[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

Just tested the proposed version on two armhf systems. Both server and
client mode now negotiate to tls1.3 if applicable. The other qt
applications do still work. Of corse the test application in this thread
also works (outputs 15)

Package: libqt5network5
Version: 5.15.3+dfsg-2ubuntu0.2
Package: libssl3
Version: 3.0.2-0ubuntu1.6

So far I don't have any issues (also on amd64 I saw no regression, but
as already noted in the binary there should be no difference on amd64
since sizeof(long) == sizeof(unint64_t) == sizeof(qossloptions))

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

looking at the regression log, I see that it fails to launch jackd (exec of 
JACK server (command = "/usr/bin/jackd") failed: No such file or directory). 
Other platforms (amd64) do not have that log output.
I suspect this is because drumkv1_jack was not started yet (and so the test is 
flaky). Essentially I do not see a connection between this change and this 
package failing. /usr/bin/drumkv1_jack does not even link to libQt5Network.so.5

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

I have a version with the last attached patch in my ppa. This version works for 
me.
Is there a change we get a SRU for this? Who would make that request?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

This is my suggested backport of the upstream patch.

since, as you might know, the file locations changed a bit, lso the file
defining the new datatype moved from qsslsocket_openssl_symbols_p.h to
qsslsocket_openssl_p.h since it is required there (setupOpenSslOptions
is defined there, but qsslsocket_openssl.cpp, which includes
qsslsocket_openssl_p.h includes qsslsocket_openssl_symbols_p.h too late;
this is done differently in qt6 where setupOpenSslOptions is in
qsslcontext_openssl.cpp)

** Patch added: "openssl_set_options.diff"
   
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+attachment/5607054/+files/openssl_set_options.diff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

@mitya57 the patch is now submitted to codereview. I am however only
able to submit to the dev branch (took me a while to get this, never
used gerrit before). This also means that the patch I submitted is for
qt6. There is no way i send a codereview for qt5 anymore, so I don't
know who will do the backport if the qt6 patch gets merged.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

just a side node on the findings while hunting down this issue in gdb:

on armhf I think the calling convention is that integers are passed on
registers. uint64 is not a (32bit) integer and since the value passed to
SSL_CTX_set_options was not related in any way to the value passed in
q_SSL_CTX_set_options I think uint64_t are expected to be on the stack.
I cannot tell what value is in that place/where it came from, but it
ALWAYS had bit29 set. Bit29 means disable tls1.3.

I don't know if i686 has a similar calling convention, but if not and
i686 being a little endian architecture, that systems are not affected
by this (probably the most important platform being 32bit windows)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

https://bugreports.qt.io/browse/QTBUG-105041

this however has priority low.
additionally openssl1.1 and openssl3 are not compatible in this case if libssl 
is loaded in runtime

for 32bit this is only solvable if compiletime forces openssl version to
3 OR 1.1, but then the corresponding version MUST be loaded or someone
implements a version check in runtime. Using the q_SSL_CTX_set_options
funcion will not work in this case since the symbol is not unique

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

actually the first patch was missing something and did not compile

** Patch added: "openssl3_set_options.diff"
   
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+attachment/5603782/+files/openssl3_set_options.diff

** Patch removed: "openssl3_set_options.patch"
   
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+attachment/5603721/+files/openssl3_set_options.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

this should fix the issue

this however requires openssl3.0, but that should be ok for ubuntu going
forward

** Patch added: "openssl3_set_options.patch"
   
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+attachment/5603721/+files/openssl3_set_options.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1981807] Re: qt5-network openssl3 armhf does not support tls1.3

[msaxl]

i think I have a trace where the issue is:
openssl3 openssl's options is a uint64_t, but in qsslsocket_openssl.cpp the 
method is  defined as 
long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, 
QSsl::SslOptions sslOptions)

long on 64bit platforms is 64 bit long, but on armhf (32bit) it is
32bit.

see
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
vs
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_options.html

is this already fixed in qt6? the qt5.15 openssl3 is a ubuntu backport,
right?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1981807

Title:
  qt5-network openssl3 armhf does not support tls1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1981807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy

[msaxl]

i can confirm that the package in -proposed (1.3.16-1ubuntu0.1) does
work like expected

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951832

Title:
  xl2tpd "Can not find tunnel" in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lto-disabled-list/+bug/1951832/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

I can confirm that 1.6.1+dfsg1-3ubuntu2 fixes the gateway issue

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

remmina will probably have a tls security level switch in the future.

https://gitlab.com/Remmina/Remmina/-/commit/cf4d8f99ac258248b8e3f3a5314ae047a210a3e9

imo it would be cleaner to backport this instead of lowering the default 
security for everyone.
In the next ubuntu version I think the will be an updated remmina, so if we 
decide to lower the default level in 22.04 with a sru, we must not forget to 
drop that in kosmic.
The only other applications that uses libfreerdp directly I know of are 
libguac-client-rdp0 and krdc, but I think they will also adopt as soon as it 
will be obvious that such a setting is needed for a successful connection to 
older OSes

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

@omriasta are you sure you did not use /sec:rdp? 2.6.1+dfsg1-3ubuntu1 does not 
contain the upstream patch and will 100% work over gateway if linked to 
openssl3 and using a tls based transport over rdp gateway (nla/ext/tls), but as 
said /sec:rdp always worked if the remote end allowed it
The version in my ppa is 2.6.1+dfsg1-3ubuntu1.2~gwfix, if you meant that one

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

I have built a version that includes my mentioned security level
workaround.

It's in ppa:saxl/freerdp2

With that this bug report should be addressed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

@blaze status 403 is quite strange, but afaik openssl1.1 is not in
jammy. If you still have it this is because it probably does not get
removed when updating.

I will try to make a package that fixes both rdp gateway and windows < 8.
It would be very useful if you (and probably others) would be able to test this

note however that the gateway part is now this bug report:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1970655

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1970655] Re: ubuntu 22.04 fails connecting to a rdp server through a rdp gateway

[msaxl]

I've build a package that includes the fix mentioned above in
ppa:saxl/freerdp

if someone can test if it works

note however that a 2008r2 gateway probably fails with
ERRCONNECT_TLS_CONNECT_FAILED since openssl3.0 is not compatible with
2008r2 on tls seclevel 1 anymore (#1954970).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1970655

Title:
  ubuntu 22.04 fails connecting to a rdp server through a rdp gateway

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1970655/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1958600] Re: Can't connect to VPN

[msaxl]

*** This bug is a duplicate of bug 1951832 ***
https://bugs.launchpad.net/bugs/1951832

** This bug has been marked a duplicate of bug 1951832
   xl2tpd "Can not find tunnel" in jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1958600

Title:
  Can't connect to VPN

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1958600/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1970068] Re: L2TP+IPSec not working after upgrade to 22.04 LTS

[msaxl]

*** This bug is a duplicate of bug 1951832 ***
https://bugs.launchpad.net/bugs/1951832

this is probably not a duplicate but this
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/961

#1951832 does talk about a issue with xl2tpd, looking at this log
output, the ppp session is established but is terminated afer 1.5
minutes. A lot of bytes where sent, but none was received. looks like
the ppp packet was routed inside the ppp tunnel (this is, according to
Douglas Kosovic, a regression in network manager)

** Bug watch added: 
gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues #961
   https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/961

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1970068

Title:
  L2TP+IPSec not working after upgrade to 22.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1970068/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

ok, I created a bug report dedicated for the rdp gateway issue
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1970655

regarding the windows 6.1 tls issue (Windows 7 and Windows Server 2008
R2, probably also Vista and Server 2008) there is now an upstream report
here

https://github.com/FreeRDP/FreeRDP/issues/7839

but I think this one needs to be decided downstream if we want to
support Windows 7/2008R2 out of the box or, like in other places where
old tls versions where disabled, we want to drop support for that.

A possible workaround for the average user in that case (or also right
now) might be disabling nla on the windows 7 machine and using rdp
security instead of tls or nla.


** Bug watch added: freerdp-issues #7839
   https://github.com/FreeRDP/FreeRDP/issues/7839

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1970655] [NEW] ubuntu 22.04 fails connecting to a rdp server through a rdp gateway

[msaxl]

Public bug reported:

There is a regression in freerdp if linked/compiled against openssl 3

This has been fixed upstream with

https://github.com/FreeRDP/FreeRDP/commit/9d7c20ce8fe50bd6de54e7480b5096761a510daf.patch

The upstream bug report was
https://github.com/FreeRDP/FreeRDP/issues/7797

This bug is a split of
https://bugs.launchpad.net/bugs/1954970
as actually it showed that the issues discussed there are distinct.

** Affects: freerdp2 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1970655

Title:
  ubuntu 22.04 fails connecting to a rdp server through a rdp gateway

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1970655/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

reading the first message actually it would be better splitting out the
gateway fix since this bug really talks about windows 2008r2. If you
agree I will make a new report about the backport of the gateway fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

The relevant change is SHA1 in openssl3
https://github.com/openssl/openssl/commit/aba03ae571ea677fc484daef00a21ca8f7e82708
SHA1 is, contrary to what someone would expect given that the documentation 
says:

Level 4

Security level set to 192 bits of security. As a result RSA, DSA and
DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
prohibited.  Cipher suites using SHA1 for the MAC are prohibited. TLS
versions below 1.2 are not permitted.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

I just discovered that a direct tls connection to a windows 7 (=2008r2) rdp 
server indeed fails with 
ERRCONNECT_TLS_CONNECT_FAILED

the error is that there is no cipher match (this probably happens also
with a 2008r2 based rdp gateway server, but that someone would need to
check)

this however can be workarounded by /tls-seclevel:0

If this resolves your issue I would suggest making this the default for
freerdp. If someone from the Ubuntu team is willing to integrate such a
thing I would make a downstream patch for that too..

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

again: a debug log output would be very useful.
With a gateway there are actually two TLS handshakes. It would be useful what 
handshake fails.

What version of RD Gateway are you using? If it is a 2008/2008R2 based
one, is that even openssl3 compatible? (I checked that TLS1.0 is enabled
on the https tls handshake, but I don't know if a required cipher match
is there since I don't have a such old server available)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

> I've been testing this patch and it didn't help in my case

what would probably be useful in this thread if someone would post the
output of ex.

xfreerdp /v:  /log-level:debug

I know we are talk about remmina here, but it would be very strange if
xfreerdp works and remmina doesn't.

For me before applying this patch the relevant last lines where

[DEBUG][com.freerdp.core.nego] - nego_security_connect with PROTOCOL_HYBRID
[ERROR][com.freerdp.core] - rdg_process_close_packet:freerdp_set_last_error_ex 
E_PROXY_INTERNALERROR [0x800759D8]
[com.freerdp.core.nego] - Failed to connect with NLA security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

https://github.com/FreeRDP/FreeRDP/pull/7822 addresses a gateway issue
only, so if you don't use a gateway this will not fix anything for you.

I just compiled the latest ubuntu 2.6.1 version with this patch applied
and for me now gateway connections work

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy

[msaxl]

I agree with adrian-wilkins. Even though xl2tpd is in "universe", not
"main", this should have been noticed since contrary to other software
this does 100% not work

Hope it gets better until the first point release is out since if a ubuntu user 
gets updated to 22.04 he/she will not only notice this issue (for example 
remote desktop over gateway is currently also broken)
if I had to choose I would try making 22.10 a lts release and revert 22.04's 
lts state. There is simply too much trouble with openssl3 and lto enablement

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951832

Title:
  xl2tpd "Can not find tunnel" in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1954970] Re: remmina "Cannot connect to the RDP server ... via TLS. Check that the client and server support a common TLS version"

[msaxl]

it is now fixed upstream and in stable-2.0
https://github.com/FreeRDP/FreeRDP/pull/7823
https://github.com/FreeRDP/FreeRDP/pull/7822

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1954970

Title:
  remmina "Cannot connect to the RDP server ... via TLS. Check that the
  client and server support a common TLS version"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp2/+bug/1954970/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy

[msaxl]

Now I've replaced xl2tpd in my ppa with a working lto-enabled 1.3.16
version.

This is the patch I used to create a working version

** Patch added: "lto-fix-bug-1968336.patch"
   
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832/+attachment/5582809/+files/lto-fix-bug-1968336.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951832

Title:
  xl2tpd "Can not find tunnel" in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1968336] Re: xl2tpd fails to connect after upgrading to 22.04

[msaxl]

*** This bug is a duplicate of bug 1951832 ***
https://bugs.launchpad.net/bugs/1951832

** This bug has been marked a duplicate of bug 1951832
   xl2tpd "Can not find tunnel" in jammy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968336

Title:
  xl2tpd fails to connect after upgrading to 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1968336/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1968336] Re: xl2tpd fails to connect after upgrading to 22.04

[msaxl]

@iamfuss got it working with this patch.

The compiler seems to drop the function if compiled with lto.
Don't know if this is the issue of gcc or this specific function. That's why I 
don't try to upstreaming this patch. If someone understands better why this 
happens this person should do it instead

** Patch added: "lto-fix-bug-1968336.patch"
   
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1968336/+attachment/5582808/+files/lto-fix-bug-1968336.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968336

Title:
  xl2tpd fails to connect after upgrading to 22.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1968336/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy

[msaxl]

There seems to be a duplicate:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1968336

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951832

Title:
  xl2tpd "Can not find tunnel" in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1968195] Re: websocket transport is never enabled

[msaxl]

closed in tandem with #1968577. This was also backported to stable-2.0
branch

** Changed in: freerdp (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968195

Title:
  websocket transport is never enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp/+bug/1968195/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy

[msaxl]

I tried around and it really seems to be that a default build works but
a debian version does not.

the reason is lto. in the meantime I made my ppa version of 1.3.17 that works. 
(ppa:saxl/ppa)
WARNING: this is on 1.3.17. If there will be a working 1.3.16 version then it 
will not be downgraded automatically!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951832

Title:
  xl2tpd "Can not find tunnel" in jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1968195] [NEW] websocket transport is never enabled

[msaxl]

Public bug reported:

freerdp supports an rdp gateway with websocket transport since 2.3.0.

There was however a backport bug that never enabled this feature since
the introduction to disable this feature (by /gt:auto,no-websockets)

the relevant stable push is https://github.com/FreeRDP/FreeRDP/pull/7786

Note that the upstream master branch had never this problem, so that
feature should be tested by many people.

** Affects: freerdp (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1968195

Title:
  websocket transport is never enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp/+bug/1968195/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1964441] [NEW] libwbxml < 0.11.8 issue with libexpat1 CVE-2022-25236 fix

[msaxl]

Public bug reported:

see https://github.com/libwbxml/libwbxml/releases/tag/libwbxml-0.11.8

ubuntu jammy should upgrade to 0.11.8 from 0.11.7

older versions of ubuntu should backport
https://github.com/libwbxml/libwbxml/pull/78

This issue breaks for example sogo activesync (included first on jammy)

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1964441

Title:
  libwbxml < 0.11.8 issue with libexpat1 CVE-2022-25236 fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1964441/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1947404] Re: glibc 2.34 32bit armhf segfaults with ping ::1 (recvmsg)

[msaxl]

since jammy now is on 2.35, it is fixed there.


** Summary changed:

- glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)
+ glibc 2.34 32bit armhf segfaults with ping ::1 (recvmsg)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1947404

Title:
  glibc 2.34 32bit armhf segfaults with ping ::1 (recvmsg)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1947404/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1947404] Re: glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)

[msaxl]

it seems to be fixed in 2.35

The relevant diffs are:
https://sourceware.org/git/?p=glibc.git;a=commit;h=8fba672472ae0055387e9315fc2eddfa6775ca79
https://sourceware.org/git/?p=glibc.git;a=commit;h=798d716df71fb23dc89d1d5dba1fc26a1b5c0024

I will try to build it for impish,
but glibc is currently not buildable on jammy itself (and by the way i386 does 
not build on amd's cpus, only intel), but that is not a user problem..

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1947404

Title:
  glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1947404/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1947404] Re: glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)

[msaxl]

** Summary changed:

- glibc 2.34 impish 32bit armhf segfaults with ping ::1 (recvmsg)
+ glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1947404

Title:
  glibc 2.34 impish/jammy 32bit armhf segfaults with ping ::1 (recvmsg)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1947404/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1960258] [NEW] card/caldav compatibility limited due to gnustep 1.28 change in ubuntu jammy

[msaxl]

Public bug reported:

There is a regressin in string encoding in sogo/gnustep.
See
https://github.com/gnustep/libs-base/issues/212
https://www.sogo.nu/bugs/view.php?id=5416

since this is not likely to be solved in sogo I would suggest:
revert 
https://github.com/gnustep/libs-base/commit/bd5f2909e6edc8012a0a6e44ea1402dfbe1353a4.patch
 or
remove sogo from ubuntu.

I think delivering a broken (LTS) product is worse than not delivering.

** Affects: sogo (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  There is a regressin in string encoding in sogo/gnustep.
  See
  https://github.com/gnustep/libs-base/issues/212
  https://www.sogo.nu/bugs/view.php?id=5416
  
  since this is not likely to be solved in sogo I would suggest:
- revert 
https://github.com/gnustep/libs-base/commit/bd5f2909e6edc8012a0a6e44ea1402dfbe1353a4.patch
+ revert 
https://github.com/gnustep/libs-base/commit/bd5f2909e6edc8012a0a6e44ea1402dfbe1353a4.patch
 or
  remove sogo from ubuntu.
  
  I think delivering a broken (LTS) product is worse than not delivering.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1960258

Title:
  card/caldav compatibility limited due to gnustep 1.28 change in ubuntu
  jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sogo/+bug/1960258/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1947404] [NEW] glibc 2.34 impish 32bit armhf segfaults with ping ::1 (recvmsg)

[msaxl]

Public bug reported:

see
https://sourceware.org/bugzilla/show_bug.cgi?id=28350

in short the 32 to 64 bit timestamp emulation messes up the cmsg of the
received packet (half-overwrites a cmsg struct instead of appending it)

** Affects: glibc (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- giblc 2.35 impish 32bit armhf glibc segfaults with ping ::1 (recvmsg)
+ giblc 2.34 impish 32bit armhf glibc segfaults with ping ::1 (recvmsg)

** Summary changed:

- giblc 2.34 impish 32bit armhf glibc segfaults with ping ::1 (recvmsg)
+ glibc 2.34 impish 32bit armhf glibc segfaults with ping ::1 (recvmsg)

** Summary changed:

- glibc 2.34 impish 32bit armhf glibc segfaults with ping ::1 (recvmsg)
+ glibc 2.34 impish 32bit armhf segfaults with ping ::1 (recvmsg)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1947404

Title:
  glibc 2.34 impish 32bit armhf segfaults with ping ::1 (recvmsg)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1947404/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1861316] [NEW] ubuntu 20.04: libnss-winbind:386 should remain

[msaxl]

Public bug reported:

Ubuntu 20.04 limits the available i386 packages.
There are some applications and its dependencies that are kept in i386.

I think libnss libraries/plugins should be available in both archs since
having them only on one arch might be confusing (ex. in wine the
%USERNAME% variable could be uid or the username)

since essentially libnss-winbind is compiled only the package is not
assembled I think the work maintaining this package is quite low
(libwbclient0:i386 already is available)

https://discourse.ubuntu.com/t/community-process-for-32-bit-
compatibility/12598/57

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861316

Title:
  ubuntu 20.04: libnss-winbind:386 should remain

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1861316/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1860906] [NEW] armhf: MailPartViewers: undefined symbol: OPENSSL_init_ssl

[msaxl]

Public bug reported:

On at least armhf and the upcoming focal fossa version of sogo (4.1.1) I
get the following error in sogo.log

Error (objc-load):/usr/lib/GNUstep/SOGo/MailPartViewers.SOGo/MailPartViewers: 
undefined symbol: OPENSSL_init_ssl
Error (objc-load):/usr/lib/GNUstep/SOGo/MailerUI.SOGo/MailerUI: undefined 
symbol: __objc_class_name_UIxMailSizeFormatter

Openssl is of course installed. ldd
/usr/lib/GNUstep/SOGo/MailPartViewers.SOGo/MailPartViewers does not list
libssl.so, so I think this is a link issue.

Putting LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/libssl.so.1.1 in
/etc/default/sogo fixes the problem in the mean time

** Affects: sogo (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1860906

Title:
  armhf: MailPartViewers: undefined symbol: OPENSSL_init_ssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sogo/+bug/1860906/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1851199] [NEW] tmate broken in ubuntu 19.10

[msaxl]

Public bug reported:

the tmate build of ubuntu 19.10 ist broken.

when launching tmate it immediatly quits with the only message [lost
server]. The terminal is in a broken state (ex echo off)

since both tmate and libmsgpackc2 come from ubuntu:

libmsgpackc2:
  Installed: 3.0.1-3
  Candidate: 3.0.1-3
  Version table:
 *** 3.0.1-3 500
500 http://de.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages
100 /var/lib/dpkg/status

tmate:
  Installed: 2.2.1-1build3
  Candidate: 2.2.1-1build3
  Version table:
 *** 2.2.1-1build3 500
500 http://de.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages
100 /var/lib/dpkg/status

it means somehow the build is broken or tmate and libmsgpackc2 are
incompatible

** Affects: ubuntu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851199

Title:
  tmate broken in ubuntu 19.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1851199/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820846] Re: bind_dlz zone update broken in samba 4.10

[msaxl]

Wow, I did not expect to enter this in time for ubuntu 19.04 being so
close to beta freeze.

Thank you very much for your fast inclusion given that I am the only one
who complained about this bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820846

Title:
  bind_dlz zone update broken in samba 4.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1820846/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820846] Re: bind_dlz zone update broken in samba 4.10

[msaxl]

there seem to be some issues with lists.samba.org (or my mail server and
lists.samba.org, port 25 says connection refused)

regardless of this, since 4.10.0 is already released today and it is
questionable if it will be accepted upstream in time for ubuntu 19.04
release or samba 4.10.1 release, I built a samba version with the
mentioned patch in my ppa so that I can upgrade my other servers to
19.04 when it gets released.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820846

Title:
  bind_dlz zone update broken in samba 4.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1820846/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820846] Re: bind_dlz zone update broken in samba 4.10

[msaxl]

Now I sent it to samba-technical@ using git send-email.

Hope this is how it is expected to be done. This is the first time I use
this method...

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820846

Title:
  bind_dlz zone update broken in samba 4.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1820846/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820846] [NEW] bind_dlz zone update broken in samba 4.10

[msaxl]

Public bug reported:

I discovered that dynamic updates did not work anymore after updating
samba to 4.10 (rc4).

I tracked down the reason and submitted a patch to samba bugtracker, but
it did not make into the final release. Likewise it will not be fixed in
ubuntu disco if this patch is not included downstream

see

https://bugzilla.samba.org/show_bug.cgi?id=13841

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820846

Title:
  bind_dlz zone update broken in samba 4.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1820846/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1771276] Re: linux 4.15 currupts ipsec packets over non ethernet devices

[msaxl]

** Changed in: linux (Ubuntu Bionic)
   Status: Triaged => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771276

Title:
  linux 4.15 currupts ipsec packets over non ethernet devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1771276/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1771276] Re: linux 4.15 currupts ipsec packets over non ethernet devices

[msaxl]

upstream works

it was included upstream here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=87cdf3148b11d46382dbce2754ae7036aba96380

somehow they did non backport it to 4.15 (the only version that is
affected)


** Tags added: kernel-fixed-upstream

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771276

Title:
  linux 4.15 currupts ipsec packets over non ethernet devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1771276/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1771276] Re: linux 4.15 currupts ipsec packets over non ethernet devices

[msaxl]

There is no crash. All needed information is on 
https://wiki.strongswan.org/issues/2571 #6
The reason is explained https://wiki.strongswan.org/issues/2571 #17, so the 
issue is already resolved in 4.16, but since 4.15 is EOL and 4.14 did non have 
this issue and Ubuntu 18.04 is a LTS release you might consider applying 
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=87cdf3148b11

** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771276

Title:
  linux 4.15 currupts ipsec packets over non ethernet devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1771276/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1771276] [NEW] linux 4.15 currupts ipsec packets over non ethernet devices

[msaxl]

Public bug reported:

Linux 4.15 has a bug that currupts ipsec packets if they are received over a 
non ethernet interface.
This is a serve showstopper bug for me since it breaks my VPN setup and locks 
me out of my server.

see https://wiki.strongswan.org/issues/2571 and
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=87cdf3148b11

since 4.15 is already EOL, the only possibility is backporting the
linked patch

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771276

Title:
  linux 4.15 currupts ipsec packets over non ethernet devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1771276/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Yes, it seems apt remove libnss-resolve would only remove that single
thing.

Well, I'm not the one that decides what gets recommended, but systemd
also has nss-mymachines that also uses dbus. Also that could be some day
be recommended by ex. systemd-nspawn :)

Again: Now I consider this bug as state: wontfix. It is however
important to know nss dbus backends and winbind don't work well. Let's
hope if someone suffers from a similar issue finds this and knows how to
resolve the probem.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Yes, I think a version between 16.04 and 18.04 added this (Don't
remember what version).

If someone installs libnss-resolve it will modify nsswitch
automatically.

I think we can close this ticket since it does not apply to a default 
configuration.
Also I think /etc/hosts is not empty by default but still contains localhost 
and hostname.
Just keep in mind that myhostname would also allow removing localhost and 
hostname from /etc/hosts. I expect ubuntu to do that at some point in the 
future.
In that case installing libnss-resolve could make problems that are not easy to 
track.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

I've tested if my suggested workaround would work. see ppa:saxl/ppa.

It works :)

Summary: Default 18.04 installation should not be affected since
/etc/hosts contains an entry with the local hostname. If ubuntu removes
this line by default the default installation will break (afaik systemd-
resolved should replace every /etc/hosts since it also resolves
localhost).

Technical problem: winbindd process must not use dbus with uid!=0.

My workaround makes sure it will not happen (in this case, kerberos
method = system keytab will still deadlock). The impact of this patch
should be zero since on a correctly configured system only uid==0 will
be able to use /etc/krb5.keytab so this workaround skips the step
loading the system keytab and failing doing so.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

i guess I found the problem.

winbindd somewhere does change its uid to the target uid to create the users 
kerberos cache.
If keytab method contains system keytab (it does in my configuration), in 
gse_krb5.c fill_mem_keytab_from_system_keytab there is a call to name_to_fqdn. 
This function uses getaddrinfo to get the machines fqdn. This in turn connects 
to system dbus (not as uid 0!). system dbus has not cached this uid's 
"credentials" (there seems to be a hash table, see dbus-userdb.c line 148), so 
it uses nsswitch configuration to get it. system dbus now connects to winbind. 
But winbind seems to be blocking in this case (and system dbus now is blocked 
to).
As soon as pam_winbind times out, the deadlock is broken, the needed 
information is returned to system dbus, the info is put into the hashtable, 
dbus is not blocked anymore.

The second time the info is in dbus's hashtable, so the deadlock does
not happen (this also explains why the second time I get the systems
fqdn but not the first time).

Keep in mind that this means calling getaddrinfo in winbind is only save
as uid 0, but I suggest the following (maybe better to be discussed
upstream):

insert a if(getuid()==0){ .. } around line 597 and 602 in gee_krb5.c
(https://git.samba.org/?p=samba.git;a=blob;f=source3/librpc/crypto/gse_krb5.c;h=4dd39eaf08d8f492b6b332cfb5b2f30e4c1ab575;hb=4dd39eaf08d8f492b6b332cfb5b2f30e4c1ab575#l597)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Some testresults:
resolv.conf dns server*, nsswitch setting, hosts contains 127.0.1.1 entry, 
result
-
127.0.0.53 , file resolve dns, no, fails
127.0.1.1  , file resolve dns, no, fails
127.0.0.53 , file dns, no, works
127.0.1.1  , file dns, no, works
127.0.0.53 , file resolve dns, yes   , works
127.0.1.1  , file resolve dns, yes   , works

* if 127.0.0.53, symlink to /lib/systemd/resolve.conf is in use

Conclusion: the problem is in nss_resolve

since nss_resolve should use dbus, I checked with dbus-monitor --system what is 
sent.
If you are able to reproduce this problem: To me it seems that the request is 
sent after the timeout already happened. Also while the login attempt is 
running, systemd-resolve is not working. Do you know a situation dbus-daemon is 
blocking?. If this proves true, what could cause this?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Some additions:

I discovered that if I do not symlink /etc/resolv.conf -> 
/lib/systemd/resolv.conf but /etc/resolvconf/resolv.conf
and add
dns=dnsmasq
rc-manager=resolvconf

in /etc/NetworkManager/NetworkManager.conf,

the problem is gone.

Additionally I re-added the 127.0.1.1 entry in /etc/hosts (should not be
required with systemd-resolved).

This entry is the source of the problem: if it is missing, getaddrinfo
in source3/lib/util.c should get the domain name from systemd-resolve
(hostname -f does, getent hosts  also), but on the first call
after reboot it does not return the fqdn but only the hostname. Very
strange.. I will look if I find something in systemd-resolve, maybe
there is a regression

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Requested logs.
The failed first authentication is on Apr 21 11:05:28, immediatly after the 
second attempt succeeds.

Before I logged in with the domain account I checked that networking of the 
machine worked:
wbinfo -P and wbinfo -p both showed online, wbinfo -u displayed every user.

The DC is a Ubuntu 16.04 samba active directory. In a similar setup
where I have the same problem I use a "18.04" ubuntu samba dc, but lets
stay with this machine since I can reproduce the problem very reliably
and the machine reboots quickly.

/etc/nsswitch has the following setup:
passwd: compat winbind systemd
group:  compat winbind systemd
shadow: compat
gshadow:files

hosts:  files resolve dns mdns_minimal
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files

netgroup:   nis


** Attachment added: "logs.tar.xz"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+attachment/5124840/+files/logs.tar.xz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

The content is:

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

/etc/netplan/ contains 01-network-manager-all.yaml, if I remove it I get no 
network connection.
This systems seems to be already migrated to netplan.

/etc/network/interfaces.d/ is empty, /etc/network/interfaces contains
only the default lo interface.

smb.conf:
[global]
workgroup = JDW
realm = JDW.CONET
security = ads
idmap config * : backend = tdb
idmap config * : range = 100-199
idmap config JDW : backend = rid
idmap config JDW : range = 126690-20
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind request timeout = 3
kerberos method = secrets and keytab

   
#winbind rpc only = yes 

   
client signing = yes

   
client use spnego = yes 

   
store dos attributes = yes  

   
ea support = yes

** Attachment added: "logfiles"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+attachment/5123369/+files/sambalog.tar.xz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] Re: winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

1) Yes, it is a desktop system, but not a wireless system, so network is 
available (NetworkManager).
I've checked that with ssh-ing into this machine with a local account. Both 
wbinfo -p and wbinfo -P showed everything is online. But also in this case the 
first domain login failes.

2) It is a upgrade installation (without netplan)

3) Quick question: is there a documentation how to manually migrate to
netplan in a desktop system?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1764853] [NEW] winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

[msaxl]

Public bug reported:

The following issue exists only on Ubuntu 18.04

I've upgraded ubuntu from 17.10 and noticed that winbind does not work well.
90% of the time I reboot my system I'm getting PAM_AUTHINFO_UNAVAIL when trying 
to log in with a domain account.
clicking login again on the login screen most of the time succeeds (so the 
password is correct)

I've checked if it works if I wait 10 minutes before logging in, no success, so 
it is not a timing issue.
Also I've checked if winbind is working (log in with ssh using a local account)
getent passwd xy and wbinfo -K user%pwd both work always.

Now my workaround is putting
winbind request timeout = 3
in smb.conf, since the PAM_AUTHINFO_UNAVAIL is returned about 60sec after 
trying to login. This workaround solves nothing, it only makes logging in 
faster. (But now it fails mostly two times, but waiting 6 seconds is better 
than 60)

To me it seems like deadlock, but I was unable to track it since it
happens only on the first login. Then I would have to reboot (restarting
winbind does not trigger it twice, also removing all caches in
/run/samba does not trigger it twice)

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1764853

Title:
  winbind returns PAM_AUTHINFO_UNAVAIL on first login after reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1764853/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1752670] [NEW] ppp 2.4.7-2+1ubuntu1 bionic mschap broken

[msaxl]

Public bug reported:

pppd 2.4.7-2+1ubuntu1 breaks vpn connections to Windows and Mikrotik Servers.
It seams only mschap is broken.
manually compiling https://github.com/paulusmack/ppp/ fixes it, so the problem
seams to be downstream.

Removing replace-vendored-hash-functions.patch seams to fix the problem

** Affects: ppp (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1752670

Title:
  ppp 2.4.7-2+1ubuntu1 bionic mschap broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ppp/+bug/1752670/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1713226] Re: systemd-networkd messes up networking

[msaxl]

The example 2 in my first posting is not an bug since the package
contains /lib/systemd/network/80-container-host0.network. As I wrote
this only affects systemd-nspawn containers

the unexpected "thing" is that when you upgrade you do not expect a
system wide configuration that is active in parallel to the "old"
ifupdown configuration. To keep your old configuration someone can for
example touch /etc/systemd/network/80-container-host0.network

I have no idea how to deal with that "problem", but I think that not
many have such configurations and less do a container upgrade instead of
a clean update. With luck the rest will be directed here by google ;)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1713226

Title:
  systemd-networkd messes up networking

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1713226/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1713226] Re: systemd-networkd messes up networking

[msaxl]

Here are the files of the networkmanager systemd-networkd conflict (I
already removed ifupdown, the problem is the same, so we say for sure
networkmanager or systemd-networkd causes the problem)

the output of ip a is the following:

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth1:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
link/ether 00:1d:7d:c3:a3:a1 brd ff:ff:ff:ff:ff:ff
inet6 fd12:2017:8387:0:8d6:b5ff:bf63:6389/64 scope global mngtmpaddr 
noprefixroute dynamic 
   valid_lft 86396sec preferred_lft 14396sec
inet6 fd12:2017:8387:0:21d:7dff:fec3:a3a1/64 scope global mngtmpaddr 
noprefixroute dynamic 
   valid_lft 86304sec preferred_lft 14304sec
inet6 fe80::21d:7dff:fec3:a3a1/64 scope link

   
   valid_lft forever preferred_lft forever

the profile that should come up has addr-gen-mode=stable-privacy, so
somehow it adds another ipv6 address, but it totally ignores ipv4...

** Attachment added: "files.tar.xz"
   
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1713226/+attachment/4941430/+files/files.tar.xz

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1713226

Title:
  systemd-networkd messes up networking

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1713226/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1713226] Re: systemd-networkd messes up networking

[msaxl]

this was a upgrade so the ifupdown problem should not happen with clean 
installs.
How is the migration planned?

If for example one will do a upgrade from 16.04 to the next 18.04 such
problems are a clear show stopper since breaking the network for most
servers will mean needing physical access.

On my system there is nothing that puts the interface to state up, so I blame 
systemd-networkd being it (normal desktop system, so /etc/network/interfaces 
contains only a lo entry).
But after all I consider having two systems that configure the same set of 
network interfaces will never work reliable.
I think the best would be systemd-networkd.service conflicts 
network-manager.service

What is the pro of enabling systemd-networkd on desktop systems? I see
advantages on server systems over ifupdown, but afaik neither gnome nor
plasma has systemd-networkd integration.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1713226

Title:
  systemd-networkd messes up networking

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1713226/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1713226] [NEW] systemd-networkd messes up networking

[msaxl]

Public bug reported:

Since systemd-234-2ubuntu8 systemd-networkd is enabled by default.

This causes problems existing configurations
ex1: if the network has ipv6 enables (the host recieves a router 
advertisement), networkmanager does not configure the network anymore so you 
get only ipv6 and no ipv4 connections (since systemd-networkd seems to bring 
only the link up)

ex2: if you use systemd-nspawn and configured static ip addresses in
/etc/network/interfaces, systemd-networkd adds a dhcp obtained address
on the host0 adapter and a 169.254 address

For the average user both is not expected, so my solution was systemctl
disable systemd-networkd, but since you seem to insist having this
enabled, it must be made sure systemd-networkd does not touch existing
configurations.

My suggestion is:
1) if /etc/network/interfaces contains anything other than lo -> do not enable 
systemd-networkd
2) if network-manager is enabled, systemd-networkd must be disabled and vice 
versa

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: artful

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1713226

Title:
  systemd-networkd messes up networking

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1713226/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1672162] [NEW] pam_winbind broken missing symbols

[msaxl]

Public bug reported:

Ubuntu zesty samba 4.5.4 installs a pam_winbind version that has missing
symbols, for example

wbcCtxFree

since arch linux does not have this bug I checked what is different
there:

The breaking patch is fix-1584485.patch

If I remove this one it works again (of course technically now
pam_winbind is dependend on libwbclient and not static anymore)

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1672162

Title:
  pam_winbind broken missing symbols

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1672162/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1625940] Re: CIFS client: access problems after updating to kernel 4.4.0-38-generic

[msaxl]

*** This bug is a duplicate of bug 1626112 ***
https://bugs.launchpad.net/bugs/1626112

the fix of bug #1626112 does not resolve this problem
automount gets the wrong UID, so it does not work

if I mount manually with the correct uid= parameter it works as expected (also 
with the other kernels where bug 1626112 was present)
There is no DFS so i guess this bug has nothing to do with bug 1626112

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1625940

Title:
   CIFS client: access problems after updating to kernel
  4.4.0-38-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1625940/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1625940] [NEW] CIFS client: access problems after updating to kernel 4.4.0-38-generic

[msaxl]

Public bug reported:

Since updating to kernel 4.4.0-38 on ubuntu xenial I cannot access
automount shares anymore

it seems that automount since this update resolves $UID always to 0
instead of the requesting users uid. reverting to the older kernel
resolves this.

-fstype=cifs,uid=\$UID,credentials=/etc/auto.master.d/cifs-
creds,cifsacl,nounix

I guess this is a regression of bug fix #1612135, - fs: Call d_automount
with the filesystems creds

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1625940

Title:
   CIFS client: access problems after updating to kernel
  4.4.0-38-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1625940/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1574507] [NEW] plasma-nm only sometimes show current transmit and recieve speed

[msaxl]

Public bug reported:

When expanding the plasma-nm applet only sometimes it shows the current
transmit and recieve speeds.

Usually when it gets expanded the first time it shows this information.
But if you open the network settings dialog (kde5-nm-connection-editor)
it always stopps working until you restart plasma

Some debugging revealed that PlasmaCore.DataSource probably has a bug when 
changing connectedSources to an empty array.
A workaround is changing the interval property to 0 if the data is not needed.

** Affects: plasma-nm (Ubuntu)
 Importance: Undecided
 Status: New

** Patch added: "showspeed_datasource_change_interval.diff"
   
https://bugs.launchpad.net/bugs/1574507/+attachment/4646231/+files/showspeed_datasource_change_interval.diff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1574507

Title:
  plasma-nm only sometimes show current transmit and recieve speed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/plasma-nm/+bug/1574507/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1388091] Re: winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

in samba 4.3.3 in ubuntu xenial the problem is resolved.

The upstream bug is/was https://bugzilla.samba.org/show_bug.cgi?id=10440
As you can see there the proper fix is quite big, maybe not the best idea to 
backport to 4.1,
but at least in the next lts version of ubuntu it should be fixed

** Bug watch added: Samba Bugzilla #10440
   https://bugzilla.samba.org/show_bug.cgi?id=10440

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1388091] Re: winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

in samba 4.3.3 in ubuntu xenial the problem is resolved.

The upstream bug is/was https://bugzilla.samba.org/show_bug.cgi?id=10440
As you can see there the proper fix is quite big, maybe not the best idea to 
backport to 4.1,
but at least in the next lts version of ubuntu it should be fixed

** Bug watch added: Samba Bugzilla #10440
   https://bugzilla.samba.org/show_bug.cgi?id=10440

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1530929] [NEW] /usr/share/pam-configs/winbind should not include krb5_ccache_type or other options

[msaxl]

Public bug reported:

the template file winbind includes a lot of options that should be in
/etc/security/pam_winbind.conf.

Putting options in the template overwrites the option in 
/etc/security/pam_winbind.conf,
So, if you want for example to put the krb5cc outside of tmp, you have to 
modify the file in /usr/share/pam-configs/,
than call pam-auth-update.
Files in /usr should not be touched by users, so this is not a real solution. 
The correct place is /etc, in this case the configuration file 
/etc/security/pam_winbind.conf

The file in usr should be like:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore]pam_winbind.so try_first_pass
Auth-Initial:
[success=end default=ignore]pam_winbind.so
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore]  pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore]pam_winbind.so use_authtok 
try_first_pass
Password-Initial:
[success=end default=ignore]pam_winbind.so
Session-Type: Additional
Session:
optionalpam_winbind.so


whereas the file in /etc/security/pam_winbind.conf should be like this to not 
change the effective configuration

[global]
krb5_auth=yes
krb5_ccache_type=FILE
cached_login=yes

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: libpam-winbind

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1530929

Title:
  /usr/share/pam-configs/winbind should not include krb5_ccache_type or
  other options

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1530929/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1530929] [NEW] /usr/share/pam-configs/winbind should not include krb5_ccache_type or other options

[msaxl]

Public bug reported:

the template file winbind includes a lot of options that should be in
/etc/security/pam_winbind.conf.

Putting options in the template overwrites the option in 
/etc/security/pam_winbind.conf,
So, if you want for example to put the krb5cc outside of tmp, you have to 
modify the file in /usr/share/pam-configs/,
than call pam-auth-update.
Files in /usr should not be touched by users, so this is not a real solution. 
The correct place is /etc, in this case the configuration file 
/etc/security/pam_winbind.conf

The file in usr should be like:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
[success=end default=ignore]pam_winbind.so try_first_pass
Auth-Initial:
[success=end default=ignore]pam_winbind.so
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore]  pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore]pam_winbind.so use_authtok 
try_first_pass
Password-Initial:
[success=end default=ignore]pam_winbind.so
Session-Type: Additional
Session:
optionalpam_winbind.so


whereas the file in /etc/security/pam_winbind.conf should be like this to not 
change the effective configuration

[global]
krb5_auth=yes
krb5_ccache_type=FILE
cached_login=yes

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: libpam-winbind

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1530929

Title:
  /usr/share/pam-configs/winbind should not include krb5_ccache_type or
  other options

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1530929/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1475118] Re: It would be nice to get Samba 4.2 in Wily (4.1 in Maintenance mode for 6 more months. EOL by 10/2016)

[msaxl]

debian now has samba 4.2.1 in experimental. This should be a good
starting point

I've used samba 4.1 and now I am on 4.2 on arch (used as ad-server). 4.2
to me seems to be more stable (winbindd simply works better than the now
obsolete "source4" winbind; even on winbindd they made some
improvements), so I would be happy to see 4.2 in 5.10

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1475118

Title:
  It would be nice to get Samba 4.2 in Wily (4.1 in Maintenance mode for
  6 more months. EOL by 10/2016)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1475118/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1475118] Re: It would be nice to get Samba 4.2 in Wily (4.1 in Maintenance mode for 6 more months. EOL by 10/2016)

[msaxl]

debian now has samba 4.2.1 in experimental. This should be a good
starting point

I've used samba 4.1 and now I am on 4.2 on arch (used as ad-server). 4.2
to me seems to be more stable (winbindd simply works better than the now
obsolete "source4" winbind; even on winbindd they made some
improvements), so I would be happy to see 4.2 in 5.10

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1475118

Title:
  It would be nice to get Samba 4.2 in Wily (4.1 in Maintenance mode for
  6 more months. EOL by 10/2016)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1475118/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1355992] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

patch applied in ubuntu package

** Changed in: samba (Ubuntu)
   Status: New = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1388091] [NEW] winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

Public bug reported:

affected with Ubuntu version 14.04.1 and 14.10.

If the user loggs in, he does not see his own full name (geocs).

it is also reporduceable by getent passwd $USER. usually there should be
a field containing the users full name.

if winbindd enumerates all users or winbind rpc only = yes is set, the full 
name is displayed.
In the first case only until the internal cache expires.

The reason is that nss info template simply does not provide this
information and resets this field, even if the values is known somewhere
else in the code path.

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

** Patch added: Give a hint to the nss info backend if we know the full name. 
not every backend implements fetching its value (ex. template)
   
https://bugs.launchpad.net/bugs/1388091/+attachment/4250029/+files/ads_full_name_hint_nss_template.patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1388091] Re: winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

A samba version containing this patch is built in my ppa ppa:saxl/ppa (for 
utopic)
There is also a version for trusty, but its also samba 4.1.11 backported from 
utopic

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1355992] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

patch applied in ubuntu package

** Changed in: samba (Ubuntu)
   Status: New = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1388091] [NEW] winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

Public bug reported:

affected with Ubuntu version 14.04.1 and 14.10.

If the user loggs in, he does not see his own full name (geocs).

it is also reporduceable by getent passwd $USER. usually there should be
a field containing the users full name.

if winbindd enumerates all users or winbind rpc only = yes is set, the full 
name is displayed.
In the first case only until the internal cache expires.

The reason is that nss info template simply does not provide this
information and resets this field, even if the values is known somewhere
else in the code path.

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

** Patch added: Give a hint to the nss info backend if we know the full name. 
not every backend implements fetching its value (ex. template)
   
https://bugs.launchpad.net/bugs/1388091/+attachment/4250029/+files/ads_full_name_hint_nss_template.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1388091] Re: winbindd does not provide geocs to libnss_winbind in ad configuration with winbind nss info = template (default)

[msaxl]

A samba version containing this patch is built in my ppa ppa:saxl/ppa (for 
utopic)
There is also a version for trusty, but its also samba 4.1.11 backported from 
utopic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1388091

Title:
  winbindd does not provide geocs to libnss_winbind in ad configuration
  with winbind nss info = template (default)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1388091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1355992] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

in 4.1.11+dfsg-1ubuntu2 the last patch on
https://bugzilla.samba.org/show_bug.cgi?id=10490 is applied.

** Bug watch added: Samba Bugzilla #10490
   https://bugzilla.samba.org/show_bug.cgi?id=10490

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1355992] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

in 4.1.11+dfsg-1ubuntu2 the last patch on
https://bugzilla.samba.org/show_bug.cgi?id=10490 is applied.

** Bug watch added: Samba Bugzilla #10490
   https://bugzilla.samba.org/show_bug.cgi?id=10490

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I have built a package some time ago with the new patch posted on 
bugs.samba.org for utopic
(https://launchpad.net/~saxl/+archive/ubuntu/ppa/+build/6263614),

The 4.1.11+dfsg-1ubuntu1saxl1 build works well on my site. The problem
is that I am also the bug reporter on bugs.samba.org, so maybe someone
else should try to test and maybe post a comment on bugs.samba.org.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1310919/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I have built a package some time ago with the new patch posted on 
bugs.samba.org for utopic
(https://launchpad.net/~saxl/+archive/ubuntu/ppa/+build/6263614),

The 4.1.11+dfsg-1ubuntu1saxl1 build works well on my site. The problem
is that I am also the bug reporter on bugs.samba.org, so maybe someone
else should try to test and maybe post a comment on bugs.samba.org.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1310919/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

well, I have the same problem with 14.10,

to get a working samba 4.1.11 all you need to do is apply the patch in
this bugreport. It has been dropped when syncing with debian.

In my private ppa there is a working samba version for utopic.

As a longterm workaround I have changed from pam_winbind to pam_sss.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1310919/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

well, I have the same problem with 14.10,

to get a working samba 4.1.11 all you need to do is apply the patch in
this bugreport. It has been dropped when syncing with debian.

In my private ppa there is a working samba version for utopic.

As a longterm workaround I have changed from pam_winbind to pam_sss.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1310919/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1355992] [NEW] pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

Public bug reported:

essentially the same as lp #1310919, since 4.1.11+dfsg-1ubuntu1 dropped
the patch krb5_kt_start_seq.diff that is not applied upstream yet

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1355992] [NEW] pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

[msaxl]

Public bug reported:

essentially the same as lp #1310919, since 4.1.11+dfsg-1ubuntu1 dropped
the patch krb5_kt_start_seq.diff that is not applied upstream yet

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1355992

Title:
   pam_winbind krb5_ccache_type=FILE stopped working after 14.10 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1355992/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1307778] Re: getent group on trusty returns only local groups

[msaxl]

The behavior of BUILTIN\ is not a bug but is intended like this. The
idmap_ad plugin is only used for the WORKGROUP domain. everything else
is up to idmap config * : range = 10-30. See man idmap_ad

If you try setting a gid to the groups in the AD, does this workaround
the problem? (to be sure the -1 are comming from the idmap_ad backend)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1307778

Title:
  getent group on trusty returns only local groups

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1307778/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1307778] Re: getent group on trusty returns only local groups

[msaxl]

The behavior of BUILTIN\ is not a bug but is intended like this. The
idmap_ad plugin is only used for the WORKGROUP domain. everything else
is up to idmap config * : range = 10-30. See man idmap_ad

If you try setting a gid to the groups in the AD, does this workaround
the problem? (to be sure the -1 are comming from the idmap_ad backend)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1307778

Title:
  getent group on trusty returns only local groups

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1307778/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I can confirm that this fixes the bug for my installations (two
different domains on multiple 14.04 clients), everywhere using kerberos
method = secrets and keytab

and the keytab access set to root:root 600

just a side note: the bug is not in pam_winbind but in winbindd itself
(as you can read here: Apr 22 16:21:23 ben sshd[10932]:
pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR,
PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
NT_STATUS_CONNECTION_DISCONNECTED, Error message was: --
NT_STATUS_CONNECTION_DISCONNECTED --).

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I can confirm that this fixes the bug for my installations (two
different domains on multiple 14.04 clients), everywhere using kerberos
method = secrets and keytab

and the keytab access set to root:root 600

just a side note: the bug is not in pam_winbind but in winbindd itself
(as you can read here: Apr 22 16:21:23 ben sshd[10932]:
pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR,
PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
NT_STATUS_CONNECTION_DISCONNECTED, Error message was: --
NT_STATUS_CONNECTION_DISCONNECTED --).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I have looked at the source and found a potential problem. This patch
should fix it, but of corse needs some testing.


** Patch added: krb5_kt_start_seq.diff
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+attachment/4094414/+files/krb5_kt_start_seq.diff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

for those who are also affected by this bug: i've uploaded the a samba
package with this patch on my ppa (ppa:saxl/ppa). Building should start
shortly.

p.s.: I have opened a bugreport upstream
(https://bugzilla.samba.org/show_bug.cgi?id=10490), but since older
versions of samba did not have this problem, the root cause could also
be in the system kerberos implementation.

** Bug watch added: Samba Bugzilla #10490
   https://bugzilla.samba.org/show_bug.cgi?id=10490

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1310919] Re: pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

[msaxl]

I have looked at the source and found a potential problem. This patch
should fix it, but of corse needs some testing.


** Patch added: krb5_kt_start_seq.diff
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+attachment/4094414/+files/krb5_kt_start_seq.diff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1310919

Title:
  pam_winbind krb5_ccache_type=FILE stopped working after 14.04 upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1310919/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs