[Bug 1688411] [NEW] Please merge with Debian unstable 2.0.22-1.1
Public bug reported: To be entered ** Affects: openipmi (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openipmi in Ubuntu. https://bugs.launchpad.net/bugs/1688411 Title: Please merge with Debian unstable 2.0.22-1.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openipmi/+bug/1688411/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1686237] Re: [SRU] microrelease update of src:php7.0 (7.0.18)
Tested, as per usual, by installing php in a LXD 17.04 and 16.10 container and then upgrading to the versions in -proposed. Everything went smoothly: 16.10: # apt policy php7.0 php7.0: Installed: 7.0.18-0ubuntu0.16.10.1 Candidate: 7.0.18-0ubuntu0.16.10.1 Version table: *** 7.0.18-0ubuntu0.16.10.1 500 500 http://archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages 100 /var/lib/dpkg/status 7.0.15-0ubuntu0.16.10.4 500 500 http://archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu yakkety-security/main amd64 Packages 7.0.8-3ubuntu3 500 500 http://archive.ubuntu.com/ubuntu yakkety/main amd64 Packages 17.04: # apt policy php7.0 php7.0: Installed: 7.0.18-0ubuntu0.17.04.1 Candidate: 7.0.18-0ubuntu0.17.04.1 Version table: *** 7.0.18-0ubuntu0.17.04.1 500 500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages 100 /var/lib/dpkg/status 7.0.15-1ubuntu4 500 500 http://archive.ubuntu.com/ubuntu zesty/main amd64 Packages Marking v-d. ** Tags removed: verification-needed ** Tags added: verification-done-yakkety verification-done-zesty -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php7.0 in Ubuntu. https://bugs.launchpad.net/bugs/1686237 Title: [SRU] microrelease update of src:php7.0 (7.0.18) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php7.0/+bug/1686237/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Ok, I got a simpler test case for (a) that doesn't involve setting up FreeIPA, PKINIT or OTP. I'll update the bug description about it tomorrow and then proceed with the SRU paperwork and actual packages. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1683237 Title: krb5-user: kinit fails for OTP user when using kdc discovery via DNS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688399] [NEW] Please merge with Debian unstable 1.8.4-4
Public bug reported: ocfs2-tools (1.8.4-4ubuntu1) artful; urgency=medium * Merge with Debian unstable. Remaining changes: - d/t/basic: do not assume local filesystem blocksize will support the mkfs.ocfs2 blocksize (e.g., 4k disks will not support a 1k blocksize). * Drop: - d/t/control: dlm-controld is renamed to dlm in Ubuntu. [ Package has been renamed in Ubuntu to match Debian ] + LP: #1669133 -- Nishanth Aravamudan Wed, 03 May 2017 17:04:59 -0700 ** Affects: ocfs2-tools (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ocfs2-tools in Ubuntu. https://bugs.launchpad.net/bugs/1688399 Title: Please merge with Debian unstable 1.8.4-4 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ocfs2-tools/+bug/1688399/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688362] [NEW] Please merge with Debian unstable 1.6.0-3
Public bug reported: unbound (1.6.0-3ubuntu1) artful; urgency=medium * Merge with Debian unstable (LP: #1688362). Remaining changes: - Revert dnstap support (dependencies not in main) -- Nishanth Aravamudan Thu, 04 May 2017 11:29:15 -0700 ** Affects: unbound (Ubuntu) Importance: Undecided Assignee: Nish Aravamudan (nacc) Status: In Progress ** Changed in: unbound (Ubuntu) Status: New => In Progress ** Changed in: unbound (Ubuntu) Assignee: (unassigned) => Nish Aravamudan (nacc) ** Description changed: - to be completed. + unbound (1.6.0-3ubuntu1) artful; urgency=medium + + * Merge with Debian unstable (LP: #1688362). Remaining changes: + - Revert dnstap support (dependencies not in main) + + -- Nishanth Aravamudan Thu, 04 May + 2017 11:29:15 -0700 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to unbound in Ubuntu. https://bugs.launchpad.net/bugs/1688362 Title: Please merge with Debian unstable 1.6.0-3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1688362/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Bug watch added: Debian Bug tracker #860767 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 ** Also affects: krb5 (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1667834] Re: Defer php7.1 to Artful
** Changed in: php7.1 (Ubuntu) Status: Fix Committed => Fix Released ** Changed in: php-defaults (Ubuntu) Status: In Progress => Fix Released ** Changed in: php-defaults (Ubuntu) Assignee: Nish Aravamudan (nacc) => (unassigned) ** Changed in: php7.1 (Ubuntu) Assignee: Nish Aravamudan (nacc) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php-defaults in Ubuntu. https://bugs.launchpad.net/bugs/1667834 Title: Defer php7.1 to Artful To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-defaults/+bug/1667834/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688310] Re: KDC/kadmind may fail to start on IPv4-only systems
** Changed in: krb5 (Ubuntu) Assignee: Andreas Hasenack (ahasenack) => (unassigned) ** Changed in: krb5 (Ubuntu) Status: In Progress => Fix Released ** Changed in: krb5 (Ubuntu Zesty) Status: New => In Progress ** Changed in: krb5 (Ubuntu Zesty) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310 filed for (c) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1683237 Title: krb5-user: kinit fails for OTP user when using kdc discovery via DNS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688310] [NEW] KDC/kadmind may fail to start on IPv4-only systems
Public bug reported: This is fixed in artful in krb5 1.15-2 - upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8531 - debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767 - debian patch: 0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch getaddrinfo() called on a wildcard address might return the IPv6 "::1" address. On machines without IPv6 support, binding to it will likely fail and the kdc/kadmin services won't start. Steps to reproduce the problem on zesty: a) install krb5-kdc krb5-admin-server $ sudo apt install krb5-kdc krb5-admin-server when prompted, use EXAMPLE.ORG (all caps) as the default realm when prompted, use the IP of this machine for the KDC and the Admin servers b) configure a new realm called EXAMPLE.ORG $ sudo krb5_newrealm use any password of your liking when prompted c) confirm the kdc and admin services are running. $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep 4275 ?Ss 0:00 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 4306 ?Ss 0:00 /usr/sbin/kadmind -nofork d) create a principal and obtain a ticket to confirm kerberos is working properly: $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu $ kinit Password for ubu...@example.org: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: ubu...@example.org Valid starting Expires Service principal 05/04/2017 14:20:17 05/05/2017 00:20:17 krbtgt/example@example.org renew until 05/05/2017 14:20:13 e) Confirm the kerberos services are bound to IPv6 local sockets: $ sudo netstat -anp|grep -E "^(tcp|udp)6.*(krb5kdc|kadmind)" tcp6 0 0 :::88 :::*LISTEN 1078/krb5kdc tcp6 0 0 :::749 :::*LISTEN 1065/kadmind tcp6 0 0 :::464 :::*LISTEN 1065/kadmind udp6 0 0 :::88 :::* 1078/krb5kdc udp6 0 0 :::464 :::* 1065/kadmind udp6 0 0 :::750 :::* 1078/krb5kdc f) configure the system to not support IPv6. There are probably many ways to do this, but the one sure way is to reboot it with ipv6.disable=1 in the kernel command line: e.1) edit /etc/default/grub e.2) add "ipv6.disable=1" to GRUB_CMDLINE_LINUX and save e.3) run sudo update-grub e.4) reboot f) Confirm the kdc and admin services are NOT running: $ ps faxw|grep -E "(krb5kdc|kadmind)"|grep -v grep $ g) /var/log/auth.log will contain the reason: $ sudo grep -E "(kadmind|krb5kdc).*Failed" /var/log/auth.log May 4 14:11:54 22-96 krb5kdc[1087]: Failed setting up a UDP socket (for ::.750) May 4 14:11:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:15:36 22-96 krb5kdc[1510]: Failed setting up a UDP socket (for ::.750) May 4 14:16:36 22-96 krb5kdc[1652]: Failed setting up a UDP socket (for ::.750) May 4 14:25:54 22-96 kadmind[1085]: Failed setting up a UDP socket (for ::.464) May 4 14:25:54 22-96 krb5kdc[1079]: Failed setting up a UDP socket (for ::.750) ** Affects: krb5 (Ubuntu) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688310 Title: KDC/kadmind may fail to start on IPv4-only systems To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688310/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Description changed:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
- debian: conflated into
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch in artful's krb5:
0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch
TL;DR when kinit uses udp on an aliased interface address, server
responds with the wrong source IP
On zesty:
a) install krb5-kdc and krb5-admin-server
- sudo apt install krb5-kdc krb5-admin-server
+ $ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, select your own IP for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
- sudo krb5_newrealm
+ $ sudo krb5_newrealm
use any password of your liking when prompted
c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and
with mandatory PREAUTH:
- sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
+ $ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
d) extract the ubuntu principal keytab and time how long it takes to obtain a
ticket:
$ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu
$ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real 0m0.022s
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubu...@example.org
Valid starting Expires Service principal
05/03/2017 21:22:08 05/04/2017 07:22:08 krbtgt/example@example.org
renew until 05/04/2017 21:22:08
e) add another IP to your network interface. For example, this adds
10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case):
- sudo ip addr add 10.0.5.155/24 dev ens3
+ $ sudo ip addr add 10.0.5.155/24 dev ens3
f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and configure the kdc
and admin server's IP to this new IP you just added in step (e):
[realms]
EXAMPLE.ORG = {
kdc = 10.0.5.155
admin_server = 10.0.5.155
g) Time again how long it takes to obtain a ticket:
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real 0m2.017s
Step (g) shows the bug.
On a more technical level, we can see that the server responds to kinit's UDP
request using an incorrect source IP, therefore kinit never "sees" it. It
quickly times out and switches to TCP, where the server responds using the
correct source IP:
1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
2 0.00056668210.0.5.55 → 10.0.5.55KRB5 298 KRB Error:
KRB5KDC_ERR_PREAUTH_REQUIRED
(2) has the incorrect source ip!
After roughly 1s, kinit switches to tcp and tries again:
3 1.00323150710.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0
Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
4 1.003269692 10.0.5.155 → 10.0.5.55TCP 76 88 → 55588 [SYN, ACK]
Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273
TSecr=3523453804 WS=128
5 1.00330261410.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1
Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
6 1.00354520410.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ
7 1.003567693 10.0.5.155 → 10.0.5.55TCP 68 88 → 55588 [ACK] Seq=1
Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
8 1.003799664 10.0.5.155 → 10.0.5.55KRB5 326 KRB Error:
KRB5KDC_ERR_PREAUTH_REQUIRED
(continues)
(8) and the whole tcp handshake happens with the correct IP addresses and the
exchange happens and we get the ticket, but not before kinit repeats the
request with PREAUTH and UDP again. That's why it takes 2 seconds in the end :)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1688121
Title:
KDC/kadmind explicit wildcard listener addresses do not use pktinfo
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Changed in: krb5 (Ubuntu Zesty) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: krb5 (Ubuntu) Assignee: Andreas Hasenack (ahasenack) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
With the fix applied, we get this: $ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu real0m0.023s And the traffic happens all in UDP, since kinit got the "PREAUTH required" response (because now it came from the correct source IP) and just issued the updated request right away: 1 0.010.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ 2 0.002060386 10.0.5.155 → 10.0.5.55KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED 3 0.00541204610.0.5.55 → 10.0.5.155 KRB5 311 AS-REQ 4 0.012516720 10.0.5.155 → 10.0.5.55KRB5 793 AS-REP -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
** Bug watch added: krbdev.mit.edu/rt/ #8530 http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 ** Also affects: krb5 (Debian) via http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1688121 Title: KDC/kadmind explicit wildcard listener addresses do not use pktinfo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1688121/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
