Fedora has issued an advisory on February 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GK5T6JPMBHBPKS7HNGHYUUF4KKRMNSNU/ Mageia 5 is also affected. Patched packages uploaded for Mageia 6 and Cauldron. It would be nice to fix Mageia 5, but the patch for krb5 1.15.x needs to be rediffed for 1.12.x. The RedHat bug says CVE-2018-5710, but it sounds like that is fixed in this patch. Advisory: ======================== Updated krb5 packages fix security vulnerabilities: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client (CVE-2018-5710, CVE-2018-5729, CVE-2018-5730). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5710 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5730 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GK5T6JPMBHBPKS7HNGHYUUF4KKRMNSNU/ ======================== Updated packages in core/updates_testing: ======================== krb5-1.15.1-2.3.mga6 libkrb53-devel-1.15.1-2.3.mga6 libkrb53-1.15.1-2.3.mga6 krb5-server-1.15.1-2.3.mga6 krb5-server-ldap-1.15.1-2.3.mga6 krb5-workstation-1.15.1-2.3.mga6 krb5-pkinit-openssl-1.15.1-2.3.mga6 from krb5-1.15.1-2.3.mga6.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Keywords: (none) => has_procedure
Looking at this on Mageia 6 64-bit and have run into the infamous "forward and reverse DNS settings do not match" message. The wiki suggests calling for help on QA Discuss. Is that still the way to go? How difficult is it to modify the test to work across several (aka 2) computers?
CC: (none) => tarazed25
Thanks for the forwarded message David (?) One hour in and still no bind server. It would not restart after the configuration files were edited or written. After a reboot the system status looked like this. Might as well be written in Sanskrit. ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Mon 2018-02-26 17:34:01 GMT; 1min 43s ago Process: 5865 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin Feb 26 17:34:01 difda bash[5865]: zone zuba.poseidon/IN: not loaded due to errors. Feb 26 17:34:01 difda bash[5865]: _default/zuba.poseidon/IN: not at top of zone Feb 26 17:34:01 difda bash[5865]: zuba.poseidon.reverse.conf:3: SOA record not at top of zone (1.168 Feb 26 17:34:01 difda bash[5865]: zone 1.168.192.in-addr.arpa/IN: loading from master file zuba.pose Feb 26 17:34:01 difda bash[5865]: zone 1.168.192.in-addr.arpa/IN: not loaded due to errors. Feb 26 17:34:01 difda bash[5865]: _default/1.168.192.in-addr.arpa/IN: not at top of zone Feb 26 17:34:01 difda systemd[1]: named.service: Control process exited, code=exited status=1 Feb 26 17:34:01 difda systemd[1]: Failed to start Berkeley Internet Name Domain (DNS). Feb 26 17:34:01 difda systemd[1]: named.service: Unit entered failed state. Feb 26 17:34:01 difda systemd[1]: named.service: Failed with result 'exit-code'. ~ Looks like this is a career job.
With some expert help from Dave Hodgins I managed to get bind working. The named service is running fine now but returning to $ sudo ~/bin/krb5_server_setup.sh $USER returns the error message "Checking dns setup for difda Forward and reverse dsn settings for difda DO NOT MATCH!" For the purposes of this test this machine had been given a new identity so after changing the hostname to zuba.poseidon and logging out and in: $ sudo ~/bin/krb5_server_setup.sh $USER "Checking dns setup for zuba.poseidon Forward and reverse dsn settings for zuba.poseidon DO NOT MATCH!" $ dig zuba.poseidon ; <<>> DiG 9.10.6-P1 <<>> zuba.poseidon ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5350 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;zuba.poseidon. IN A ;; ANSWER SECTION: zuba.poseidon. 0 IN A 81.200.64.50 ;; Query time: 12 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Feb 27 08:05:32 GMT 2018 ;; MSG SIZE rcvd: 58 The answer section gives the address of my IP, virginmedia, and shows the router as the DNS server. That is what dig returns on all my machines.
$ nslookup mageia.com 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: Name: mageia.com Address: 184.168.221.19 $ nslookup zuba.poseidon 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 *** Can't find zuba.poseidon: No answer $ ping zuba.poseidon PING zuba.poseidon (192.168.1.103) 56(84) bytes of data. 64 bytes from zuba.poseidon (192.168.1.103): icmp_seq=1 ttl=64 time=0.053 ms 64 bytes from zuba.poseidon (192.168.1.103): icmp_seq=2 ttl=64 time=0.026 ms 64 bytes from zuba.poseidon (192.168.1.103): icmp_seq=3 ttl=64 time=0.017 ms $ nslookup 192.168.1.103 Server: 192.168.1.1 Address: 192.168.1.1#53 ** server can't find 103.1.168.192.in-addr.arpa: NXDOMAIN $ nslookup 103.1.168.192 Server: 192.168.1.1 Address: 192.168.1.1#53 ** server can't find 192.168.1.103.in-addr.arpa: NXDOMAIN
For a machine, can you change the DNS server settings to 192.168.1.103 ( named server )? Can you attach Or send email with the named configuration files ir error persists??
CC: (none) => neoser10
The files in use just now were based on those of Dave Hodgins and were successful in getting the bind/named server to start. Not sure how to change the DNS server on the machine in question. Sending the files later - have to go out right now. Thanks Len
Re comment 6: These sections were added to /etc/named.conf zone "zuba.poseidon" IN { type master; file "zuba.poseidon.zone.conf"; allow-update { none; }; }; zone "1.168.192.in-addr.arpa" IN { type master; file "zuba.poseidon.reverse.conf"; allow-update { none; }; }; Posting the /var/named config files as attachments.
Created attachment 10007 [details] reverse.conf file from /var/named/
Created attachment 10008 [details] zone.conf file from /var/named/
(In reply to Len Lawrence from comment #7) > Not sure how to change the DNS server on the machine in question. Add a line to the head file ... # head -n 3 /etc/resolvconf/resolv.conf.d/head # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 127.0.0.1 That's for the system running named. For vb guests or other systems on the same lan, replace 127.0.0.1 with the ip address of that system. Ignore the comment in the head file. It's one of the files used to create /etc/resolv.conf, which is what the system actually uses. Then run # systemctl restart resolvconf.service To confirm the localhost bind server is being used ... # dig mageia.org|grep SERVER ;; SERVER: 127.0.0.1#53(127.0.0.1)
CC: (none) => davidwhodgins
Thanks yet again. Followed those instructions: # dig mageia.org | grep SERVER ;; SERVER: 127.0.0.1#53(127.0.0.1) Restarted named.service to be on the safe side. # bin/krb5_server_setup.sh $USER Checking dns setup for zuba.poseidon Forward and reverse dsn settings for zuba.poseidon DO NOT MATCH!
The other point which puzzles me is this m6 thing. $ nslookup zuba.poseidon 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 *** Can't find zuba.poseidon: No answer [lcl@zuba ~]$ nslookup m6.zuba.poseidon 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 Name: m6.zuba.poseidon Address: 192.168.1.103 What does the m6 mean in reverse.conf? Where does it come from? Tried removing it altogether and restarting named and resolveconf. $ nslookup zuba.poseidon 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 *** Can't find zuba.poseidon: No answer $ nslookup m6.zuba.poseidon 127.0.0.1 Server: 127.0.0.1 Address: 127.0.0.1#53 Name: m6.zuba.poseidon Address: 192.168.1.103
In mcc, exactly in configure ethernet interfaces, exists the DNS server 1 and 2, only is required changes to that options and restart If are using m$, i do not know how todo I am testing your configuration files and krb to see if the same error is shown Drive.google.com/open?id=145vVnYQydujU804uuijV6Ii0iIFib00B Attached the mcc configutration
Advisory uploaded.
Keywords: (none) => advisory
Tried the suggestions in comment 14 but got nowhere. Sorry to say; having to drop this one - depending too heavily on other people's knowledge, which is not fair to them. Over to whoever.
I'll need to rewrite the instructions to make them easier to follow. In the mean time I've gone ahead and tested this on Mageia 6 x86_64. Validating the update.
Keywords: (none) => validated_updateWhiteboard: (none) => MGA6-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0155.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED