Hello Robert, or anyone else affected, Accepted gssproxy into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gssproxy/0.8.2-2ubuntu0.21.04.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: gssproxy (Ubuntu Hirsute) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-hirsute ** Changed in: gssproxy (Ubuntu Focal) Status: In Progress => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libselinux in Ubuntu. https://bugs.launchpad.net/bugs/1788459 Title: gssproxy crashes in libselinux.so.1 on Ubuntu 18.04 when called by rpc.gssd Status in gssproxy package in Ubuntu: In Progress Status in libselinux package in Ubuntu: Invalid Status in gssproxy source package in Focal: Fix Committed Status in libselinux source package in Focal: Invalid Status in gssproxy source package in Hirsute: Fix Committed Status in libselinux source package in Hirsute: Invalid Bug description: [ Impact ] gssproxy users on Focal and Hiruste who configure the package to handle NFS mountpoints using Kerberos authentication will experience a segmentation fault when invoking the service either through systemd or by hand. [ Test Case] Inside a Focal LXD container: $ lxc launch images:ubuntu/focal gssproxy-bug1788459-focal $ lxc shell gssproxy-bug1788459-focal # apt update # apt install -y gssproxy nfs-kernel-server # cat > /etc/gssproxy/gssproxy.conf << __EOF__ [gssproxy] debug = true debug_level = 3 __EOF__ # cat >> /etc/gssproxy/25-nfs-server.conf << __EOF__ [service/nfs-server] mechs = krb5 socket = /run/gssproxy.sock cred_store = keytab:/etc/krb5.keytab trusted = yes kernel_nfsd = yes euid = 0 __EOF__ # /usr/sbin/gssproxy --interactive --debug --debug-level=3 --socket=/run/gssproxy.sock [2021/06/30 14:34:14]: Debug Enabled (level: 3) [2021/06/30 14:34:14]: Keytab /etc/krb5.keytab has no content (-1765328203) [2021/06/30 14:34:14]: Service: nfs-server, Enckey: [ephemeral], Enctype: 18 [2021/06/30 14:34:14]: Client [2021/06/30 14:34:14]: (/usr/sbin/gssproxy) [2021/06/30 14:34:14]: connected (fd = 12)[2021/06/30 14:34:14]: (pid = 3428) (uid = 0) (gid = 0)Segmentation fau lt (core dumped) [ Where problems could occur ] * The backported patch is simple and it is very unlikely that it will introduce a regression. * As usual, it is always risky to rebuild a package that hasn't been touched for more than 1 year, albeit in this case the risk is very low because the package is not very complex. [ Original Description ] I have apache configured to perform a kerberized NFS4 mount using rpc.gssd and gssproxy. If I request a web page that requires NFS4 access, then gssproxy crashes, reporting a segfault in libselinux.so.1 and the web request generates a 403 error. gssproxy[6267]: segfault at 0 ip 00007f2f5bb1951a sp 00007ffe861da150 error 4 in libselinux.so.1[7f2f5bb0d000+25000] If I run gssproxy at debug level = 3, and then load a web page, I can see the uid/principal request for www-data come in from rpc.gssd: # gssproxy -d --debug-level=3 -i -C /etc/gssproxy [2018/08/22 17:51:40]: Debug Enabled (level: 3) [2018/08/22 17:52:06]: Client [2018/08/22 17:52:06]: (/usr/sbin/rpc.gssd) [2018/08/22 17:52:06]: connected (fd = 10)[2018/08/22 17:52:06]: (pid = 4548) (uid = 33) (gid = 33)Segmentation fault (core dumped) Since gssproxy is required to initiate kerberos principals for any local application services - Ubuntu 18.04 does not currently support running application services with NFS4 kerberos dependencies. This has a fairly significant impact on anyone attempting to implement kerberos on Ubuntu 18.04 Ubuntu 18.04.1 LTS gssproxy 0.8.0-1 libselinux1:amd64 2.7-2build2 libgssrpc4:amd64 1.16-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gssproxy/+bug/1788459/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
