Bug#833287: samba: Upgrading samba with winbind in nsswitch.conf can harm entire OS
Eric Desrochers
Aug 2, 2016, 10:30:04 AM
Package: samba
Severity: normal
Dear Maintainer,
Upgrading samba when using winbind as NSS service can break the OS. Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. Huge impact due to big version difference between winbind and libraries.
The upgrade doesn't complete and segfaults.
(winbind is usually used after compat, in this case it was used before)
$ sudo apt-get update
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version.
We believe the problem is due to a lack of sane ABI versioning on "samba-libs" and, thus, incorrectly weak deps between libnss-winbind and samba-libs.
The more robust solution might just be for libnss-winbind and libpam-winbind to be statically linked to samba-libs.
Kernel: Linux 4.2.0-17-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Mathieu Parent
Apr 10, 2018, 3:30:03 PM
Hi,
If no one comes with a good reason to have winbind listed before
compat (or before files) in nsswitch.conf, I'll add a mandatory check
for this during install or upgrade of libwbclient0 and libnss-winbind.
Regards
--
Mathieu Parent
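A sketch of the kind of ordering check proposed above, as an added example that is not part of the thread or of the Debian packaging. The function name `check_winbind_order` and the sample input are constructed for illustration; it flags any NSS database where winbind is not preceded by files or compat.

```shell
#!/bin/sh
# Added example, not Debian's maintainer-script code.
# Reads an nsswitch.conf (path, or "-" for stdin) and prints one line per
# database whose first "winbind" entry comes before any "files"/"compat"
# entry, or that lists winbind with no local source at all.
# Returns 1 if anything was flagged, 0 otherwise.
check_winbind_order() {
    conf="${1:-/etc/nsswitch.conf}"
    awk '
        {
            sub(/#.*/, "")                       # drop comments
            sub(/:/, ": ")                       # tolerate "passwd:compat"
            if ($0 !~ /^[ \t]*[a-z_]+:/) next    # not a database line
            db = $1; sub(/:$/, "", db)
            wb = 0; loc = 0
            # Action items such as [NOTFOUND=return] never equal a
            # service name, so they are ignored by the comparisons below.
            for (i = 2; i <= NF; i++) {
                if ($i == "winbind" && !wb) wb = i
                if (($i == "files" || $i == "compat") && !loc) loc = i
            }
            if (wb && (!loc || wb < loc)) {
                printf "%s: winbind is not preceded by files/compat\n", db
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$conf"
}

# Constructed sample input (not taken from the bug report).
sample_bad='passwd:  winbind compat
group:   compat winbind
shadow:  compat
hosts:   files dns   # winbind not used here'

printf '%s\n' "$sample_bad" | check_winbind_order - \
    || echo "fix the ordering before upgrading samba"
```
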
Andrew Bartlett
Oct 23, 2022, 4:40:04 PM
This is a much harder bug to solve properly than it looks, but once
solved properly we should have proper static plugins that won't fail
during upgrades as they will be self-contained.