Bug#: 98848
Status: RESOLVED
Resolution: DUPLICATE of bug 98303
Assigned To: Gentoo Kerberos Maintainers <kerberos@gentoo.org>
Reporter: Wolf Giesen (RETIRED) <frilled@gentoo.org>

Description:   Opened: 2005-07-12 22:31 0000
mit-krb5-1.4.1 breaks Samba 3.0.14a in ADS mode, see bug #98303. Downgrading to
mit-krb5-1.3.6-r2 solves the problem. I know it's a security risk, but the other
option is a system that is *broken*.

Now 1.3.6-r2 disappeared from the portage tree -> no way for people to get their
systems working again.

Reproducible: Always
Steps to Reproduce:
Please see bug #98303
Actual Results:  
Cannot downgrade to get Samba working in ADS mode again.

Expected Results:  
Fix Samba with krb-1.4.1; in the meantime, keep 1.3.6-r2 around.

------- Comment #1 From Greg Tassone 2005-07-12 22:38:46 0000 -------
I'm not sure, but this may have to do with the following MAJOR security breach
in this package -- just resolved today:

http://bugs.gentoo.org/show_bug.cgi?id=98799

------- Comment #2 From Wolf Giesen (RETIRED) 2005-07-13 00:48:59 0000 -------
Well, for me a non-working system is a more severe breakage than a security hole
in a network I trust 98%.

I *cannot* use mit-krb-1.4.1 unless the Samba issue is fixed. This is
*critical* in my production environment.

------- Comment #3 From Wolf Giesen (RETIRED) 2005-07-13 02:07:37 0000 -------
mit-krb5-1.4.1-r2 does *not* fix the Samba problem!

------- Comment #4 From Jakub Moc (RETIRED) 2005-07-13 02:22:33 0000 -------
Grab it from WebCVS and put it into your overlay if you want it...

http://www.gentoo.org/cgi-bin/viewcvs.cgi/app-crypt/mit-krb5/

------- Comment #5 From Wolf Giesen (RETIRED) 2005-07-13 02:28:46 0000 -------
I managed to get it back from one of my servers that was not synced yet.

Now, I do understand you'd want the new version out ASAP, but if we need to have
samba working with krb, are those of us supposed to find out and do it manually
like I did?

I can't really decide here, but I think pulling the old version completely was
not the best move. Convince me otherwise .-/

------- Comment #6 From Wolf Giesen (RETIRED) 2005-07-13 02:41:35 0000 -------
BTW: Can no longer build PHP with kerberos support with 1.4.1.

------- Comment #7 From Greg Tassone 2005-07-13 02:49:55 0000 -------
(In reply to comment #6)
> BTW: Can no longer build PHP with kerberos support with 1.4.1.

Quick aside:  I'm having this as well.  I've seen one similar forum thread so
far, but I think the recent upgrade has made it more widespread now.

------- Comment #8 From Jakub Moc (RETIRED) 2005-07-13 02:52:13 0000 -------
(In reply to comment #6)
> BTW: Can no longer build PHP with kerberos support with 1.4.1.

It's really not very productive to moan here... I don't know if there is a
bug open for the PHP problem; if not, then open a new bug and post the error
messages and whatnot there, please.

------- Comment #9 From Jakub Moc (RETIRED) 2005-07-13 02:57:34 0000 -------
Wrt comment #6 and comment #7: does Bug 98842 describe the problem w/ PHP and
new mit-krb5 version? 

------- Comment #10 From Wolf Giesen (RETIRED) 2005-07-13 02:58:20 0000 -------
Well, it does not build with -kerberos, either. Complains about libcrypto.
But set that aside, as it is not the main problem here. (Yet :-)

------- Comment #11 From Wolf Giesen (RETIRED) 2005-07-13 03:02:29 0000 -------
To #9: Yes I guess it does. Looks like what I get.

------- Comment #12 From Wolf Giesen (RETIRED) 2005-07-13 03:03:52 0000 -------
What didn't work was building with -kerberos in package.use

------- Comment #13 From Wolf Giesen (RETIRED) 2005-07-13 03:15:54 0000 -------
My fault. Workaround in #98842 is viable.

------- Comment #14 From Greg Tassone 2005-07-13 03:21:44 0000 -------
(In reply to comment #9)
> Wrt comment #6 and comment #7: does Bug 98842 describe the problem w/ PHP and
> new mit-krb5 version? 

Yes, this describes the PHP problem perfectly.  The key error is in the config file:
---------------
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.5-20050130/../../../../i686-pc-linux-gnu/bin/ld:
cannot find -lgssapi
collect2: ld returned 1 exit status
---------------

The line:
cannot find -lgssapi

appears to be the key problem (part of the kerberos package).  Removing the
kerberos USE flag from the build compiles the package perfectly for me.  I'll
add to that bug as well.

------- Comment #15 From Greg Tassone 2005-07-13 03:22:57 0000 -------
(In reply to comment #8)
> (In reply to comment #6)
> > BTW: Can no longer build PHP with kerberos support with 1.4.1.
> 
> It's really not very productive to moan here... 

FYI:  I only wanted to quickly let you know that it appears the new package may
be affecting more than this bug here...

------- Comment #16 From Seemant Kulleen (RETIRED) 2005-07-13 04:31:29 0000 -------
Wgi, give me a few hours to sort out samba + mit 1.4.1.  I'm sorry for your
inconvenience (I really am!).  If I'm unable to put a fix out, I'll backport the
security fixes on 1.3.6 and put out 1.3.6-r3 for you.  I'm only asking that you
bear with me for a few hours.

*** This bug has been marked as a duplicate of 98303 ***

------- Comment #17 From Wolf Giesen (RETIRED) 2005-07-13 04:50:43 0000 -------
Of course. Thanks a lot for the effort!
