will fail to start because there is no realm yet, that's not relevant for this bug.

  b) Edit /etc/krb5.conf and make the following changes:
  - remove the "default_realm" line from the [libdefaults] section
  - remove the EXAMPLE.COM realm block from the [realms] section
  - add "dns_lookup_realm = true" to the [libdefaults] section
  - add "dns_lookup_kdc = true" to the [libdefaults] section
  - add "udp_preference_limit = 1" to the [libdefaults] section

  c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):
  zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
  };

  d) Create /etc/bind/db.example.com with this content:
  $TTL 604800
  @ IN SOA example.com. ubuntu.example.com. (
      1 ; Serial
      604800 ; Refresh
      86400 ; Retry
      2419200 ; Expire
      604800 ) ; Negative Cache TTL
  ;
  @ IN NS zesty-bug1683237.example.com.
  zesty-bug1683237 IN A 10.0.100.249
  _kerberos TXT "EXAMPLE.COM"
  _kerberos._udp SRV 0 0 88 zesty-bug1683237
  _kerberos._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._udp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
  _kpasswd._udp SRV 0 0 464 zesty-bug1683237

  Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

  e) Restart bind
  $ sudo service bind9 restart

  f) Do a few quick DNS tests:
  $ dig +short @10.0.100.249 zesty-bug1683237.example.com
  10.0.100.249
  $ dig +short @10.0.100.249 -t TXT _kerberos.example.com
  "EXAMPLE.COM"
  $ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
  0 0 88 zesty-bug1683237.example.com.
  $ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
  0 0 88 zesty-bug1683237.example.com.

  g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:
  nameserver 10.0.100.249 # USE YOUR IP HERE
  search example.com

  h) Create the EXAMPLE.COM kerberos realm:
  $ sudo krb5_newrealm
  When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

  i) Start the kerberos services:
  $ sudo service krb5-kdc start
  $ sudo service krb5-admin-server start

  j) Create a principal and test it:
  $ sudo kadmin.local addprinc -pw ubuntu ubuntu
  $ kinit ubuntu
  Password for ubu...@example.com:
  $ klist
  (...)
  05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/example@example.com
  (...)

  Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

  $ KRB5_TRACE=/dev/stderr kinit
  [7609] 1493989890.568980: Getting initial credentials for ubu...@example.com
  [7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
  [7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
  [7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
  (...)

  Uh oh, it's using UDP!

  With the fixed packages, the story is different:
  $ KRB5_TRACE=/dev/stderr kinit
  [14287] 1493990160.760430: Getting initial credentials for ubu...@example.com
  [14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
  [14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
  [14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
  [14287] 1493990160.770588: Initiatin
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
** Description changed:

  This is fixed in krb5 1.15-2 in artful
  Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
  Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
  Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch

- TL;DR
- kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries.
+
+ [Impact]
+
+ kinit does not respect udp_preference_limit and always uses TCP to talk
+ to the KDC when using the DNS SRV records to locate the service and
+ these records show both udp and tcp entries.
+
+
+ [Test Case]

  Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest to use LXD):

  a) install the packages from zesty (not the proposed ones yet):
  $ sudo apt install krb5-kdc krb5-admin-server bind9
  When prompted for the realm, choose EXAMPLE.COM
  When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
  The KDC will fail to start because there is no realm yet, that's not relevant for this bug.

  b) Edit /etc/krb5.conf and make the following changes:
  - remove the "default_realm" line from the [libdefaults] section
  - remove the EXAMPLE.COM realm block from the [realms] section
  - add "dns_lookup_realm = true" to the [libdefaults] section
  - add "dns_lookup_kdc = true" to the [libdefaults] section
  - add "udp_preference_limit = 1" to the [libdefaults] section

  c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):
  zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
  };

  d) Create /etc/bind/db.example.com with this content:
  $TTL 604800
  @ IN SOA example.com. ubuntu.example.com. (
      1 ; Serial
      604800 ; Refresh
      86400 ; Retry
      2419200 ; Expire
      604800 ) ; Negative Cache TTL
  ;
  @ IN NS zesty-bug1683237.example.com.
  zesty-bug1683237 IN A 10.0.100.249
  _kerberos TXT "EXAMPLE.COM"
  _kerberos._udp SRV 0 0 88 zesty-bug1683237
  _kerberos._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._udp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
  _kpasswd._udp SRV 0 0 464 zesty-bug1683237

  Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

  e) Restart bind
  $ sudo service bind9 restart

  f) Do a few quick DNS tests:
  $ dig +short @10.0.100.249 zesty-bug1683237.example.com
  10.0.100.249
  $ dig +short @10.0.100.249 -t TXT _kerberos.example.com
  "EXAMPLE.COM"
  $ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
  0 0 88 zesty-bug1683237.example.com.
  $ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
  0 0 88 zesty-bug1683237.example.com.

  g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:
  nameserver 10.0.100.249 # USE YOUR IP HERE
  search example.com

  h) Create the EXAMPLE.COM kerberos realm:
  $ sudo krb5_newrealm
  When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

  i) Start the kerberos services:
  $ sudo service krb5-kdc start
  $ sudo service krb5-admin-server start

  j) Create a principal and test it:
  $ sudo kadmin.local addprinc -pw ubuntu ubuntu
  $ kinit ubuntu
  Password for ubu...@example.com:
  $ klist
  (...)
  05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/example@example.com
  (...)

  Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

  $ KRB5_TRACE=/dev/stderr kinit
  [7609] 1493989890.568980: Getting initial credentials for ubu...@example.com
  [7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
  [7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
  [7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
  (...)

  Uh oh, it's using UDP!

  With the fixed packages, the story is different:
  $ KRB5_TRACE=/dev/stderr kinit
  [14287] 1493990160.760430: Getting initial credentials for ubu...@example.com
  [14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
  [14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
  [14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
** Description changed:

  This is fixed in krb5 1.15-2 in artful
  Upstream bug : http://krbdev.mit.edu/rt/Ticket/Display.html?id=8554
  Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
  Debian patch in 1.15-2 in artful: 0013-Fix-udp_preference_limit-with-SRV-records.patch

-
  [Impact]

  kinit does not respect udp_preference_limit and always uses TCP to talk to the KDC when using the DNS SRV records to locate the service and these records show both udp and tcp entries.
+
+ One particular scenario that fails is when OTP (one time password) is
+ used, as reported.
+
+ The provided patch is applied upstream and debian testing.

  [Test Case]

  Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest to use LXD):

  a) install the packages from zesty (not the proposed ones yet):
  $ sudo apt install krb5-kdc krb5-admin-server bind9
  When prompted for the realm, choose EXAMPLE.COM
  When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
  The KDC will fail to start because there is no realm yet, that's not relevant for this bug.

  b) Edit /etc/krb5.conf and make the following changes:
  - remove the "default_realm" line from the [libdefaults] section
  - remove the EXAMPLE.COM realm block from the [realms] section
  - add "dns_lookup_realm = true" to the [libdefaults] section
  - add "dns_lookup_kdc = true" to the [libdefaults] section
  - add "udp_preference_limit = 1" to the [libdefaults] section

  c) Edit /etc/bind/named.conf.local and add this zone block (for simplicity, we are skipping the reverse zone):
  zone "example.com" {
      type master;
      file "/etc/bind/db.example.com";
  };

  d) Create /etc/bind/db.example.com with this content:
  $TTL 604800
  @ IN SOA example.com. ubuntu.example.com. (
      1 ; Serial
      604800 ; Refresh
      86400 ; Retry
      2419200 ; Expire
      604800 ) ; Negative Cache TTL
  ;
  @ IN NS zesty-bug1683237.example.com.
  zesty-bug1683237 IN A 10.0.100.249
  _kerberos TXT "EXAMPLE.COM"
  _kerberos._udp SRV 0 0 88 zesty-bug1683237
  _kerberos._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._udp SRV 0 0 88 zesty-bug1683237
  _kerberos-master._tcp SRV 0 0 88 zesty-bug1683237
  _kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
  _kpasswd._udp SRV 0 0 464 zesty-bug1683237

  Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".

  e) Restart bind
  $ sudo service bind9 restart

  f) Do a few quick DNS tests:
  $ dig +short @10.0.100.249 zesty-bug1683237.example.com
  10.0.100.249
  $ dig +short @10.0.100.249 -t TXT _kerberos.example.com
  "EXAMPLE.COM"
  $ dig +short @10.0.100.249 -t SRV _kerberos._udp.example.com
  0 0 88 zesty-bug1683237.example.com.
  $ dig +short @10.0.100.249 -t SRV _kerberos._tcp.example.com
  0 0 88 zesty-bug1683237.example.com.

  g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:
  nameserver 10.0.100.249 # USE YOUR IP HERE
  search example.com

  h) Create the EXAMPLE.COM kerberos realm:
  $ sudo krb5_newrealm
  When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.

  i) Start the kerberos services:
  $ sudo service krb5-kdc start
  $ sudo service krb5-admin-server start

  j) Create a principal and test it:
  $ sudo kadmin.local addprinc -pw ubuntu ubuntu
  $ kinit ubuntu
  Password for ubu...@example.com:
  $ klist
  (...)
  05/05/2017 13:10:01 05/05/2017 23:10:01 krbtgt/example@example.com
  (...)

  Now we are ready to test the bug. Given that we have udp_preference_limit = 1 in /etc/krb5.conf, kinit should use TCP instead of UDP. Let's check:

  $ KRB5_TRACE=/dev/stderr kinit
  [7609] 1493989890.568980: Getting initial credentials for ubu...@example.com
  [7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
  [7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
  [7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
  (...)

  Uh oh, it's using UDP!

- With the fixed packages, the story is different:
+ With the fixed packages, kinit will use TCP, thus honoring the udp_preference_limit setting:
  $ KRB5_TRACE=/dev/stderr kinit
  [14287] 1493990160.760430: Getting initial credentials for ubu...@example.com
  [14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
  [14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
  [14287] 149
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed:

  This is fixed in artful in krb5 1.15-2
  - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
  - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
  - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch

- TL;DR when kinit uses udp on an aliased interface address, server
- responds with the wrong source IP
+
+ [Impact]
+
+ When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit.
+ After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket.
+
+ Most clients will just see an increased lag when obtaining tickets. If
+ for some reason 88/TCP is blocked on the KDC and clients are expected to
+ use UDP at all times, then kinit requests will just fail.
+
+ A workaround is to list the aliased interface's address in kdc_listen
+ besides the wildcard (0.0.0.0) address.
+
+ The provided patch is applied upstream and in Debian testing.
+
+
+ [Test Case]

  On zesty:

  a) install krb5-kdc and krb5-admin-server
  $ sudo apt install krb5-kdc krb5-admin-server
  when prompted, use EXAMPLE.ORG (all caps) as the default realm
  when prompted, select your own IP for the KDC and the Admin servers

  b) configure a new realm called EXAMPLE.ORG
  $ sudo krb5_newrealm
  use any password of your liking when prompted

  c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH:
  $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu

  d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket:
  $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu
  $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab
  $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu

  real 0m0.022s

  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: ubu...@example.org

  Valid starting Expires Service principal
  05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org
  renew until 05/04/2017 21:22:08

  e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case):
  $ sudo ip addr add 10.0.5.155/24 dev ens3

  f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e):
  [realms]
  EXAMPLE.ORG = {
  kdc = 10.0.5.155
  admin_server = 10.0.5.155

  g) Time again how long it takes to obtain a ticket:
  $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu

  real 0m2.017s

  Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP:

  1 0.0 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
  2 0.000566682 10.0.5.55 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

  (2) has the incorrect source ip! After roughly 1s, kinit switches to tcp and tries again:

  3 1.003231507 10.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
  4 1.003269692 10.0.5.155 → 10.0.5.55 TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128
  5 1.003302614 10.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
  6 1.003545204 10.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ
  7 1.003567693 10.0.5.155 → 10.0.5.55 TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
  8 1.003799664 10.0.5.155 → 10.0.5.55 KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  (continues)

  (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :)
+
+ h) repeat step (g) with the updated packages. Timing should be similar
+ to the one in step (d), and a traffic capture should show UDP (and not
+ TCP) being used.
+
+ Alternatively, you can also prefix the kinit command with
+ KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of
+ TCP is being used.
+
+
+ [Regression Potential]
+ This affects only UDP sockets bound to a wildcard address and makes these sockets work
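The source-address problem described in the message above can be reproduced on loopback. The following is an added example, not code from krb5 or from the bug report: a UDP socket bound to the wildcard address answers one request either with a plain sendmsg() or with the request's destination address passed back through IP_PKTINFO. It assumes Linux, uses 127.0.0.2 as a stand-in for the aliased interface address, and the names echo_once and reply_source are hypothetical.

```c
#define _GNU_SOURCE            /* exposes struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Answer one datagram on the wildcard-bound socket `srv`. With use_pktinfo
 * set, the reply leaves from the address the request was sent to; otherwise
 * the kernel picks the source address from its routing table. */
static int echo_once(int srv, int use_pktinfo)
{
    char buf[512];
    union { struct cmsghdr align; char raw[CMSG_SPACE(sizeof(struct in_pktinfo))]; } ctl;
    struct sockaddr_in peer;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr msg;
    struct cmsghdr *c;
    struct in_pktinfo pi;
    struct in_addr local = { 0 };
    int have_local = 0;
    ssize_t n;

    memset(&msg, 0, sizeof msg);
    msg.msg_name = &peer;        msg.msg_namelen = sizeof peer;
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = ctl.raw;   msg.msg_controllen = sizeof ctl.raw;
    if ((n = recvmsg(srv, &msg, 0)) < 0)
        return -1;

    /* IP_PKTINFO ancillary data carries the request's destination address. */
    for (c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            local = pi.ipi_addr;
            have_local = 1;
        }
    }

    iov.iov_len = (size_t)n;             /* echo the payload back to the peer */
    msg.msg_control = NULL;      msg.msg_controllen = 0;
    if (use_pktinfo && have_local) {
        memset(&ctl, 0, sizeof ctl);
        msg.msg_control = ctl.raw;
        msg.msg_controllen = sizeof ctl.raw;
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = IPPROTO_IP;      c->cmsg_type = IP_PKTINFO;
        c->cmsg_len = CMSG_LEN(sizeof pi);
        memset(&pi, 0, sizeof pi);
        pi.ipi_spec_dst = local;         /* source address to use for the reply */
        memcpy(CMSG_DATA(c), &pi, sizeof pi);
    }
    return sendmsg(srv, &msg, 0) < 0 ? -1 : 0;
}

/* Send a request to `dst` on a wildcard listener and return the source
 * address of the reply (network byte order), or 0 on error. */
static in_addr_t reply_source(const char *dst, int use_pktinfo)
{
    struct sockaddr_in srv_addr, from;
    socklen_t len = sizeof srv_addr;
    struct timeval tv = { 2, 0 };
    char buf[16];
    int one = 1, ok;
    int srv = socket(AF_INET, SOCK_DGRAM, 0);
    int cli = socket(AF_INET, SOCK_DGRAM, 0);

    memset(&srv_addr, 0, sizeof srv_addr);
    memset(&from, 0, sizeof from);
    srv_addr.sin_family = AF_INET;
    srv_addr.sin_addr.s_addr = htonl(INADDR_ANY);    /* wildcard, ephemeral port */
    ok = srv >= 0 && cli >= 0
        && setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) == 0
        && setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0
        && setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0
        && bind(srv, (struct sockaddr *)&srv_addr, sizeof srv_addr) == 0
        && getsockname(srv, (struct sockaddr *)&srv_addr, &len) == 0
        && inet_pton(AF_INET, dst, &srv_addr.sin_addr) == 1
        && sendto(cli, "AS-REQ", 6, 0, (struct sockaddr *)&srv_addr, sizeof srv_addr) == 6
        && echo_once(srv, use_pktinfo) == 0;
    len = sizeof from;
    if (ok && recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &len) < 0)
        ok = 0;
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return ok ? from.sin_addr.s_addr : 0;
}

int main(void)
{
    struct in_addr plain = { reply_source("127.0.0.2", 0) };
    struct in_addr fixed = { reply_source("127.0.0.2", 1) };
    printf("plain sendmsg: reply from %s\n", inet_ntoa(plain));
    printf("IP_PKTINFO:    reply from %s\n", inet_ntoa(fixed));
    return 0;
}
```

The demo client is an unconnected socket, so it still receives the mis-sourced reply and can report its address; a client that only accepts replies from the address it sent to would drop it.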
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Description changed:

  This is fixed in artful in krb5 1.15-2
  - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531
  - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
  - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch

- getaddrinfo() called on a wildcard address might return the IPv6 "::1"
- address. On machines without IPv6 support, binding to it will likely
- fail and the kdc/kadmin services won't start.
+
+ [Impact]
+ getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will most likely fail and the kdc/kadmin services won't start.
+
+ The provided patch is applied upstream and in Debian testing.
+
+
+ [Test Case]

  Steps to reproduce the problem on zesty:

  a) install krb5-kdc krb5-admin-server
  $ sudo apt install krb5-kdc krb5-admin-server
  when prompted, use EXAMPLE.ORG (all caps) as the default realm
  when prompted, use the IP of this machine for the KDC and the Admin servers

  b) configure a new realm called EXAMPLE.ORG
  $ sudo krb5_newrealm
  use any password of your liking when prompted

  c) confirm the kdc and admin services are running.
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
- 4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
- 4306 ? Ss 0:00 /usr/sbin/kadmind -nofork
+ 4275 ? Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
+ 4306 ? Ss 0:00 /usr/sbin/kadmind -nofork

  d) create a principal and obtain a ticket to confirm kerberos is working properly:
  $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
  $ kinit
- Password for ubu...@example.org:
+ Password for ubu...@example.org:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: ubu...@example.org

  Valid starting Expires Service principal
  05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org
- renew until 05/05/2017 14:20:13
+ renew until 05/05/2017 14:20:13

  e) Confirm the kerberos services are bound to IPv6 local sockets:
  $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)"
- tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
- tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
- tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
- udp6 0 0 :::88 :::* 1078/krb5kdc
- udp6 0 0 :::464 :::* 1065/kadmind
- udp6 0 0 :::750 :::* 1078/krb5kdc
+ tcp6 0 0 :::88 :::* LISTEN 1078/krb5kdc
+ tcp6 0 0 :::749 :::* LISTEN 1065/kadmind
+ tcp6 0 0 :::464 :::* LISTEN 1065/kadmind
+ udp6 0 0 :::88 :::* 1078/krb5kdc
+ udp6 0 0 :::464 :::* 1065/kadmind
+ udp6 0 0 :::750 :::* 1078/krb5kdc

  f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line:
  e.1) edit /etc/default/grub
  e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save
  e.3) run sudo update-grub
  e.4) reboot

  f) Confirm the kdc and admin services are NOT running:
  $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
  $

  g) /var/log/auth.log will contain the reason:
- $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
+ $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
  May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750)
  May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750)
  May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750)
  May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464)
  May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750)
+
+
+ With the updated packages, krb5-kdc and krb5-admin-server will start up just fine in the same conditions.
+
+
+ [Regression Potential]
+ We now tolerate an EAFNOSUPPORT error as long as at least one socket was bound to correctly. Maybe there could be a scenario when this one bound socket is useless, or unexpected: in that case, bailing out because of the EAFNOSUPPORT error could be seen as a more robust approach because it's immediately visible,
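The trade-off named under [Regression Potential] in the message above can be seen in a small listener-setup routine. This is an added example, not the krb5 patch: bind_wildcards, socket_fn and ipv4_only_socket are hypothetical names, and the IPv4-only host is simulated by a socket factory that fails AF_INET6 with EAFNOSUPPORT, on the assumption that this is where the error surfaces when booting with ipv6.disable=1.

```c
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Socket factory, injectable so that an IPv4-only host can be simulated. */
typedef int (*socket_fn)(int family, int type, int protocol);

static int real_socket(int family, int type, int protocol)
{
    return socket(family, type, protocol);
}

/* Assumed model of ipv6.disable=1: AF_INET6 sockets cannot be created. */
static int ipv4_only_socket(int family, int type, int protocol)
{
    if (family == AF_INET6) {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return socket(family, type, protocol);
}

/* Bind a UDP socket to every wildcard address getaddrinfo() returns for
 * `port`. With strict set, any failure is fatal, which models the startup
 * failure in the report. Without it, EAFNOSUPPORT is skipped and the call
 * succeeds if at least one socket was bound. Returns the number of sockets
 * bound, or -1. */
static int bind_wildcards(const char *port, socket_fn mksock, int strict)
{
    struct addrinfo hints, *res, *ai;
    int bound = 0, failed = 0, on = 1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL && !failed; ai = ai->ai_next) {
        int fd = mksock(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            if (strict || errno != EAFNOSUPPORT)
                failed = 1;              /* anything else stays fatal */
            continue;
        }
        if (ai->ai_family == AF_INET6)   /* keep "::" from also claiming IPv4 */
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            bound++;
        else if (strict || errno != EAFNOSUPPORT)
            failed = 1;
        close(fd);                       /* a real daemon would keep the descriptor */
    }
    freeaddrinfo(res);
    return (failed || bound == 0) ? -1 : bound;
}

int main(void)
{
    printf("this host, tolerant: %d\n", bind_wildcards("0", real_socket, 0));
    printf("IPv4-only, strict:   %d\n", bind_wildcards("0", ipv4_only_socket, 1));
    printf("IPv4-only, tolerant: %d\n", bind_wildcards("0", ipv4_only_socket, 0));
    return 0;
}
```

Returning the count rather than a plain success flag lets the caller log when fewer listeners came up than getaddrinfo() offered, which keeps the tolerated case visible.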
[Bug 1677329] Re: libpam-winbind: unable to dlopen
I'm taking a look. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu. https://bugs.launchpad.net/bugs/1677329 Title: libpam-winbind: unable to dlopen To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1677329/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1677329] Re: libpam-winbind: unable to dlopen
Where it works:
2:4.3.11+dfsg-0ubuntu0.14.04.7 trusty
2:4.3.11+dfsg-0ubuntu0.16.04.6 xenial
2:4.4.5+dfsg-2ubuntu5.5 yakkety

Where it fails with this dlopen error:
2:4.5.8+dfsg-0ubuntu0.17.04.1 zesty
artful: probably fails as well, as it's the same package still (but I haven't tried)
[Bug 1677329] Re: libpam-winbind: unable to dlopen
The patch d/patches/fix-1584485.patch got reintroduced in 2:4.5.4+dfsg-1ubuntu1 for zesty and it's what causes the problem.

Previously introduced in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.2 to fix said bug, it was quickly reverted in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.3.

We either need to revert that patch again, or make the static linking work properly.
[Bug 1455818] Re: [SRU] mysql-server-5.6.postrm fails when /usr/share/mysql-common/configure-symlinks doesn't exist
Yakkety now has mysql 5.7.18-0ubuntu0.16.10.1 in yakkety-updates. I tried a quick release-upgrade from up-to-date xenial which has 5.7.18-0ubuntu0.16.04.1 and it worked, no package installation errors. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1455818 Title: [SRU] mysql-server-5.6.postrm fails when /usr/share/mysql-common /configure-symlinks doesn't exist To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mysql-5.6/+bug/1455818/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1677329] Re: libpam-winbind: unable to dlopen
$ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> (for Depends field)
Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupName: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxChangeUserPasswordEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxCreate: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxInterfaceDetails: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxFree: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogonUser: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcFreeMemory: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcAddNamedBlob: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupSid: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcSidToStringBuf: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogoffUserEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcErrorString: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxGetpwnam: it's probably a plugin

These missing symbols come from libwbclient. Note how wbcCtxFree is among them: that's the missing one you get when you copy the module to /lib/security.
[Bug 1677329] Re: libpam-winbind: unable to dlopen
I just did a test build with this and pam_winbind worked for the super simple login test case: http://pastebin.ubuntu.com/24536839/

diff -Nru samba-4.5.8+dfsg/debian/patches/fix-1584485.patch samba-4.5.8+dfsg/debian/patches/fix-1584485.patch --- samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-02-09 00:28:33.0 + +++ samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-05-08 13:08:52.0 + @@ -83,7 +83,7 @@ bld.SAMBA_LIBRARY('pamwinbind', source='pam_winbind.c', - deps='talloc wbclient winbind-client tiniparser pam samba_intl', -+ deps='pamwinbind-static', ++ deps='wbclient pamwinbind-static', cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR, realname='pam_winbind.so', - install_path='${PAMMODULESDIR}'

There are plenty of other code paths that have to be exercised. Maybe other libraries are missing.
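Review bot: on the changed deps= line, only wbclient is added back beside pamwinbind-static, while the list this patch originally replaced also named talloc, winbind-client, tiniparser, pam and samba_intl. Before this goes further, confirm that each of those is still satisfied through pamwinbind-static by running dpkg-shlibdeps -v on the rebuilt pam_winbind.so and checking that no "unresolvable reference" warnings remain, and by loading the module through a PAM stack outside the build tree. A one-line note in fix-1584485.patch saying why wbclient has to stay a dynamic dependency would also help, given that this patch was reverted once before.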
[Bug 1677329] Re: libpam-winbind: unable to dlopen
And dpkg-shlibdeps is happy: http://pastebin.ubuntu.com/24536871/

ubuntu@andreas-zesty-samba-test:~/deb/samba/samba-4.5.8+dfsg⟫ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> (for Depends field)
Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libwbclient.so.0 found in debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
No associated package found for debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Using symbols file debian/libwbclient0/DEBIAN/symbols for libwbclient.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0
[Bug 1677329] Re: libpam-winbind: unable to dlopen
** Changed in: samba (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: samba (Ubuntu)
   Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: samba (Ubuntu)
   Importance: Undecided => High
[Bug 1677329] Re: libpam-winbind: unable to dlopen
** Changed in: samba (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: samba (Ubuntu Zesty)
   Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: samba (Ubuntu Zesty)
   Importance: Undecided => High
[Bug 1677329] Re: libpam-winbind: unable to dlopen
A quick pam_winbind authentication test worked with that modification to the patch: http://pastebin.ubuntu.com/24539032/

May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.100.1 user=BUGTEST\andreas
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] ENTER: pam_sm_authenticate (flags: 0x0001)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): getting password (0x0389)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): pam_get_item returned a password
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Verify user 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling krb5 login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling cached login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): user 'BUGTEST\andreas' granted access
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Returned user was 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: Accepted password for BUGTEST\\andreas from 10.0.100.1 port 51760 ssh2
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:session): session opened for user BUGTEST\andreas by (uid=0)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] ENTER: pam_sm_open_session (flags: 0x)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_systemd(sshd:session): Failed to create session: No such file or directory
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)

and:

andreas@nsn7:~$ ssh BUGTEST\\\andreas@10.0.100.99
Warning: Permanently added '10.0.100.99' (ECDSA) to the list of known hosts.
BUGTEST\andreas@10.0.100.99's password:
Welcome to Ubuntu 17.04 (GNU/Linux 4.4.0-77-generic x86_64)
(...)
Could not chdir to home directory /home/BUGTEST/andreas: No such file or directory
BUGTEST\andreas@zesty-pamwinbind-1677329:/$ id
uid=1(BUGTEST\andreas) gid=1(BUGTEST\none) groups=1(BUGTEST\none),10002(BUILTIN\users)
BUGTEST\andreas@zesty-pamwinbind-1677329:/$ grep andreas /etc/passwd
BUGTEST\andreas@zesty-pamwinbind-1677329:/$

There are many more things to test here, though. Namely, kerberos integration.
[Bug 1677329] Re: libpam-winbind: unable to dlopen
** Tags added: patch
[Bug 1455818] Re: [SRU] mysql-server-5.6.postrm fails when /usr/share/mysql-common/configure-symlinks doesn't exist
** Changed in: mysql-5.7 (Ubuntu)
       Status: Confirmed => Incomplete

** Changed in: mysql-5.7 (Ubuntu Xenial)
       Status: Confirmed => Incomplete
[Bug 1677329] Re: libpam-winbind: unable to dlopen
This is a packaging merge proposal, you should use something like "dpkg-buildpackage -uc -us -b". If you just run ./configure and make in this branch you won't even get the debian patches applied.

Unless I misunderstood your goal here, sorry.
[Bug 1669193] Re: feature request - json stats output
** Changed in: bind9 (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: bind9 (Ubuntu)
       Status: New => In Progress
[Bug 1677329] Re: libpam-winbind: unable to dlopen
Thanks for your test, @jmurchik!
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
I posted some debugging in https://bugs.launchpad.net/ubuntu/+source/pam-mysql/+bug/1574900/comments/27

TL;DR
- pam_mysql.c buf in pam_mysql_check_passwd() is overflowing
- my_make_scrambled_password() is NOT returning content that can be compared to what is stored in the mysql DB when using PASSWORD().
- my_make_scrambled_password_sha1() seems to be the right one to use, as it returns a string of hex values, but it's not exported

Not sure where this should continue, here or there :)
Re: [Bug 1677329] Re: libpam-winbind: unable to dlopen
You have to apply all the patches from the Debian package. I suggest getting the git branch and doing a dpkg-buildpackage -uc -us -b

On May 13, 2017 11:25, "Jason Lynn" wrote:

> Also, should the symlink to /lib/x86_64-linux-gnu/security still be
> required after this?
[Bug 1690270] Re: enable-esm should also install ca-certificates
Sorry, dependency*
[Bug 1690270] Re: enable-esm should also install ca-certificates
Shouldn't apt-transport-https have a dependenci on ca-certificates?
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
On it.
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch - [Impact] - When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. + When IPv6 is disabled and the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. 
- [Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! 
After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly, you can also prefix the kinit command with KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of TCP is being used. - [Regression Potential] This affects only UD
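Review bot: the new Impact line adds "When IPv6 is disabled" as a precondition, but none of the [Test Case] steps (a) through (h) disables IPv6, so a tester who follows them as written never sets up the condition the Impact text now depends on. Add an explicit step that puts the host in that state before the first timing in step (d), or drop the qualifier if steps (e) to (g) already reproduce the delay without it.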
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch [Impact] - When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. + When the KDC is configured to listen on the wildcard address (0.0.0.0) and receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit. After a short timeout, kinit tries again with TCP, in which case it works. But if using PREAUTH (the default), that means this first request will correctly fail, with the server demanding PREAUTH, and the client will try again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket. Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail. A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address. The provided patch is applied upstream and in Debian testing. 
[Test Case] On zesty: a) install krb5-kdc and krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, select your own IP for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket: $ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu $ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m0.022s $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org renew until 05/04/2017 21:22:08 e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case): $ sudo ip addr add 10.0.5.155/24 dev ens3 f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc and admin server's IP to this new IP you just added in step (e): [realms] EXAMPLE.ORG = { kdc = 10.0.5.155 admin_server = 10.0.5.155 g) Time again how long it takes to obtain a ticket: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real 0m2.017s Step (g) shows the bug. On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (2) has the incorrect source ip! 
After roughly 1s, kinit switches to tcp and tries again: 3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128 4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128 5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273 6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ 7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804 8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (continues) (8) and the whole tcp handshake happens with the correct IP addresses and the exchange happens and we get the ticket, but not before kinit repeats the request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :) h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used. Alternativaly, you can also prefix the kinit command with KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of TCP is being used. [Regression P
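Review bot: the reworded Impact now hinges on the KDC being "configured to listen on the wildcard address (0.0.0.0)", yet the [Test Case] never shows that setting; kdc_listen appears only in the workaround paragraph. Add a step after (b) that sets kdc_listen to the wildcard address, so that step (g) exercises the configuration the Impact describes rather than whatever the package default happens to be.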
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
I updated the test case with step (b.1) which I had forgotten. Here it goes:

Reproducing the error case with 1.15-1, we can see that UDP is tried first, is ignored, and then TCP is used one second later:

$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status

$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[2848] 1494852873.104617: Getting initial credentials for ubu...@example.org
[2848] 1494852873.105449: Looked up etypes in keytab: aes256-cts, aes128-cts
[2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG
[2848] 1494852873.105684: Resolving hostname 10.0.100.249
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.285214: Response was not from master KDC
[2848] 1494852874.285346: Received error from KDC: -1765328359/Additional pre-authentication required
...

After installing the update, UDP is again tried first but this time kinit receives an immediate answer and the exchange remains on UDP:

$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages

$ KRB5_TRACE=/dev/stdout kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
[10150] 1494853325.393939: Getting initial credentials for ubu...@example.org
[10150] 1494853325.395247: Looked up etypes in keytab: aes256-cts, aes128-cts
[10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG
[10150] 1494853325.395851: Resolving hostname 10.0.100.249
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
[10150] 1494853325.648728: Response was not from master KDC
[10150] 1494853325.648835: Received error from KDC: -1765328359/Additional pre-authentication required

** Tags added: verification-done-zesty

** Tags removed: verification-needed
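The manual check in the message above (read the KRB5_TRACE output and see whether the answer came back over UDP or only after a TCP fallback) can be scripted. This is an added example, not part of the bug report or of krb5; the names parse_trace, summarize and Exchange are hypothetical, the first two sample traces are excerpts of the ones in the message, and the third is constructed to cover the "88/TCP blocked" case the bug description mentions.

```python
import re

# "[pid] epoch.usec: message" is the line layout of the traces quoted above.
LINE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")
NEW_REQUEST = re.compile(r"^Sending request \(\d+ bytes\) to (\S+)")
UDP_SEND = re.compile(r"^Sending initial UDP request to dgram (\S+)")
TCP_OPEN = re.compile(r"^Initiating TCP connection to stream (\S+)")
ANSWER = re.compile(r"^Received answer \(\d+ bytes\) from (dgram|stream) (\S+)")


class Exchange:
    """One request/answer round trip between kinit and the KDC."""

    def __init__(self, realm, started):
        self.realm = realm
        self.started = started
        self.udp_sent = None
        self.tcp_opened = None
        self.answered_via = None   # "dgram" (UDP) or "stream" (TCP)
        self.answered_at = None

    def verdict(self):
        if self.answered_via == "dgram":
            return "udp"
        if self.answered_via == "stream":
            # UDP was tried first but the reply only arrived over TCP.
            return "tcp-fallback" if self.udp_sent is not None else "tcp"
        return "no-answer"

    def latency(self):
        if self.answered_at is None:
            return None
        return self.answered_at - self.started


def parse_trace(text):
    """Group trace lines into exchanges, one per 'Sending request' line."""
    exchanges, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, shell prompts, "..." and similar
        ts, msg = float(m.group(2)), m.group(3)
        started = NEW_REQUEST.match(msg)
        if started:
            current = Exchange(started.group(1), ts)
            exchanges.append(current)
            continue
        if current is None:
            continue
        answer = ANSWER.match(msg)
        if UDP_SEND.match(msg) and current.udp_sent is None:
            current.udp_sent = ts
        elif TCP_OPEN.match(msg) and current.tcp_opened is None:
            current.tcp_opened = ts
        elif answer and current.answered_via is None:
            current.answered_via, current.answered_at = answer.group(1), ts
    return exchanges


def summarize(text):
    """Return (realm, verdict, latency in seconds or None) per exchange."""
    return [(e.realm, e.verdict(), e.latency()) for e in parse_trace(text)]


# Excerpt of the 1.15-1 trace from the message above.
TRACE_BEFORE_FIX = """
[2848] 1494852873.105633: Sending request (172 bytes) to EXAMPLE.ORG
[2848] 1494852873.105684: Resolving hostname 10.0.100.249
[2848] 1494852873.105840: Sending initial UDP request to dgram 10.0.100.249:88
[2848] 1494852874.108235: Initiating TCP connection to stream 10.0.100.249:88
[2848] 1494852874.108528: Sending TCP request to stream 10.0.100.249:88
[2848] 1494852874.110518: Received answer (254 bytes) from stream 10.0.100.249:88
[2848] 1494852874.110549: Terminating TCP connection to stream 10.0.100.249:88
"""

# Excerpt of the 1.15-1ubuntu0.1 trace from the message above.
TRACE_AFTER_FIX = """
[10150] 1494853325.395665: Sending request (172 bytes) to EXAMPLE.ORG
[10150] 1494853325.395851: Resolving hostname 10.0.100.249
[10150] 1494853325.396225: Sending initial UDP request to dgram 10.0.100.249:88
[10150] 1494853325.398161: Received answer (254 bytes) from dgram 10.0.100.249:88
"""

# Constructed sample: the UDP reply is lost and TCP never answers either.
TRACE_TCP_BLOCKED = """
[4242] 1500000000.000100: Sending request (172 bytes) to EXAMPLE.ORG
[4242] 1500000000.000300: Sending initial UDP request to dgram 10.0.100.249:88
[4242] 1500000001.002000: Initiating TCP connection to stream 10.0.100.249:88
"""

if __name__ == "__main__":
    for name, trace in (("before fix", TRACE_BEFORE_FIX),
                        ("after fix", TRACE_AFTER_FIX),
                        ("tcp blocked", TRACE_TCP_BLOCKED)):
        print(name, summarize(trace))
```

A "tcp-fallback" verdict with a latency of about one second per exchange is the signature of the wrong-source-address reply described in the bug.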
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
Reproducing the problem with 1.15-1:

ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1
  Candidate: 1.15-1
  Version table:
 *** 1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages
        100 /var/lib/dpkg/status

After rebooting with no IPv6 support, the kerberos services are not running:

ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
ubuntu@15-89:~$

And we have the expected failure in auth.log:

ubuntu@15-89:~$ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log
May 15 13:23:40 15-89 kadmind[1195]: Failed setting up a UDP socket (for ::.464)
May 15 13:23:40 15-89 krb5kdc[1196]: Failed setting up a UDP socket (for ::.750)
May 15 13:24:34 15-89 sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/grep -E (kadmind|krb5kdc).*Failed /var/log/auth.log

Now we install the fixed packages from proposed:

ubuntu@15-89:~$ apt-cache policy krb5-kdc
krb5-kdc:
  Installed: 1.15-1ubuntu0.1
  Candidate: 1.15-1ubuntu0.1
  Version table:
 *** 1.15-1ubuntu0.1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.15-1 500
        500 http://br.archive.ubuntu.com/ubuntu zesty/universe amd64 Packages

Immediately after that the services are running already:

ubuntu@15-89:~$ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep
 2377 ?  Ss  0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid
 2443 ?  Ss  0:00 /usr/sbin/kadmind -nofork

We still have errors in auth.log, but they are not fatal:

May 15 13:26:49 15-89 kadmind[2443]: Address family not supported by protocol - Cannot create TCP server socket on ::.464
May 15 13:26:49 15-89 kadmind[2443]: Failed setting up a UDP socket (for ::.464)

And we are bound to IPv4 sockets only as expected:

ubuntu@15-89:~$ sudo netstat -anp|grep -E "^(tcp|udp).*(krb5kdc|kadmind)"
tcp  0  0  0.0.0.0:88   0.0.0.0:*  LISTEN  2377/krb5kdc
tcp  0  0  0.0.0.0:749  0.0.0.0:*  LISTEN  2443/kadmind
tcp  0  0  0.0.0.0:464  0.0.0.0:*  LISTEN  2443/kadmind
udp  0  0  0.0.0.0:88   0.0.0.0:*          2377/krb5kdc
udp  0  0  0.0.0.0:464  0.0.0.0:*          2443/kadmind
udp  0  0  0.0.0.0:750  0.0.0.0:*          2377/krb5kdc

** Tags removed: verification-needed

** Tags added: verification-done-zesty
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
pure-ftpd sorted this out by reimplementing make_scrambled_password() if it's not exported: https://github.com/jedisct1/pure-ftpd/commit/2db6b50c7b7c638104bd9639994f0574e8f4813c

I don't know when make_scrambled_password() stopped being exported in libmysqlclient, but libmysqlclient's my_make_scrambled_password() is NOT a replacement for it. The right replacement for it is my_make_scrambled_password_sha1(), and currently make_scrambled_password() is a wrapper around my_make_scrambled_password_sha1(), but neither are exported in libmysqlclient:

/*
  Wrapper around my_make_scrambled_password() to maintain client lib ABI
  compatibility.
  In server code usage of my_make_scrambled_password() is preferred to
  avoid strlen().
  SYNOPSIS
    make_scrambled_password()
    buf       OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
    password  IN  NULL-terminated password string
*/

void make_scrambled_password(char *to, const char *password)
{
  my_make_scrambled_password_sha1(to, password, strlen(password));
}

So pam_mysql should probably reimplement my_make_scrambled_password_sha1() in order to support passwords hashed with the server PASSWORD() function (the crypt=2 option in pam_mysql).
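A reference for checking such a reimplementation against, as an added example that is not code from pam_mysql, pure-ftpd or libmysqlclient. It assumes PASSWORD() here means the MySQL 4.1+ native format ("*" followed by the uppercase hex of SHA1(SHA1(password))); scramble_sha1, scramble_into and check_password are hypothetical names, and scramble_into models the C contract from the quoted comment, where the caller must supply 2*SHA1_HASH_SIZE + 2 bytes.

```python
import hashlib
import hmac
import re

SHA1_HASH_SIZE = 20
# Output buffer size from the quoted comment: '*' + 40 hex digits + NUL.
SCRAMBLE_BUFFER_SIZE = 2 * SHA1_HASH_SIZE + 2
# Layout of a stored 4.1+ hash (assumed format, see lead-in).
STORED_41 = re.compile(r"\*[0-9A-F]{40}")


def scramble_sha1(password):
    """Return '*' + HEX(SHA1(SHA1(password))) for a bytes password."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    return "*" + stage2.hex().upper()


def scramble_into(buf, password):
    """Write the NUL-terminated scramble into buf, as the C function does.

    Unlike the C function, refuse a buffer that is too small instead of
    writing past its end. Returns the number of bytes written.
    """
    out = scramble_sha1(password).encode("ascii") + b"\x00"
    if len(buf) < len(out):
        raise ValueError(
            "buffer of %d bytes cannot hold %d" % (len(buf), len(out)))
    buf[:len(out)] = out
    return len(out)


def check_password(candidate, stored):
    """Compare a candidate password with a stored PASSWORD() value."""
    if not STORED_41.fullmatch(stored):
        # Anything else cannot be compared with this scramble; reject it.
        return False
    computed = scramble_sha1(candidate).encode("ascii")
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(computed, stored.encode("ascii"))


if __name__ == "__main__":
    stored = scramble_sha1(b"password")  # constructed sample value
    print(stored, len(stored))
    print(scramble_into(bytearray(SCRAMBLE_BUFFER_SIZE), b"password"))
    print(check_password(b"password", stored))
```

The 42-byte requirement is the figure to check any C caller's buffer against, whatever size it currently declares.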
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
** Changed in: pam-mysql (Ubuntu)
       Status: New => Confirmed

** Changed in: vsftpd (Ubuntu)
       Status: Confirmed => Invalid
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
Submitted an issue against one of the forks of pam_mysql: https://github.com/NigelCunningham/pam-MySQL/issues/29

** Bug watch added: github.com/NigelCunningham/pam-MySQL/issues #29
   https://github.com/NigelCunningham/pam-MySQL/issues/29
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
Also submitted an issue against pure-ftpd, because it suffers from the same problem: https://github.com/jedisct1/pure-ftpd/issues/58

** Bug watch added: github.com/jedisct1/pure-ftpd/issues #58
   https://github.com/jedisct1/pure-ftpd/issues/58
[Bug 1574911] Re: vsftpd 500 oops stack smashing detected - Ubuntu 16.04
pure-ftpd just fixed it: https://github.com/jedisct1/pure-ftpd/commit/27443b29320d85352d8b52c0120836843e10c0f9
Re: [Bug 1677329] Re: libpam-winbind: unable to dlopen
I can upload the packages to a ppa for you to take a look.

On Tue, May 16, 2017 at 9:20 AM, Jason Lynn wrote:
> Thanks. I was able to finally get it to build but after installing, the
> samba service will no longer start. It simply times out and leaves
> nothing in the syslog or the Samba log explaining the reason:
>
> Job for smbd.service failed because a timeout was exceeded.
> See "systemctl status smbd.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript smbd, action "start" failed.
> ● smbd.service - Samba SMB Daemon
>    Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
>    Active: failed (Result: timeout) since Mon 2017-05-15 17:18:22 EDT; 6ms ago
>      Docs: man:smbd(8)
>            man:samba(7)
>            man:smb.conf(5)
>   Process: 2812 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed, signal=TERM)
>  Main PID: 2812 (code=killed, signal=TERM)
>       CPU: 80ms
>
> May 15 17:16:51 ubunbtu-ws systemd[1]: Starting Samba SMB Daemon...
> May 15 17:16:51 ubunbtu-ws smbd[2812]: [2017/05/15 17:16:51.993512, 0] ../lib/util/become_daemon.c:124(daemon_ready)
> May 15 17:16:51 ubunbtu-ws smbd[2812]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Start operation timed out. Terminating.
> May 15 17:18:22 ubunbtu-ws systemd[1]: Failed to start Samba SMB Daemon.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Unit entered failed state.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Failed with result 'timeout'.
>
> I guess I'm just going to stay broken here until this goes live. I'm
> sure I did something else wrong.
[Bug 1574911] Re: my_make_scrambled_password() is not a replacement for make_scrambled_password()
** Summary changed:
- vsftpd 500 oops stack smashing detected - Ubuntu 16.04
+ my_make_scrambled_password() is not a replacement for make_scrambled_password()
[Bug 1574911] Re: my_make_scrambled_password() is not a replacement for make_scrambled_password()
** Description changed: - Ubuntu 16.04 x64 and Ubuntu 16.04 x86 - VSFTPD Version: vsftpd_3.0.3-3ubuntu2.debian + artful libpam-mysql-0.8.0-1 - When trying to use a fixed version of libpam-mysql (the one's I patched - here: https://bugs.launchpad.net/ubuntu/+source/pam-mysql/+bug/1574900) - with VSFTPD, authentication passes (no failed status in the - /var/log/auth.log file meaning libpam-mysql is working), but then VSFTPD - fails to login for a virtual user and displays the following error: + pam_mysql, when crypt=2 is set in its configuration, it expects the + password to be hashed according to the server-side PASSWORD() SQL + function. From its README: - Looking up localhost - Trying localhost:21 - Connected to localhost:21 - 220 Welcome to vsFTPd Server - USER test + 2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the + encryption function used by PAM-MySQL is different from that of the + MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client + API instead of using PASSWORD() SQL function in the query. - 331 Please specify the password. 
- PASS - *** stack smashing detected ***: /usr/sbin/vsftpd terminated - 500 OOPS: priv_sock_get_result - Disconnecting from site localhost + pam_mysql is indeed using an incorrect hash function: it's using + my_make_scrambled_password() as a replacement for + make_scrambled_password() to locally hash the given password and compare + it with what is stored in the database: - Here is my vsftpd.conf: + char buf[42]; + my_make_scrambled_password(buf, passwd, strlen(passwd)); + vresult = strcmp(row[0], buf); - listen=YES - anonymous_enable=NO - local_enable=YES - write_enable=YES - local_umask=0002 - file_open_mode=0775 - dirmessage_enable=YES - xferlog_enable=YES - connect_from_port_20=YES - nopriv_user=ftp - chroot_local_user=YES - secure_chroot_dir=/var/run/vsftpd - pam_service_name=vsftpd - rsa_cert_file=/etc/ssl/certs/vsftpd.pem - guest_enable=YES - guest_username=ftp - local_root=/var/www/vhosts/$USER - user_sub_token=$USER - virtual_use_local_privs=YES - user_config_dir=/etc/vsftpd_user_conf - local_max_rate=200 # bytes per sec, 2Mbytes per sec - max_clients=50 # to avoid DOS attack, if you have a huge server, increase this.. - ftpd_banner=Welcome to vsFTPd Server - allow_writeable_chroot=YES - seccomp_sandbox=NO + row[0] is the result of the SQL query that fetches the user's password + hash - Contents of /etc/pam.d/vsftpd: + There are two problems with this: + a) my_make_scrambled_password() writes CRYPT_MAX_PASSWORD_SIZE bytes to buf, and that's way more than 42. 
From the mysql source code: + #define CRYPT_SALT_LENGTH 20 + #define CRYPT_MAGIC_LENGTH 3 + #define CRYPT_PARAM_LENGTH 13 + #define SHA256_HASH_LENGTH 43 + #define CRYPT_MAX_PASSWORD_SIZE (CRYPT_SALT_LENGTH + \ + SHA256_HASH_LENGTH + \ + CRYPT_MAGIC_LENGTH + \ + CRYPT_PARAM_LENGTH) - auth required pam_mysql.so user=ehcp passwd=MYPASSHERE host=localhost db=ehcp table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2 - account required pam_mysql.so user=ehcp passwd=MYPASSHERE host=localhost db=ehcp table=ftpaccounts usercolumn=ftpusername passwdcolumn=password crypt=2 + 42 is the length of the hexified hash produced by + make_scrambled_password(), not my_make_scrambled_password(). - Not seeing anything in vsftpd's log that is helpful or in the syslog. + b) the output of my_make_scrambled_password() is not a hex string like + "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", but something like + "$5$9Ws#033Q.TZtI4^?X#026y@@{e2$OxTGgW3PiJUVZ/AChiJgAdIWQ2u2B8kA/hHZgqNj.y.". + So even if buf had the correct size, the comparison would never match + what's produced by PASSWORD() on the server side. As the documentation + admitted could happen. - Same exact setup works fine in Ubuntu 14.04 when applying this patch in - VSFTPD: - http://askubuntu.com/questions/126625/libgcc-s-so-1-must-be-installed- - for-pthread-cancel-to-work#answer-404523 + If my_make_scrambled_password() is not found in the system mysqlclient library, pam_mysql will reimplement it, and funnily enough this reimplementation actually mimicks the desired behavior of make_scrambled_password() and produces an hexified hash compatible with the server's PASSWORD() function and with the right length of 42 bytes. - The above patch should really be included in all versions of VSFTPD for - Ubuntu / Debian too. Here's hoping to smoother vsftpd package releases - in newer versions of Ubuntu. 
+ So, if mysqlclient doesn't export my_make_scrambled_password(), + pam_mysql will work because it will use its own implementation. But in + the ubuntu case, my_make_scrambled_password() is exported and used, and + leads to this bug. - This list of VSFTPD fixes per Ubuntu release will need to grow for - Ubuntu 16.04: - - http://ehcpforce.tk/faq/in
[Bug 1574911] Re: my_make_scrambled_password() is not a replacement for make_scrambled_password()
** Description changed: artful libpam-mysql-0.8.0-1 pam_mysql, when crypt=2 is set in its configuration, it expects the password to be hashed according to the server-side PASSWORD() SQL function. From its README: 2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query. pam_mysql is indeed using an incorrect hash function: it's using my_make_scrambled_password() as a replacement for make_scrambled_password() to locally hash the given password and compare it with what is stored in the database: - char buf[42]; - my_make_scrambled_password(buf, passwd, strlen(passwd)); - vresult = strcmp(row[0], buf); + char buf[42]; + my_make_scrambled_password(buf, passwd, strlen(passwd)); + vresult = strcmp(row[0], buf); row[0] is the result of the SQL query that fetches the user's password hash There are two problems with this: a) my_make_scrambled_password() writes CRYPT_MAX_PASSWORD_SIZE bytes to buf, and that's way more than 42. From the mysql source code: #define CRYPT_SALT_LENGTH 20 #define CRYPT_MAGIC_LENGTH 3 #define CRYPT_PARAM_LENGTH 13 #define SHA256_HASH_LENGTH 43 #define CRYPT_MAX_PASSWORD_SIZE (CRYPT_SALT_LENGTH + \ - SHA256_HASH_LENGTH + \ - CRYPT_MAGIC_LENGTH + \ - CRYPT_PARAM_LENGTH) + SHA256_HASH_LENGTH + \ + CRYPT_MAGIC_LENGTH + \ + CRYPT_PARAM_LENGTH) 42 is the length of the hexified hash produced by make_scrambled_password(), not my_make_scrambled_password(). b) the output of my_make_scrambled_password() is not a hex string like "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19", but something like "$5$9Ws#033Q.TZtI4^?X#026y@@{e2$OxTGgW3PiJUVZ/AChiJgAdIWQ2u2B8kA/hHZgqNj.y.". So even if buf had the correct size, the comparison would never match what's produced by PASSWORD() on the server side. As the documentation admitted could happen. 
- - If my_make_scrambled_password() is not found in the system mysqlclient library, pam_mysql will reimplement it, and funnily enough this reimplementation actually mimicks the desired behavior of make_scrambled_password() and produces an hexified hash compatible with the server's PASSWORD() function and with the right length of 42 bytes. + If my_make_scrambled_password() is not found in the system mysqlclient + library, pam_mysql will reimplement it, and funnily enough this + reimplementation actually mimicks the desired behavior of + make_scrambled_password() and produces an hexified hash compatible with + the server's PASSWORD() function and with the right length of 42 bytes. So, if mysqlclient doesn't export my_make_scrambled_password(), pam_mysql will work because it will use its own implementation. But in the ubuntu case, my_make_scrambled_password() is exported and used, and leads to this bug. To reproduce this problem, setup mysql, vsftpd and libpam-mysql on artful as explained in bug #1574900. + + I cannot explain why vsftpd doesn't crash in this scenario in artful: + gcc's stack protector isn't triggered, nor is a segfault. In debugging I + can see the buf variable getting way more than 42 bytes written to it, + and if I add another stack variable next to it, it gets corrupted. But + no crashes, just an authentication error. ** Description changed: artful libpam-mysql-0.8.0-1 + + TL;DR + + pam_mysql in artful will in the best case scenario just fail to + authenticate users whose passwords were hashed with the server-side + PASSWORD() SQL function. There is a buffer overflow happening, but it + doesn't trigger a crash for some reason. + + Detailed explanation follows. pam_mysql, when crypt=2 is set in its configuration, it expects the password to be hashed according to the server-side PASSWORD() SQL function. From its README: 2 (or "mysql") = Use MySQL PASSWORD() function. 
It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query. pam_mysql is indeed using an incorrect hash function: it's using my_make_scrambled_password() as a replacement for make_scrambled_password() to locally hash the given password and compare it with what is stored in the database: char buf[42]; my_make_scrambled_password(buf, passwd, strlen(passwd)); vresult = strcmp(row[0], buf); row[0] is the result of the SQL query that fetches the user's password hash There are two problems with this: a) my_make_scrambled_password() writes CRYPT_MAX_PAS
[Bug 1574911] Re: my_make_scrambled_password() is not a replacement for make_scrambled_password()
Debian stretch isn't affected. There, libmariadbclient.so.18 exports a my_make_scrambled_password() that produces the correct/expected hexified hash. Which I wonder if it's what libmysqlclient.so.18 did (artful is at .20).
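The two problems listed in the bug 1574911 description (a 42-byte buffer for a routine that can emit CRYPT_MAX_PASSWORD_SIZE bytes, and a "$5$" result that can never equal a PASSWORD()-style hex hash), shown as an added example that is not pam_mysql's or MySQL's code. `scramble_fn`, `classify_hash`, `check_password` and both `demo_*` hashers are hypothetical names; the demo hashers are constructed stand-ins for the two library behaviours, not the real MySQL algorithms.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the bug description from the MySQL source. */
#define CRYPT_SALT_LENGTH   20
#define CRYPT_MAGIC_LENGTH  3
#define CRYPT_PARAM_LENGTH  13
#define SHA256_HASH_LENGTH  43
#define CRYPT_MAX_PASSWORD_SIZE (CRYPT_SALT_LENGTH + SHA256_HASH_LENGTH + \
                                 CRYPT_MAGIC_LENGTH + CRYPT_PARAM_LENGTH)

/* '*' followed by 40 hex digits, as in the hex sample in the report. */
#define HEX_HASH_CHARS 41

/* buf[42] fits the hex form plus its NUL, and nothing larger. */
_Static_assert(HEX_HASH_CHARS + 1 == 42, "hex form needs exactly 42 bytes");
_Static_assert(CRYPT_MAX_PASSWORD_SIZE + 1 > 42, "crypt form overruns buf[42]");

enum hash_kind { HASH_UNKNOWN = 0, HASH_HEX41, HASH_CRYPT_SHA256 };
enum verdict   { PW_MATCH = 0, PW_MISMATCH, PW_FORMAT_CONFLICT };

/* Assumed shape of the hashing routine, taken from the call site in the report. */
typedef void (*scramble_fn)(char *to, const char *password, size_t len);

/* Tell the two output formats named in the report apart. */
enum hash_kind classify_hash(const char *s)
{
    size_t n = strlen(s);
    if (n == HEX_HASH_CHARS && s[0] == '*') {
        for (size_t i = 1; i < n; i++)
            if (!isxdigit((unsigned char)s[i]))
                return HASH_UNKNOWN;
        return HASH_HEX41;
    }
    if (n > 3 && n <= CRYPT_MAX_PASSWORD_SIZE && strncmp(s, "$5$", 3) == 0)
        return HASH_CRYPT_SHA256;
    return HASH_UNKNOWN;
}

/* Compare n bytes without stopping at the first difference. */
static int equal_fixed_time(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hash locally and compare, but only when both sides are in the hex form. */
enum verdict check_password(scramble_fn scramble, const char *stored,
                            const char *passwd)
{
    /* Worst case from the report plus a terminator; zeroed so it is always
       NUL-terminated whatever the routine writes. */
    char buf[CRYPT_MAX_PASSWORD_SIZE + 1] = {0};
    enum verdict v;

    scramble(buf, passwd, strlen(passwd));
    if (classify_hash(stored) != HASH_HEX41 || classify_hash(buf) != HASH_HEX41)
        v = PW_FORMAT_CONFLICT;      /* configuration problem, not a bad password */
    else if (equal_fixed_time(stored, buf, HEX_HASH_CHARS))
        v = PW_MATCH;
    else
        v = PW_MISMATCH;

    /* Scrub the locally computed hash before the stack frame is reused. */
    volatile char *p = buf;
    for (size_t i = 0; i < sizeof buf; i++)
        p[i] = 0;
    return v;
}

/* Constructed stand-in for a library that returns the 41-character hex form.
   Toy mixing function, NOT the algorithm behind PASSWORD(). */
void demo_hex_scramble(char *to, const char *password, size_t len)
{
    static const char hexd[] = "0123456789ABCDEF";
    unsigned long h = 2166136261UL;
    to[0] = '*';
    for (size_t i = 0; i < 40; i++) {
        h = (h ^ (unsigned char)password[len ? i % len : 0]) * 16777619UL;
        to[1 + i] = hexd[(h >> 12) & 0xF];
    }
    to[HEX_HASH_CHARS] = '\0';
}

/* Constructed stand-in for a library that returns a worst-case "$5$" string. */
void demo_crypt_scramble(char *to, const char *password, size_t len)
{
    (void)password; (void)len;
    memset(to, 'A', CRYPT_MAX_PASSWORD_SIZE);
    memcpy(to, "$5$", 3);
    to[CRYPT_MAX_PASSWORD_SIZE] = '\0';
}

int main(void)
{
    char stored[HEX_HASH_CHARS + 1];
    demo_hex_scramble(stored, "secret", 6);
    printf("hex library:   %d\n", check_password(demo_hex_scramble, stored, "secret"));
    printf("crypt library: %d\n", check_password(demo_crypt_scramble, stored, "secret"));
    return 0;
}
```

Returning a distinct `PW_FORMAT_CONFLICT` lets the caller log the library mismatch instead of reporting every login as a wrong password.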
[Bug 1677329] Re: libpam-winbind: unable to dlopen
They are building, you can check progress here: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-1677329/+packages
samba is a big package, I bet it will take a few hours to build and publish.
[Bug 1574911] Re: my_make_scrambled_password() is not a replacement for make_scrambled_password()
Opened upstream bug against mysql explaining the situation. https://bugs.mysql.com/bug.php?id=86357
** Bug watch added: MySQL Bug System #86357 http://bugs.mysql.com/bug.php?id=86357
[Bug 1691826] Re: systemd script for sshd allows it to start too early should wait for authentication services...
Can you share your nss_ldap configuration, as well as /var/log/syslog and /var/log/auth.log? And, just to confirm, your sshd user is NOT in ldap, right?
** Changed in: cloud-init (Ubuntu) Status: New => Incomplete
** Changed in: openssh (Ubuntu) Status: New => Incomplete
[Bug 1692753] Re: package samba 2:4.3.11+dfsg-0ubuntu0.16.04.6 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
I can't find the failure reason in the attached logs. Could you please attach /var/log/samba/log.smbd?
** Changed in: samba (Ubuntu) Status: New => Incomplete
[Bug 1692968] Re: ldb: unable to stat module ...
I'm taking a look at this.
** Changed in: samba (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack)
[Bug 1610361] Re: /usr/bin/deb-systemd-helper: error: systemctl preset failed on samba-ad-dc.service: No such file or directory
Debian's workaround: https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?id=61eaeba2a7a2df61b681b4ea545811569de421d0
[Bug 1692968] Re: ldb: unable to stat module ...
Have you disabled install-recommends? Because samba-dsdb-modules is in the Recommends list for the samba package:

root@zesty-samba-1692968:~# apt-cache show samba|grep Recommends
Recommends: attr, logrotate, samba-dsdb-modules, samba-vfs-modules
Recommends: attr, logrotate, samba-dsdb-modules, samba-vfs-modules
[Bug 1692968] Re: ldb: unable to stat module ...
Can you install samba-dsdb-modules? That being said, even without that package, joining the domain worked:

root@zesty-samba-1692968:~# l /usr/lib/x86_64-linux-gnu/samba/ldb
ls: cannot access '/usr/lib/x86_64-linux-gnu/samba/ldb': No such file or directory
root@zesty-samba-1692968:~# kinit Administrator
Password for administra...@example.com:
root@zesty-samba-1692968:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@example.com

Valid starting       Expires              Service principal
05/24/2017 00:10:37  05/24/2017 10:10:37  krbtgt/example@example.com
        renew until 05/25/2017 00:10:35
root@zesty-samba-1692968:~# net ads join --no-dns-updates -k
ldb: unable to stat module /usr/lib/x86_64-linux-gnu/samba/ldb : No such file or directory
Using short domain name -- EXAMPLE
Joined 'MEMBERONE' to dns domain 'example.com'
root@zesty-samba-1692968:~#

Is this bug just about the error message, or about actually joining the AD domain?

** Changed in: samba (Ubuntu) Status: New => Incomplete
[Bug 1693288] Re: package krb5-locales 1.15-1 failed to install/upgrade: El paquete está en un estado grave de inconsistencia - debe reinstalarlo antes de intentar su configuración.
krb5 had a failed upgrade on May 22nd:

Start-Date: 2017-05-22 22:46:09
Commandline: aptdaemon role='role-upgrade-packages' sender=':1.122'
Upgrade: krb5-locales:amd64 (1.15-1, 1.15-1ubuntu0.1), apport:amd64 (2.20.4-0ubuntu4, 2.20.4-0ubuntu4.1), python3-apport:amd64 (2.20.4-0ubuntu4, 2.20.4-0ubuntu4.1), apport-gtk:amd64 (2.20.4-0ubuntu4, 2.20.4-0ubuntu4.1), unattended-upgrades:amd64 (0.93.1ubuntu2.1, 0.93.1ubuntu2.2), python3-problem-report:amd64 (2.20.4-0ubuntu4, 2.20.4-0ubuntu4.1)
Error: Sub-process /usr/bin/dpkg exited unexpectedly
End-Date: 2017-05-22 22:46:10

Can you check in the terminal log in /var/log/apt for that date to see what happened? Maybe a full disk?

** Changed in: krb5 (Ubuntu) Status: New => Incomplete
[Bug 1687449] Re: package samba 2:4.5.8+dfsg-0ubuntu0.17.04.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
*** This bug is a duplicate of bug 1610361 *** https://bugs.launchpad.net/bugs/1610361
** This bug has been marked a duplicate of bug 1610361 /usr/bin/deb-systemd-helper: error: systemctl preset failed on samba-ad-dc.service: No such file or directory
[Bug 1610361] Re: /usr/bin/deb-systemd-helper: error: systemctl preset failed on samba-ad-dc.service: No such file or directory
I tried several combinations of fresh installs and upgrades. The "error" is always there, but doesn't translate to an exit status different than zero. In fact, debian and artful (synced from debian) now work around the error by basically asking the admin to ignore it (https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?id=61eaeba2a7a2df61b681b4ea545811569de421d0).

I then tried release upgrades:
- yakkety -> zesty
- xenial -> yakkety -> zesty

In both cases I used a working samba setup (tested with smbclient //SERVER/homes -U ubuntu%ubuntu), and it all went fine. There were no errors reported by do-release-upgrade or apt/dpkg, despite the deb-systemd-helper complaint being on the screen and logs. It just wasn't fatal. In fact, all deb-systemd-helper calls in postinst have this "suffix": || true

I also tried with systems where I disabled updates and security and installed the version that came out in main, and then upgraded, and that also worked.

Either the package that had the problem is no longer available (could have been an upgrade that was superseded), or I'm not hitting the exact same conditions for some reason. Maybe debhelper started adding the "|| true" to the end of deb-systemd-helper calls is what "fixed" this for now.

Therefore, I'm marking this bug as incomplete pending further details. If this still happens to any of you, do please chime in and let's get it fixed.

** Changed in: samba (Ubuntu) Status: Confirmed => Incomplete
[Bug 1573181] Re: Samba crashes wit "signal 11" error
@sombrafam, can you attach your smb.conf and the core file(s) from /var/log/samba/cores/smbd please?
[Bug 1573181] Re: Samba crashes wit "signal 11" error
Actually, ignore that. Could you please file a new bug instead with that info? You can use "apport-bug samba" IIRC.
[Bug 1690684] Re: samba panic
> Now when I reboot I get the panic email.

Is it always a new email about a new panic, or could it be that you are getting the same email over and over? Just checking.

> Would you like the config file?

Yes, and the logs from /var/log/samba/ and any core files you might have in there.
[Bug 1693288] Re: package krb5-locales 1.15-1 failed to install/upgrade: El paquete está en un estado grave de inconsistencia - debe reinstalarlo antes de intentar su configuración.
Sorry, what you pasted doesn't contain entries for 2017-05-22, just 2017-05-18. Aren't there other files in /var/log/apt? Look for term.log*
We need one of those that has entries for 2017-05-22. It will probably say something like "Log started: 2017-05-22 22:46:09" or close to that time.
[Bug 1693288] Re: package krb5-locales 1.15-1 failed to install/upgrade: El paquete está en un estado grave de inconsistencia - debe reinstalarlo antes de intentar su configuración.
We can't know for sure what happened then. I suspect a full disk, as you said in comment #3 that you had just 130MB available. I suggest for you now to run "sudo apt -f install"