[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-26 Thread Daniel Richard G.
Robie, thanks for commenting.

Note that the ldap-auth-config package does not preclude alternate forms
of managing /etc/ldap.conf. It won't touch an existing config file, nor
complain if the one it creates is modified. Also, while this package
does not exist in Debian, the file is still created when libnss-ldap or
libpam-ldap is installed---there is no expectation that the user will
create this file (let alone *know* to create this particular file) from
scratch.

The reason why I think a hard dependency is warranted is that if you
install libnss-ldap without libpam-ldap, not only are you left with no
config file for the former (i.e. /etc/ldap.conf), you could easily be
misled into thinking that /etc/ldap/ldap.conf (from the libldap package)
is relevant---especially as "man ldap.conf" refers to the latter. This
is the scenario I encountered, and IMO it made clear why weakening the
dependency on ldap-auth-config was the wrong way to go.

(Bug 1016592, and this one, would still be addressed by weakening the
ldap-auth-config -> ldap-auth-client dependency instead.)

As far as Debian is concerned, I would strongly advocate for having
ldap-auth-config (and perhaps ldap-auth-client and friends) paralleled
there. Right now, you have duplicate logic in the libnss-ldap and
libpam-ldap package postinst scripts; Ubuntu's approach essentially
factors that out into a separate package. The only change I would make
is downgrade the ldap-auth-config -> ldap-auth-client dependency to a
Suggests (or nothing), to eliminate the cycle in the dependency graph.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/334374

Title:
  libnss-ldap should not depend on libpam-ldap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ldap-auth-client/+bug/334374/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-25 Thread Daniel Richard G.
I think Thierry's solution in comment #10 is the way to go. It's
appropriate for ldap-auth-client to depend on libpam-ldap, because
that's the intent of the metapackage. But ldap-auth-config provides
/etc/ldap.conf, which you need whether or not you're using LDAP for
authentication. (That package would be better named "ldap-config".)

I see that libnss-ldap now recommends ldap-auth-config instead of hard-
depending on it. But this is not useful, because without /etc/ldap.conf,
you have no working LDAP setup. (Robie Basak made this change recently;
I've subscribed him to this bug.) I think that this particular hard
dependency was correct, in fact---unless you manually create a new
/etc/ldap.conf from scratch, I see no reason why you would want to
install libnss-ldap without ldap-auth-config (dependencies of the latter
aside).

[tl;dr] IMO, the solution is
* ldap-auth-config Recommends ldap-auth-client
* libnss-ldap Depends-on ldap-auth-config


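Worked example, added here and not part of the bug thread or of any of the packages it names: a small model of the dependency chain under discussion, which shows why installing libnss-ldap today drags in libpam-ldap and why only weakening the ldap-auth-config -> ldap-auth-client edge to Suggests (rather than Recommends, which apt installs by default) actually breaks the cycle. The graph is constructed; it assumes the ldap-auth-client metapackage depends on both libnss-ldap and libpam-ldap, which is the only part not stated outright in the thread.

```python
from collections import deque

# Relationship types that apt resolves automatically. Recommends are installed
# by default (APT::Install-Recommends), so they count as "strong" here;
# Suggests are never pulled in on their own.
STRONG = ("Depends", "Recommends")

# Constructed model of the packages named in the thread. Assumption: the
# ldap-auth-client metapackage depends on both libnss-ldap and libpam-ldap.
CURRENT_GRAPH = {
    "libnss-ldap":      {"Depends": ["ldap-auth-config"]},
    "libpam-ldap":      {"Depends": ["ldap-auth-config"]},
    "ldap-auth-config": {"Depends": ["ldap-auth-client"]},
    "ldap-auth-client": {"Depends": ["libnss-ldap", "libpam-ldap"]},
}

def relax(graph, src, dst, new_kind):
    """Copy graph with the src->dst edge moved to relationship new_kind."""
    out = {p: {k: list(v) for k, v in rels.items()} for p, rels in graph.items()}
    for targets in out[src].values():
        if dst in targets:
            targets.remove(dst)
    out[src].setdefault(new_kind, []).append(dst)
    return out

def pulled_in(graph, root, kinds=STRONG):
    """Packages that installing root brings along, following only kinds."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for kind in kinds:
            for dep in graph.get(pkg, {}).get(kind, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    seen.discard(root)
    return seen

def find_cycle(graph, kinds=STRONG):
    """One dependency cycle as a list (first node repeated at the end), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {p: WHITE for p in graph}
    path = []

    def visit(pkg):
        colour[pkg] = GREY
        path.append(pkg)
        for kind in kinds:
            for dep in graph.get(pkg, {}).get(kind, []):
                state = colour.get(dep, BLACK)   # packages outside the model are leaves
                if state == GREY:
                    return path[path.index(dep):] + [dep]
                if state == WHITE:
                    found = visit(dep)
                    if found:
                        return found
        path.pop()
        colour[pkg] = BLACK
        return None

    for pkg in graph:
        if colour[pkg] == WHITE:
            found = visit(pkg)
            if found:
                return found
    return None

# The two ways of weakening ldap-auth-config -> ldap-auth-client that came up.
RECOMMENDS_GRAPH = relax(CURRENT_GRAPH, "ldap-auth-config", "ldap-auth-client", "Recommends")
SUGGESTS_GRAPH = relax(CURRENT_GRAPH, "ldap-auth-config", "ldap-auth-client", "Suggests")

if __name__ == "__main__":
    for name, g in (("current", CURRENT_GRAPH), ("recommends", RECOMMENDS_GRAPH),
                    ("suggests", SUGGESTS_GRAPH)):
        print(f"{name:11} libnss-ldap pulls in {sorted(pulled_in(g, 'libnss-ldap'))};"
              f" cycle: {find_cycle(g)}")
```

With the current graph, libnss-ldap transitively pulls in ldap-auth-config, ldap-auth-client and libpam-ldap, and a cycle libnss-ldap -> ldap-auth-config -> ldap-auth-client -> libnss-ldap is reported; with a Recommends edge the picture is unchanged under apt's defaults; with Suggests, libnss-ldap pulls in only ldap-auth-config and the graph is acyclic, while ldap-auth-client still brings in both libraries as the metapackage intends.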

[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2013-04-25 Thread Daniel Richard G.
** Also affects: ldap-auth-client (Ubuntu)
   Importance: Undecided
   Status: New



[Bug 1131383] [NEW] Wishlist: $SSH_AUTH_SOCK in $XDG_RUNTIME_DIR

2013-02-21 Thread Daniel Richard G.
Public bug reported:

This is a wishlist item for openssh-client 6.0p1-3ubuntu1 in Ubuntu
Quantal.

Now that XDG_RUNTIME_DIR support is available, it would be nice if the
/etc/X11/Xsession.d/90x11-common_ssh-agent X session startup script
would check to see if the variable is set, and if so, pass an argument
to ssh-agent(1) so that the Unix-domain socket is created in
/run/user/$USER/* rather than /tmp/ssh-*/.

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1131383

Title:
  Wishlist: $SSH_AUTH_SOCK in $XDG_RUNTIME_DIR

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1131383/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

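Added example (not code from openssh or from the Xsession.d script the wishlist refers to): the check an X session startup helper would want before passing ssh-agent's real -a option, so that the socket only moves out of /tmp/ssh-*/ when $XDG_RUNTIME_DIR really is a private, user-owned, mode-0700 directory. The function names and the socket file name are this example's own; the demo creates a temporary directory as a stand-in for /run/user/$UID.

```python
"""Choose a private directory for the ssh-agent listening socket."""
import os
import stat
import tempfile

def private_runtime_dir(env=None, uid=None):
    """Return $XDG_RUNTIME_DIR if it is a usable private directory, else None.

    'Usable' means: set, absolute, an existing real directory (not a symlink),
    owned by the calling user, and with no group/other permission bits, which
    is what systemd-logind guarantees for /run/user/<uid>.
    """
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid
    path = env.get("XDG_RUNTIME_DIR", "")
    if not path or not os.path.isabs(path):
        return None
    try:
        st = os.lstat(path)           # lstat: a symlink must not pass as the directory
    except OSError:
        return None
    if not stat.S_ISDIR(st.st_mode):
        return None
    if st.st_uid != uid:
        return None
    if stat.S_IMODE(st.st_mode) & 0o077:
        return None
    return path

def ssh_agent_command(env=None, uid=None, name="ssh-agent.sock"):
    """argv for ssh-agent: bind the socket under the runtime dir when it is private."""
    rundir = private_runtime_dir(env, uid)
    if rundir is None:
        return ["ssh-agent", "-s"]    # ssh-agent then creates its own /tmp/ssh-*/ socket
    return ["ssh-agent", "-s", "-a", os.path.join(rundir, name)]

def demo():
    """Constructed check: a 0700 temp dir is accepted, the same dir at 0755 is refused."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, 0o700)
        private = private_runtime_dir({"XDG_RUNTIME_DIR": d})
        os.chmod(d, 0o755)
        shared = private_runtime_dir({"XDG_RUNTIME_DIR": d})
    finally:
        os.rmdir(d)
    return private == d, shared is None

if __name__ == "__main__":
    print(demo())
    print(" ".join(ssh_agent_command()))
```

The shell equivalent in an Xsession.d script would be the same tests with `[ -d ]`, `[ -O ]` and a stat of the mode before appending `-a "$XDG_RUNTIME_DIR/ssh-agent.sock"` to the ssh-agent arguments; falling back to ssh-agent's default when any test fails keeps the existing behaviour on systems without a runtime directory.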

[Bug 1098294] [NEW] Use of uninitialized value $admin in string eq at ...

2013-01-10 Thread Daniel Richard G.
Public bug reported:

When I install krb5-config 2.3 (along with some other Kerberos-related
packages) on Ubuntu Quantal, I see this:

[...]
Get:8 http://$APTHOST/ubuntu/ quantal/universe krb5-user amd64 1.10.1+dfsg-2 [114 kB]
Get:9 http://$APTHOST/ubuntu/ quantal/universe kstart amd64 4.1-2 [54.3 kB]
Fetched 1620 kB in 1s (1093 kB/s)
Preconfiguring packages ...
Use of uninitialized value $admin in string eq at /tmp/krb5-config.config.261821 line 171,  line 19.
Selecting previously unselected package libgssrpc4:amd64.
(Reading database ... 46594 files and directories currently installed.)
Unpacking libgssrpc4:amd64 (from .../libgssrpc4_1.10.1+dfsg-2_amd64.deb) ...
[...]
Setting up libkadm5srv-mit8:amd64 (1.10.1+dfsg-2) ...
Setting up krb5-config (2.3) ...
Use of uninitialized value $admin in string eq at /var/lib/dpkg/info/krb5-config.config line 171,  line 19.
Setting up libpam-krb5:amd64 (4.6-1) ...
Setting up krb5-doc (1.10.1+dfsg-2) ...
[...]

** Affects: kerberos-configs (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in Ubuntu.
https://bugs.launchpad.net/bugs/1098294

Title:
  Use of uninitialized value $admin in string eq at ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/1098294/+subscriptions



[Bug 483928]

2012-12-05 Thread Daniel Richard G.
And a year later, this issue still afflicts OpenSSH 6.1p1 (as packaged
by Ubuntu). Aab's patch still applies, if fuzzily, and still hardens up
ssh-keyscan so that it can deal with my company's network.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/483928

Title:
  ssh-keyscan(1) exits prematurely on some non-fatal errors

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/483928/+subscriptions



[Bug 483928]

2012-12-05 Thread Daniel Richard G.
I don't think anyone will fault you for having more momentous matters to
attend to! As it is, I've gone without doing a network scan for that
long anyway.

Thanks for formally submitting the patch; hopefully this issue will be
put to rest soon. Best of luck with the transition to a retired life,
and may you continue to make contributions of value to our community :)

(The old patch applied to 6.1p1 with fuzz, yet without rejections, only
because it hadn't been updated in a while.)



[Bug 483928]

2011-12-01 Thread Daniel Richard G.
(In reply to comment #41)
> 
> The number of ways that key access can be terminated keeps increasing,
> doesn't it?

I hope it won't be necessary to enumerate them all before this bug can
be closed!

> My oops.  I have had my focus redirected to other projects and,
> besides, I'm very lazy (;-}).
> 
> Dumb me, I thought at least a question or two would be forthcoming from
> the OpenSSH folks.  Guess not. I saw the mailing list reference in the
> README and promptly forgot about it.  I will send the patch there.  I
> apologize for the slowness.

Hey, it's your patch. All the fame and glory will go to you ;-)

> Question for you.  The ssh-keyscan code currently limits the maximum
> number of used file descriptors to <256.  The biggest problem that I've
> seen with that number is, if you ever have a very large number of down
> hosts (which we have had), the code uses the available fds and has to
> wait for a '-Tn' timeout on one of them to start another key access.
> I've made a local modification that changes that number to 512.  The
> code seems smart enough so that, if the OS has smaller limits, nothing
> will break.  Right now Debian defaults to 1024 fds max and (at least
> our) Redhat to 20480.  So 512 is a modest increase.  Would you have an
> opinion on this?

Debian has 1024 fds max per process, or across the entire system? (If a
local DoS attack were really as easy as calling open() ~1000 times...)

If the limit is for the whole system, that would be a good reason to
make this an option, or a recognized environment variable. If for a
single process, then just call sysconf(_SC_OPEN_MAX) and go to town.


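Added example, not ssh-keyscan's code and not the patch under discussion: how a scanner can size its pool of concurrent connections from the process's own file-descriptor limit instead of a hard-coded 256. The 1024 figure quoted above is the per-process soft limit (RLIMIT_NOFILE, what `ulimit -n` prints); the system-wide ceiling is a separate sysctl (fs.file-max), so the per-process limit is the one to query. Function names and the reserve of 16 descriptors are this example's own choices.

```python
"""Derive a connection budget from RLIMIT_NOFILE rather than a fixed constant."""
import os
import resource

def clamp_budget(open_max, requested, reserve=16):
    """Pure helper: how many concurrent connections fit under open_max descriptors.

    reserve keeps descriptors back for stdin/stdout/stderr, the output file,
    the resolver and the like. Never returns less than 1 so a tiny limit (or a
    sysconf value of -1 meaning 'indeterminate') still lets the scan progress.
    """
    return max(1, min(requested, open_max - reserve))

def connection_budget(requested, reserve=16):
    """Budget for this process from the soft RLIMIT_NOFILE, with sysconf as fallback."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        soft = os.sysconf("SC_OPEN_MAX")
    return clamp_budget(soft, requested, reserve)

def raise_soft_limit():
    """Lift the soft limit up to the hard limit (no privilege needed); return the new soft."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard != resource.RLIM_INFINITY and soft < hard:
        resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
        return hard
    return soft

if __name__ == "__main__":
    print("soft limit now", raise_soft_limit())
    print("budget for 512 requested:", connection_budget(512))
```

Under a 1024-descriptor limit the requested 512 is granted in full; under a 256 limit the budget drops to 240, and an absurdly small limit still yields 1 rather than a non-positive pool size.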

[Bug 483928]

2011-12-01 Thread Daniel Richard G.
Okay, I tried Ubuntu's packaging of OpenSSH (version 1:5.8p1-7ubuntu1)
with your patch, and it powered through everything. Here is a list of
all the error messages I received:

A.B.C.D: Connection closed by remote host
Connection closed by A.B.C.D
Connection to A.B.C.D timed out while waiting to read
Received disconnect from A.B.C.D: 10:  Protocol error
Received disconnect from A.B.C.D: 10:  Protocol error
Received disconnect from A.B.C.D: 11:  SSH Disabled
Received disconnect from A.B.C.D: 2: Client Disconnect
Received disconnect from A.B.C.D: 2: Protocol Timeout
connect (`A.B.C.D'): Network is unreachable
no 'ssh-rsa' hostkey alg(s) for A.B.C.D
read (A.B.C.D): Connection reset by peer
read (A.B.C.D): No route to host

(This is ssh-keyscan output with /^#.*$/ filtered out, all IPs zapped,
and 'sort -u'd)

Now the question is, why hasn't this been checked in already! (Have you
tried making some noise on the mailing list?)


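Added example, not code from ssh-keyscan or from the patch: the same filtering described above (drop the `/^#.*$/` banner lines, mask addresses as A.B.C.D, `sort -u`), plus a coarse bucketing of the surviving messages so that a scan run can be compared with the previous one and a sudden rise in unreachable or protocol-error hosts stands out. The sample output lines are constructed (192.0.2.0/24 is the documentation address range); the bucket names are this example's own.

```python
"""Normalise and bucket ssh-keyscan diagnostics so scan runs can be compared."""
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Coarse triage buckets: (name, substrings that put a message into it). First match wins.
BUCKETS = (
    ("unreachable", ("Network is unreachable", "No route to host", "timed out")),
    ("reset",       ("Connection reset by peer", "Connection closed", "closed by remote host")),
    ("protocol",    ("Received disconnect", "hostkey alg")),
)

# Constructed stderr from a scan: banner comments interleaved with per-host errors.
SAMPLE = """\
# 192.0.2.10 SSH-2.0-OpenSSH_5.8p1
read (192.0.2.10): Connection reset by peer
Received disconnect from 192.0.2.11: 2: Protocol Timeout
# 192.0.2.11 SSH-2.0-RomSShell_4.62
connect (`192.0.2.12'): Network is unreachable
read (192.0.2.13): Connection reset by peer
Connection closed by 192.0.2.14
"""

def normalise(text):
    """Drop banner comments, replace IPv4 addresses with A.B.C.D, return sorted unique lines."""
    seen = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        seen.add(IPV4.sub("A.B.C.D", line))
    return sorted(seen)

def classify(lines):
    """Count lines per bucket; anything unmatched lands in 'other' for a human to look at."""
    counts = {name: 0 for name, _ in BUCKETS}
    counts["other"] = 0
    for line in lines:
        for name, needles in BUCKETS:
            if any(n in line for n in needles):
                counts[name] += 1
                break
        else:
            counts["other"] += 1
    return counts

def triage(text):
    """Per-host bucket counts from the raw output (one line per host), plus the deduplicated list."""
    raw = [IPV4.sub("A.B.C.D", l) for l in text.splitlines() if l and not l.startswith("#")]
    return classify(raw), normalise(text)

if __name__ == "__main__":
    counts, unique = triage(SAMPLE)
    print(counts)
    print("\n".join(unique))
```

On the sample, triage counts three resets, one protocol error and one unreachable host, and the deduplicated list has the four distinct messages; a message that matches no bucket is counted under "other" rather than silently dropped.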

[Bug 483928]

2011-11-27 Thread Daniel Richard G.
(In reply to comment #38)
> I haven't seen this one before.  The text you included indicates that
> ssh-keyscan was processing a Protocol 2 key and it should be using the
> modified code to do it.  Is there any way that you could send me a
> traceback when the failure occurs?

I'll do that, when I'm back in the office. I'll use your patch. (This
was with the stock Ubuntu build; it was just a failure mode that hadn't
been noted here before.)

> FWIW - I think the " 2: Protocol Timeout" part of the message comes
> from the remote "SSH-2.0-RomSShell_4.62" server because I couldn't find
> that text in the OpenSSH source.  What is "RomSShell"?

It seems to be an OEM embedded implementation of SSH... this was
probably a router or something.



[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2011-03-14 Thread Daniel Richard G.
Yes, I'm afraid. Joshua's patch has not yet been committed (as of
Natty).

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.
https://bugs.launchpad.net/bugs/382832

Title:
  Need comment for line added to /etc/ldap.conf by nssldap-update-
  ignoreusers(8)



[Bug 483928] Re: ssh-keyscan(1) exits prematurely on some non-fatal errors

2011-02-22 Thread Daniel Richard G.
** Bug watch added: OpenSSH Portable Bugzilla #1213
   https://bugzilla.mindrot.org/show_bug.cgi?id=1213

** Also affects: openssh via
   https://bugzilla.mindrot.org/show_bug.cgi?id=1213
   Importance: Unknown
   Status: Unknown



[Bug 483928] Re: ssh-keyscan(1) exits prematurely on some non-fatal errors

2011-02-22 Thread Daniel Richard G.
I'm still seeing this with openssh-client 1:5.5p1-4ubuntu5. From a
makefile that invokes "ssh-keyscan -v":

[...]
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH_3.*
# A.B.C.D SSH-1.99-OpenSSH_3.6.1p2
debug1: Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
Connection closed by A.B.C.D
make: *** [ssh_known_hosts.new] Error 255



[Bug 711465] Re: mod_rewrite directives in section confusingly disable rewrites in .htaccess

2011-02-01 Thread Daniel Richard G.
Adding "RewriteOptions inherit" doesn't seem to have any effect, whether
in the  section or the .htaccess file.

Besides, looking at the documentation... "inherit - This forces the
current configuration to inherit the configuration of the parent. In
per-virtual-server context, this means that the maps, conditions and
rules of the main server are inherited. In per-directory context this
means that conditions and rules of the parent directory's .htaccess
configuration are inherited."

Doesn't that mean that the inheritance goes from main server to virtual
server, and parent directory to subdirectory? (In other words, I don't
see why it would be the .htaccess rewrite rules that would be discarded,
if any...)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
https://bugs.launchpad.net/bugs/711465

Title:
  mod_rewrite directives in  section confusingly disable
  rewrites in .htaccess



[Bug 711465] [NEW] mod_rewrite directives in section confusingly disable rewrites in .htaccess

2011-02-01 Thread Daniel Richard G.
Public bug reported:

Binary package hint: apache2.2-bin

Reporting this against version 2.2.16-1ubuntu3.1 in Maverick.

I have apache2 configured in the following way:

1. mod_rewrite is enabled;

2. "AllowOverride All" is set (on /var/www) to enable the use of
.htaccess files;

3. "RewriteEngine On" plus some basic rewrite rules are placed in
/var/www/.htaccess .


This works. URLs are rewritten without issue. But then, if I add the following 
to the server config, say in /etc/apache2/httpd.conf ...


RewriteEngine On


...then the rewrites stop working. There is no indication of why, no
error or warning message given even with logging/debugging turned up to
maximum---just .htaccess rewrite rules that refuse to work despite
everything else seemingly in order. You get the same result if you have
a RewriteRule directive in the  section; it appears that any
reference to a mod_rewrite directive therein leads to this situation.

This led to a lot of frustration on my part, because before I figured
out that I had to change AllowOverride to get .htaccess files working, I
tried adding mod_rewrite directives in a  setting, and left
them in, figuring they would be harmless at most.

After figuring out what was going on, I noticed that the mod_rewrite
documentation states the following: "Although rewrite rules are
syntactically permitted in  and  sections, this should
never be necessary and is unsupported."

I think it would be helpful if mod_rewrite were to give a prominent
warning or error if it is invoked in a  (or ) section,
rather than behaving in the above-described confusing and undocumented
manner.

** Affects: apache2 (Ubuntu)
 Importance: Undecided
 Status: New



[Bug 660105] Re: when deflate is enabled, please also compress CSS and JS by default?

2011-02-01 Thread Daniel Richard G.
I think this would need an explicit decision to de-support IE6, as far
as compressed JS is concerned. (I can't remember offhand which clients
couldn't handle compressed CSS; was it anything newer than Netscape 4?)

http://www.cforcoding.com/2009/05/supercharging-javascript-part-6.html
("Supercharging Javascript, Part 6: The Internet Explorer Problem")

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
https://bugs.launchpad.net/bugs/660105

Title:
  when deflate is enabled, please also compress CSS and JS by default?



[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2010-09-23 Thread Daniel Richard G.
Yep! That's the idea.

I would tack on the "(8)" man-section suffix to the program name, but at
any rate, this is all that's needed.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-05-15 Thread Daniel Richard G.
> I don't think moving parts of the user configuration out of the config
> files is acceptable, and if you disable and then re-enable a module, I
> don't see any reason that the config options *should* be sticky.

I wasn't so much proposing an alternative, just going over the
shortcomings I see of this approach. (Sticky options would present
another quandary---what if they're wrong, and you're not sure how? What
easy way do you have to revert to a "pristine" config, if disabling/re-
enabling a module doesn't do it?)

> pam-auth-update already implements the usual guarantee required by
> Debian/Ubuntu policy - that local configuration changes are respected.
> Helping the user understand which bits of the configuration *are* local
> changes is gravy.

What's implemented now is serviceable, to be sure, but I think the PAM
config warrants a higher level of transparency than (say) inetd.conf.
Maybe it can be machine-generated comments in the common-* files that
indicate which options are customized; maybe some external file
(/etc/pam.overrides? pam.custom?) that stores these options, allowing
easy review and editing. I don't know what the solution would be---only
that I'm vaguely uncomfortable with something as critical as the PAM
config having this not-easily-inspected space in which changes can be
made. There's definitely room for improvement here.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-05-14 Thread Daniel Richard G.
Happy to give it a try, Steve. I just commented in that bug report.

This is a potential solution, but putting aside the tricky case of "what
happens if the common-* files have customized options, and then the PAM
profile changes?", another problem with this approach is the fragility
of the customization. If you deselect the module, update, then reselect
it, and update... the customized module options are gone without a
trace. There's no way to get them back, other than making the same edit
to the common-* files again. The only real way to safeguard such
customizations is to revert the files to manually-edited mode.

I'm not terribly comfortable with the way the "statefulness" works with
this approach, either. The PAM configuration is not just a vector of
bits indicating enabled/disabled profiles, but also whatever
customizations have been made in the common-* files. If I'm not aware of
what these customizations are, then I have no good way of knowing if my
PAM config is just that vector, or if there's something more to it.
There's no mechanism to tell me "here are all the module options that
are different from what's in the profiles."


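Added example, not part of pam-auth-update or of any package in this thread: the missing report that both of the preceding messages ask for, listing the module options in an /etc/pam.d/common-* file that differ from what the installed /usr/share/pam-configs profiles declare, and flagging stack lines that no profile accounts for. It assumes the pam-configs profile layout (Key: lines with indented stack lines under Auth:, Account:, Password:, Session: and their -Initial variants) and ordinary pam.d stack lines; the two profiles and the common-auth below are constructed, with the minimum_uid option hand-removed from common-auth to reproduce the situation described in this bug.

```python
"""Report module options in /etc/pam.d/common-* that differ from the pam-configs profiles."""

STACK_KEYS = ("Auth", "Account", "Password", "Session")

def split_stack_line(line):
    """From '<control> <module> [options...]' return (module, options) or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("["):                      # bracketed control field
        rest = line[line.index("]") + 1:]
    else:                                         # plain control word
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) == 2 else ""
    tokens = rest.split()
    if not tokens:
        return None
    return tokens[0], frozenset(tokens[1:])

def parse_profile(text):
    """(pam_type, module) -> options declared by one /usr/share/pam-configs profile."""
    wanted, key = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():          # 'Name: ...', 'Auth:', 'Auth-Initial:'
            key = raw.partition(":")[0].strip()
            continue
        base = (key or "").split("-")[0]          # Auth-Initial counts as Auth
        if base not in STACK_KEYS:
            continue
        parsed = split_stack_line(raw)
        if parsed:
            module, opts = parsed
            wanted.setdefault((base.lower(), module), set()).update(opts)
    return wanted

def parse_common(text):
    """(pam_type, module) -> options actually present in an /etc/pam.d/common-* file."""
    present = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":           # comments and @include lines
            continue
        parts = line.split(None, 1)
        parsed = split_stack_line(parts[1]) if len(parts) == 2 else None
        if parsed:
            module, opts = parsed
            present.setdefault((parts[0].lstrip("-").lower(), module), set()).update(opts)
    return present

def drift(profiles, common_text):
    """Return ({(type, module): {'added': [...], 'missing': [...]}}, [keys no profile declares])."""
    wanted = {}
    for text in profiles:
        for key, opts in parse_profile(text).items():
            wanted.setdefault(key, set()).update(opts)
    changed, unprofiled = {}, []
    for key, have in parse_common(common_text).items():
        if key not in wanted:
            unprofiled.append(key)
            continue
        if wanted[key] != have:
            changed[key] = {"added": sorted(have - wanted[key]),
                            "missing": sorted(wanted[key] - have)}
    return changed, sorted(unprofiled)

# Constructed samples: a krb5 profile carrying minimum_uid=1000, a unix profile,
# and a common-auth from which an admin hand-removed the minimum_uid option.
KRB5_PROFILE = """\
Name: Kerberos authentication
Default: yes
Priority: 704
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_krb5.so minimum_uid=1000
Auth-Initial:
\t[success=end default=ignore]\tpam_krb5.so minimum_uid=1000
"""

UNIX_PROFILE = """\
Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
\t[success=end default=ignore]\tpam_unix.so nullok_secure try_first_pass
Auth-Initial:
\t[success=end default=ignore]\tpam_unix.so nullok_secure
"""

COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth\t[success=2 default=ignore]\tpam_krb5.so
auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth\trequisite\t\t\tpam_deny.so
auth\trequired\t\t\tpam_permit.so
"""

if __name__ == "__main__":
    changed, unprofiled = drift([KRB5_PROFILE, UNIX_PROFILE], COMMON_AUTH)
    for (pam_type, module), diff in sorted(changed.items()):
        print(f"{pam_type} {module}: added {diff['added']} missing {diff['missing']}")
    for pam_type, module in unprofiled:
        print(f"{pam_type} {module}: not declared by any profile")
```

On the samples the report names exactly the local change, minimum_uid=1000 missing from the pam_krb5.so auth line, and lists pam_deny.so and pam_permit.so as lines no profile declares (pam-auth-update writes those itself). Pointed at the real /usr/share/pam-configs/* and /etc/pam.d/common-* files, the same two functions give the "here are all the module options that differ from the profiles" view the message above asks for, and a clean report is a cheap check to run before re-running pam-auth-update.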

[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> Er, how is it silent when pam-auth-update asks you a question?

Silent, in the sense that when you run p-a-u, it doesn't indicate that
the common-* files have been modified in any way; it just presents you
with the same checkbox-list of profiles. You leave everything as-is, hit
OK, look at the file, and the option you had just added is gone.

(Not that I'm keen on the ability for p-a-u to preserve module options
---that means I have to guess what the tool does if the options change
in a profile, and it has to "merge" that change with hand-modified
options in common-*. Even worse if it asks the user what to do; how do
you even word that question without confusing most people?)

> That seems to me like the best way to do things at scale.

I don't want to forgo p-a-u. It's beneficial for single users and
admins, yes, but it's a boon to large sites as well, because it reduces
your entire PAM configuration from four arbitrary freeform "script"
files (in which any mistakes can have major consequences) to a short
vector of enabled/disabled PAM profiles. If a user wants to install
something that hooks into the PAM stack that isn't already in the image
(let's say, ConsoleKit), they don't have to hand-edit/merge anything, or
come running for support when they inevitably break PAM and lock
themselves out; they just check a new box. This is why I never
considered hand-tuning common-*, and instead went with a custom profile.
It's far better to wedge a new piece into p-a-u, than to toss p-a-u
altogether and hand-maintain everything the old-fashioned way. (I can
hardly even stand working with Debian Lenny anymore because it doesn't
have this. That's how big an improvement it's been for me.)

> We can certainly try to make it work more smoothly for you, but it
> does feel like you're creating extra work for yourself in a few places.

As I see it, custom profiles and hand-editing auto-generated files are
"extra work," and I'm trying to laze my way away from that! :-)

> Debian Bug#429692. There's no progress on it so far as I know.

Just #include functionality? That seems overly modest (packages would
still have to modify an existing file, they can't just drop a file into
a directory), but still an improvement over what we have now. *push*
*goad* *cajole*



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> No, it's persistent unless you disable pam_krb5 entirely. Have you
> tried it?

Yeah, where pam-auth-update asks you "Override local changes to
/etc/pam.d/common-*?" I see the man page says something about preserving
module options, but if I add an option to (say) common-auth, and re-run
p-a-u, the option is silently blown away. (This is on my Karmic work
system; has this changed since? I don't see anything in the changelog.)



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-13 Thread Daniel Richard G.
> They may want to, but I don't think the added complexity of debconf
> solely for what I believe is a rarely-used option makes sense. [...] I
> don't think debconf offers much benefit here.

Fair enough, though I hope you're not suggesting direct modification of
the /etc/pam.d/common-* files as a practical way of doing site
customization. (That'll work fine until the next time someone wants to
run pam-auth-update...)



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-12 Thread Daniel Richard G.
> I guess I'm a bit baffled by why fixing your PAM configuration is a
> workaround but installing a custom krb5.conf is a desired configuration
> step.

krb5.conf is a config file under /etc. That's the ideal place to make
configuration changes. As it is, right now, adding the minimum_uid bit
involves just appending a few lines to the file---it doesn't get much
simpler than that.

> It's a weird situation, since krb5-config doesn't know whether you're
> ever going to care about the Kerberos PAM module. You may be installing
> a krb5.conf for some other reason entirely.

Yeah, that's true. It's like with LDAP; my site uses LDAP for "ls -l",
~user lookups et al., but not for authentication. Still, having it in
debconf may be convenient enough for sites that use pam_krb5, to be
worth the "this setting only has an effect if ..." qualifier for sites
that don't.

Though I haven't made much use of [appdefaults] myself (just for the PAM
module), I've never seen a philosophical problem with it, since all the
settings there would relate to Kerberos anyway---it just comes down to
making the admin's job easier. Splitting them out elsewhere might be
more pedantically correct, but...

For that matter, has there been any talk on a better way doing
krb5.conf, like doing a /etc/krb5.conf.d/ or a krb5-auth-update(8) or
the like? With all that's been said here about the limitations of the
file and how it's structured/managed, it seems like this is a problem
that's crying out for a solution.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-12 Thread Daniel Richard G.
> But I suppose that's what NEWS.Debian is for.

You could also stick in a debconf notice, like what x11-common had for a
while ("Major possible upgrade issues").

> Right -- if you're already distributing a krb5.conf with this setting,
surely the same mechanism could be used to override the PAM
configuration as well.

At the moment, my PAM-profile override *is* put into place by the same
script that adds the minimum_uid bit to krb5.conf. But that's just a
workaround. I don't need a workaround; I need a fix for this, so that I
can toss the workaround :-)

(Incidentally, Russ, Steve... what would you think of asking minimum_uid
as a debconf question, when initially creating krb5.conf? Other sites
may want to frob this setting as well.)

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-04-07 Thread Daniel Richard G.
Isn't it possible to use debconf to change around the enabled profiles,
via the libpam-runtime/profiles selection?

Steve: I'm not sure I understand what you mean by "automatically apply
... by the same mechanism." I can set minimum_uid in krb5.conf, but I
also have to toss the minimum_uid= options in /etc/pam.d/common-*,
because PAM module options take precedence over what's in krb5.conf.

That's why I'm using a custom Kerberos profile. It's basically identical
to the stock "krb5" profile, just without the minimum_uid= bit. I *want*
to use the package defaults---the only reason I can't is because
minimum_uid is hardcoded in there, not in a conffile, and not under
/etc.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-31 Thread Daniel Richard G.
Thought about the upgrade process a bit. How about this:

1. kerberos-configs starts generating new krb5.conf files with
minimum_uid=1000. Then a little later...

2. libpam-krb5 has minimum_uid removed from pam-configs/krb5. On
upgrade, it checks to see if this is in krb5.conf. If yes, great. If no,
then copy pam-configs/krb5 to e.g. krb5_old, have pam-auth-update use
that instead of the new krb5 profile, and show a warning to the user.
The user can dismiss the warning, and nothing changes for him/her.
krb5_old sticks around as a conffile (removed if package is purged, but
otherwise remains untouched by future upgrades), and the regular krb5
profile doesn't have to be hobbled by backward-compatibility measures.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
You can see why I'm pushing on this. It's pay now, or pay later... no
real gain in waiting :-]

Ah, yes, users who've been dist-upgrading their Ubuntu installs since
Warty... I guess there's no such thing as "temporary" postinst logic, if
those need to be handled.

A warning wouldn't be so bad. The users who would see it are those who
are (1) dist-upgrading a distribution that (2) uses Kerberos
authentication. Which often occurs in (3) an institutional setting with
dedicated admins who can hand-hold/auto-script the change as needed. I
don't think so many would be affected, and of those who are, a large
part should be spoken for by their mother hens.

How did PAM-related packages manage changes to /etc/pam.d/* before
pam-auth-update came along? Yeah, automated editing is gauche, but it's not
like you just can't do *anything* in that sort of scenario...

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
What about just punting on upgrades altogether, and putting in the
rearranged config only on a new install? Could that be done with
appropriate postinst magic?

Alternately, you could pop up a big scary debconf warning... there's
ample precedent for that.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
No no, the goal is not to have Kerberos users with uid < 1000. It's to
push minimum_uid higher, so that you can have normal 1000-something-uid
local users authenticate without any Kerberos interaction. Same argument
as for the root user and ignore_root.

As for doing the upgrade, isn't pam-configs/krb5 a conffile? The user
would see what's going on.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
I know this isn't a big deal in the larger scheme of things, but it's
the difference between being able to use the stock krb5 profile, and
having to maintain a custom one. (And remember, the current behavior
involves headaches if you have any non-root local users.)

Please bring this up with Sam when you get an opportunity.

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 382832] Re: Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2010-03-30 Thread Daniel Richard G.
Hi Dustin. I just noticed you're the author of
nssldap-update-ignoreusers(8) ^_^

Does this look like a reasonable thing to add?

-- 
Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)
https://bugs.launchpad.net/bugs/382832
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.




[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2010-03-30 Thread Daniel Richard G.
Can we get minimum_uid out of pam-configs/krb5 for Lucid?

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 536930] [NEW] Password changing fails when "krb5" pam-config is not first

2010-03-10 Thread Daniel Richard G.
Public bug reported:

This concerns libpam-krb5 3.15-1 in Karmic.

If you use the "krb5" profile for pam-auth-update, password changing
works correctly---unless another profile goes above it, and the
"Password" clause is used instead of "Password-Initial". (I simulated
this by bumping the priority down to 255, putting it immediately after
the "unix" profile.) Then you get

$ passwd
passwd: Authentication information cannot be recovered
passwd: password unchanged

The problem is in passing "use_authtok" to pam_krb5. Comparatively,
try_first_pass/use_first_pass/nothing at least allows the "Current
Kerberos password:" prompt to come up.

** Affects: kerberos-configs (Ubuntu)
 Importance: Undecided
 Status: New

-- 
Password changing fails when "krb5" pam-config is not first
https://bugs.launchpad.net/bugs/536930
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 483928] [NEW] ssh-keyscan(1) exits prematurely on some non-fatal errors

2009-11-16 Thread Daniel Richard G.
Public bug reported:

Binary package hint: openssh-client

This concerns openssh-client 1:5.1p1-5ubuntu1 in Karmic.

I am using ssh-keyscan(1) for its intended purpose: building an
ssh_known_hosts file for a large network. Most of the hosts on this
network are well-maintained systems, with properly-functioning SSH
servers, and present no difficulty to the program.

However, a handful of hosts are barely alive, with SSH servers that are
not exactly in good working order. ssh-keyscan(1) currently will scan
these systems, encounter some form of error, and then---right here is
the problem---exit in the middle of the scan. The last bit of stderr
output may look like

# A.B.C.D SSH-2.0-OpenSSH_4.3
# A.B.C.E SSH-2.0-OpenSSH_4.3
# A.B.C.F SSH-1.99-OpenSSH_3.7p1
Connection closed by A.B.C.F

or

# A.B.C.D SSH-2.0-OpenSSH_4.1
# A.B.C.E SSH-2.0-OpenSSH_4.1
# A.B.C.F SSH-2.0-mpSSH_0.1.0
Received disconnect from A.B.C.F: 10:  Protocol error

or

# A.B.C.D SSH-2.0-OpenSSH_4.4p1
# A.B.C.E SSH-2.0-OpenSSH_5.0p1
# A.B.C.F SSH-2.0-mpSSH_0.1.0
Received disconnect from A.B.C.F: 11:  SSH Disabled

(These are the different failure modes I've observed to date.)

ssh-keyscan(1) needs to be robust to these kinds of errors---simply make
a note of them, and continue on with the scan. I don't want to have to
find out which systems are misbehaving by running and re-running the
scan (each run yields at most one bad host, obviously), nor manually
edit out the few bad apples from the input list of hosts (especially
considering that this particular subset can change over time). Neither
is feasible when the number of hosts being scanned is very large.

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New

-- 
ssh-keyscan(1) exits prematurely on some non-fatal errors
https://bugs.launchpad.net/bugs/483928
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.



[Bug 452461] Re: Cannot elide admin_servers from debconf config

2009-10-31 Thread Daniel Richard G.
Please let me know if any further information is needed.

** Changed in: kerberos-configs (Ubuntu)
   Status: Incomplete => New

-- 
Cannot elide admin_servers from debconf config
https://bugs.launchpad.net/bugs/452461
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 452461] Re: Cannot elide admin_servers from debconf config

2009-10-31 Thread Daniel Richard G.
Sorry for not following up sooner.

I want to set up my /etc/krb5.conf file via debconf, as is currently
implemented, but I want to do things a little differently from what the
scripts have been written to do.

Normally, you'd specify something like this in debconf:

krb5-config/kerberos_servers: server1.realm.com server2.realm.com
krb5-config/default_realm: REALM.COM
krb5-config/admin_server: admin-server.realm.com

Which would result in a clause in /etc/krb5.conf like

[realms]
REALM.COM = {
kdc = server1.realm.com
kdc = server2.realm.com
admin_server = admin-server.realm.com
}

But I want a krb5.conf clause that *does not specify* an "admin_server",
only "kdc"s. (I want to use an explicitly specified KDC, but allow the
Kerberos admin server to be located via DNS.)

Presumably, you would set an empty value for admin_server in debconf,
and the scripts would give the desired result. But at present, an empty
admin_server value causes the "REALM.COM = { ... }" clause not to be
generated *at all*. It's the same behavior you get if you enable the
debconf krb5-config/dns_for_default option.

The bug is that debconf will process either both items (kdc +
admin_server) or neither, where it should be allowing the flexibility to
use just one or the other.

-- 
Cannot elide admin_servers from debconf config
https://bugs.launchpad.net/bugs/452461
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 452461] [NEW] Cannot elide admin_servers from debconf config

2009-10-15 Thread Daniel Richard G.
Public bug reported:

Binary package hint: krb5-config

I want to set up /etc/krb5.conf via debconf so that the file specifies
"kdc" for my Kerberos realm, but not "admin_server" (nor "kpasswd")
because I want those to be found via DNS.

If I do the logical thing, however---give a value for
krb5-config/kerberos_servers, but leave krb5-config/admin_server empty
---the config script does not create a clause under [realms] at all. It
should be creating a clause with a "kdc" line and nothing more.

(Background: This is an enterprise scenario. DNS points to a long list
of remote authoritative KDCs. Because these KDCs are remote, and also
buggy [long story] we would rather use a local read-only KDC for normal
authentication. But obviously, admin_server and kpasswd have to go to
the authoritative KDCs.)

** Affects: kerberos-configs (Ubuntu)
 Importance: Undecided
 Status: New

-- 
Cannot elide admin_servers from debconf config
https://bugs.launchpad.net/bugs/452461
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.

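The behaviour asked for in the two bug 452461 messages above (a [realms] clause with "kdc" lines and no "admin_server" when that value is empty), as an added example that is not part of the bug reports or of the kerberos-configs package. The function name and its argument layout are assumptions; the realm and host names are the constructed ones from the report.

```sh
#!/bin/sh
# Added example (hypothetical helper, not kerberos-configs code): emit the
# [realms] entry for one realm the way the reporter wants it generated.
# realm_clause REALM "KDC [KDC...]" [ADMIN_SERVER]
# Each KDC gets its own "kdc =" line. The admin_server line is written only
# when a value is supplied, so an empty value leaves admin-server lookup to
# DNS instead of suppressing the whole clause (the bug described above).
realm_clause() {
    realm=$1
    kdcs=$2
    admin=${3:-}
    # A realm with no KDC at all is the only case that is really an error.
    if [ -z "$realm" ] || [ -z "$kdcs" ]; then
        echo "realm_clause: realm and at least one KDC are required" >&2
        return 1
    fi
    printf '[realms]\n%s = {\n' "$realm"
    for kdc in $kdcs; do
        printf '\tkdc = %s\n' "$kdc"
    done
    if [ -n "$admin" ]; then
        printf '\tadmin_server = %s\n' "$admin"
    fi
    printf '}\n'
}

# Sample run with the constructed names from the report: two explicit KDCs,
# admin server left to DNS.
realm_clause REALM.COM "server1.realm.com server2.realm.com"
```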


[Bug 400776] Re: ssh-keyscan(1) hangs if broken server does partial handshake

2009-10-14 Thread Daniel Richard G.
The system in question, along with several others, was recently
decommissioned and cannot be brought back online. (Honestly, we don't
even know which physical machine it was.)

This bug was trivially reproducible at the time that the report was
filed, but I no longer have the means of doing so.

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Invalid

-- 
ssh-keyscan(1) hangs if broken server does partial handshake
https://bugs.launchpad.net/bugs/400776
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.



[Bug 334374] Re: libnss-ldap should not depend on libpam-ldap

2009-08-16 Thread Daniel Richard G.
This bug report needs a visual aid.

** Attachment added: "Current dependency graph (black edge = Depends, red edge = Recommends)"
   http://launchpadlibrarian.net/30386089/depgraph.png

-- 
libnss-ldap should not depend on libpam-ldap
https://bugs.launchpad.net/bugs/334374
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.



[Bug 400776] [NEW] ssh-keyscan(1) hangs if broken server does partial handshake

2009-07-17 Thread Daniel Richard G.
Public bug reported:

Binary package hint: openssh-client

This concerns openssh-client 1:5.1p1-5ubuntu1 in Ubuntu Jaunty.

I use ssh-keyscan(1) at a company site to create a global
ssh_known_hosts file. I've found, however, that the program comes to a
halt when it scans one particular system, an ancient, abused laptop
apparently running Debian Sarge (according to the SSH server banner).
When the program reaches that point, it simply sits there, past the
timeout specified via -T, waiting on a select() call per strace(1).
After about fifteen minutes, you see "Connection closed by $IP_ADDRESS",
and the program summarily exits with status 255.

If I connect to the system with "ssh -v r...@$ip_address", I get

8<
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/username/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to $IP_ADDRESS [$IP_ADDRESS] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
[sits here idle for about fifteen minutes]
Connection closed by $IP_ADDRESS
>8

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New

-- 
ssh-keyscan(1) hangs if broken server does partial handshake
https://bugs.launchpad.net/bugs/400776
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

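The workaround a practitioner would reach for on both ssh-keyscan(1) reports above (bug 483928, one bad host ending the whole scan, and bug 400776, a host that stalls past -T), as an added example that is not part of the bug reports or of OpenSSH: invoke ssh-keyscan once per host under a hard wall-clock cap and record failures separately. The function name, file layout and the SCANNER override are assumptions; coreutils timeout(1) is assumed to be on PATH.

```sh
#!/bin/sh
# Added example (hypothetical helper, not OpenSSH code): build ssh_known_hosts
# one host at a time so that a server which drops the connection, or stalls in
# key exchange, only costs its own entry instead of ending the whole scan.
# Assumes a hosts file with one host per line ('#' lines and blanks ignored).

# Per-host command. The report above shows a hang that outlasts -T, so a
# wall-clock cap from timeout(1) is applied on top of ssh-keyscan's own
# timeout. SCANNER can be overridden, which is how the offline test runs.
SCANNER="${SCANNER:-timeout 60 ssh-keyscan -T 5}"

# scan_hosts HOSTFILE OUTFILE FAILFILE
# Appends every key line to OUTFILE and the name of every host that failed or
# produced no key to FAILFILE. Returns the number of failed hosts (capped at
# 255), so a return of 0 means a clean scan.
scan_hosts() {
    hostfile=$1
    outfile=$2
    failfile=$3
    : > "$outfile"
    : > "$failfile"
    failed=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        # ssh-keyscan writes keys to stdout and "# host banner" progress lines
        # plus any error text to stderr; stdin is detached so the scanner can
        # never consume the host list being read by this loop.
        if keys=$($SCANNER "$host" 2>/dev/null </dev/null) && [ -n "$keys" ]; then
            printf '%s\n' "$keys" >> "$outfile"
        else
            printf '%s\n' "$host" >> "$failfile"
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    if [ "$failed" -gt 255 ]; then failed=255; fi
    return "$failed"
}
```

Hosts listed in FAILFILE are the ones to re-check by hand; the key file is complete for every host that answered correctly.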


[Bug 382832] [NEW] Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)

2009-06-02 Thread Daniel Richard G.
Public bug reported:

Binary package hint: libnss-ldap

(This is an issue as of libnss-ldap 261-2.1ubuntu1 in Ubuntu Jaunty.)

The nss_initgroups_ignoreusers line added by
nssldap-update-ignoreusers(8) to the end of /etc/ldap.conf needs a comment at least
indicating what added it. For those who keep tight control over their
config files (like me), seeing this strange line added by who or what
unknown is unsettling, and not in keeping with Debian/Ubuntu's typical
transparency under /etc.

** Affects: libnss-ldap (Ubuntu)
 Importance: Undecided
 Status: New

-- 
Need comment for line added to /etc/ldap.conf by nssldap-update-ignoreusers(8)
https://bugs.launchpad.net/bugs/382832
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.



[Bug 369575] Re: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?

2009-04-29 Thread Daniel Richard G.
minimum_uid in krb5.conf, and ignore_root in .../pam-configs/krb5 sounds
like a good way to go. For sites that distribute a global krb5.conf,
they can always add the minimum_uid option if they like---if it's not
already there, the distribution is likely passing that in as a PAM
module option anyway (whether via pam-auth-update or otherwise).

For now, I guess I'll have to go with the custom krb5-mysite profile
option. (Editing /etc/pam.d/common-* is possible, and indeed honored by
pam-auth-update, but then you lose the whole benefit of being able to
generate the config with a checklist. From an administrative standpoint,
that's a *major* price to pay.)

-- 
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to kerberos-configs in ubuntu.



[Bug 300221] [NEW] Add "Recommends: keyutils" to smbfs

2008-11-20 Thread Daniel Richard G.
Public bug reported:

Binary package hint: smbfs

Looking at smbfs 2:3.2.3-1ubuntu3 in Intrepid.

Samba's CIFS kernel module (as invoked via mount.cifs(8), in smbfs)
makes use of the kernel's new request-key infrastructure, but there is
nothing at the package-description level to indicate the critical
relationship with the keyutils package.

Given that /sbin/request-key et al. are required in order for certain
shares to work at all (notably, those with DFS components, which at a
minimum need the dns_resolver upcall key), I think a strong (if not
absolute) dependency should be noted.

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
Add "Recommends: keyutils" to smbfs
https://bugs.launchpad.net/bugs/300221
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.



[Bug 236830] Re: cifs does not support kerberos authentication

2008-11-17 Thread Daniel Richard G.
Unfortunately, CIFS with Kerberos auth is broken in Intrepid, due to bug
298208. Has anyone here gotten the upcall business to work in 8.10?

-- 
cifs does not support kerberos authentication
https://bugs.launchpad.net/bugs/236830
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.



[Bug 270512] Re: openssh-client could suggest xauth rather than recommend it

2008-11-06 Thread Daniel Richard G.
Bug 51774 is about silent-failure behavior when forwarding X11 without
xauth(1) on the remote side, which is a separate issue. Colin, you
yourself said that a package dependency doesn't address that, and I
agree.

I also agree with Thierry's premise that those X11-related packages
should not be pulled in by openssh-client, and would go further to say
that they have no place in an out-of-the-box CLI install. (I filed bug
293313 before fully understanding what was going on.)

I'd like to see xauth downgraded to Suggests: in both the client and the
server. It's silly for either of them to pull in x11-common et al.
unless explicitly told otherwise via --no-install-recommends, and in any
event we're talking about a behavior that didn't even exist before the
change to apt earlier this year. More people are still accustomed to
installing xauth/xorg explicitly if they need it, than to relying on the
Recommends: to do it for them; we're not going to see hordes of hapless
users running around because they can't forward X11 connections anymore.

When apt was changed to install Recommends: by default, Michael Vogt
said, "We should also clean up recommends were appropriate and downgrade
them to suggests and sent the patches [to] debian." I think this is a
case where that is needed.

If the downgrade on -client and -server is too much, then at least do it
for -client. Systems with xorg will already have xauth, so the only case
left is systems without X11 serving as an intermediate SSH hop between
systems that do (and does *that* rare case warrant polluting minimal CLI
installs with X11 libs?).

-- 
openssh-client could suggest xauth rather than recommend it
https://bugs.launchpad.net/bugs/270512
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
