(Debian Maintainer here)
If no one comes with a good reason to have winbind listed before compat
(or before files) in nsswitch.conf, I'll add a mandatory check for this
during install or upgrade of libwbclient0 and libnss-winbind.
NB: Maybe this bug should be reopened as the proposed fix was
I have a zesty VM and /tmp is not even in a different mountpoint: it's
part of /. Did you partition your machine manually and mounted /tmp with
noexec?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
I have a zesty VM and /tmp is not even in a different mountpoint: it's
part of /. Did you partition your machine manually and mounted /tmp with
noexec?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Note that when I updated Ubuntu 17.04 to the package referenced by this
bug, it gave an error during install, due to the fact that /tmp is
mounted as noexec in ubuntu 17.04:
Preconfiguring packages ...
Can't exec "/tmp/samba-common.config.YEmyIi": Permission denied at
Marking as incomplete because of comment #43
** Changed in: samba (Ubuntu)
Status: Triaged => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Reopened the artful (devel) task, as the patch was reverted in 2:4.5.8
+dfsg-2ubuntu2
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security
Marking as incomplete because of comment #43
** Changed in: samba (Ubuntu)
Status: Triaged => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to
Revised fix-1584485.patch that includes a missing library in the static
build to fix bug #1677329. Patch submitted upstream to samba-technical
awaiting feedback.
** Patch added: "fix-1584485-take2.patch"
Reopened the artful (devel) task, as the patch was reverted in 2:4.5.8
+dfsg-2ubuntu2
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together
Revised fix-1584485.patch that includes a missing library in the static
build to fix bug #1677329. Patch submitted upstream to samba-technical
awaiting feedback.
** Patch added: "fix-1584485-take2.patch"
The patch was reverted in artful, and will be reverted for the other
affected releases because of the regression it introduced: bug #1677329,
bug #1644428
Feedback from upstream was requested: https://lists.samba.org/archive
/samba-technical/2017-June/121139.html
--
You received this bug
The patch was reverted in artful, and will be reverted for the other
affected releases because of the regression it introduced: bug #1677329,
bug #1644428
Feedback from upstream was requested: https://lists.samba.org/archive
/samba-technical/2017-June/121139.html
--
You received this bug
I can confirm the problem reported originally in this bug (all those
segfaults after the upgrade) only happen if you have winbind listed
first, ahead of files or compat.
Any particular reason why that order was chosen? There will for sure be
a "blip" in the winbind service during the upgrade, and
I can confirm the problem reported originally in this bug (all those
segfaults after the upgrade) only happen if you have winbind listed
first, ahead of files or compat.
Any particular reason why that order was chosen? There will for sure be
a "blip" in the winbind service during the upgrade, and
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.4
---
samba (2:4.3.11+dfsg-0ubuntu0.14.04.4) trusty-security; urgency=medium
* SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
- debian/patches/CVE-2016-2123.patch: check lengths in
The xenial package for libpam-winbind from -proposed is broken as well.
So I recommend stopping it before it gets to -updates (or whatever).
I will not check the package for yaketty, but I don't see why it should
be working when trusty and xenial are broken.
Is there anything I can do to help
** Attachment added: "/var/log/samba/log.wb-MYAD"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783094/+files/log.wb-MYAD
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment added: "/var/log/samba/log.winbindd"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783093/+files/log.winbindd
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Here is the relevant part from auth.log, which imho has a misleading
error message.
** Attachment added: "/var/log/auth.log"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783092/+files/auth.log
--
You received this bug notification because you are a member of
** Attachment added: "/etc/nsswitch.conf"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783062/+files/nsswitch.conf
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Our setup is the following:
- The ubuntu client is joined to a MS-AD-Domain (called 'MYAD' here)
- Users from the domain can log via winbind using their domain credentials
- Winbind is set up to use cached logins (which I think is irrelevant here)
- nsswitch uses compat first, winbind then
I will
** Attachment added: "/etc/pam.d/common-password"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783048/+files/common-password
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment added: "/etc/pam.d/common-session"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783046/+files/common-session
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment added: "/etc/pam.d/common-auth"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783044/+files/common-auth
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment added: "/etc/pam.d/common-account"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783045/+files/common-account
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Attachment added: "/etc/security/pam_winbind.conf"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783043/+files/pam_winbind.conf
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
- [Test Case]
+ [Test Case 1]
+
+
I have not had the time yet to check the libpam-winbind module in
xenial. But since the patch looks identical from the first look, You
might want to delay it's migration from -proposed until someone has
checked that the module is still working.
I'll try to find time for this tomorrow, but it's
Reopening for trusty as the change was reverted in bug 1644428.
** Changed in: samba (Ubuntu Trusty)
Status: Fix Released => In Progress
** Tags removed: verification-done-trusty
** Tags added: verification-failed
** Tags removed: verification-needed
--
You received this bug
@euhus-liste1, @ian-gordon,
- Could you please describe the error that you are experiencing (provide
logs, your configuration, etc) in order to replicate the issue?
Thanks.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Hello,
this change breaks PAM authentification via libpam-winbind completely in
trusty. I have just checked it with a fresh install.
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428
Have you tried using libpam-winbind after making this change?
Regards,
Robert Euhus
--
You
With version 2:4.3.11+dfsg-0ubuntu0.14.04.2 installed libpam-winbind no longer
talks to winbind
This means all authentication which involves PAM is failing for us. I have
reverted to 2:4.3.11+dfsg-0ubuntu0.14.04.1 temporarily.
Is there anything I can do to help you debug this problem?
--
You
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.2
---
samba (2:4.3.11+dfsg-0ubuntu0.14.04.2) trusty; urgency=medium
* d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
to be statically linked fixes LP: #1584485.
* d/rules: Compile
OK, I have verified that the trusty-proposed version fixes the reported
issue.
The steps ran for verification:
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in
/etc/apt/sources.list
4) sudo
Hello Rafael, or anyone else affected,
Accepted samba into trusty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-
0ubuntu0.14.04.2 in a few hours, and then in the -proposed repository.
Please help us by testing this new package.
Hello Rafael, or anyone else affected,
Accepted samba into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-
0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.
Please help us by testing this new package.
Hello Rafael, or anyone else affected,
Accepted samba into yakkety-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/samba/2:4.4.5+dfsg-
2ubuntu5.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu6
---
samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high
* d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
to be statically linked fixes LP: #1584485.
* d/rules: Compile winbindd/winbindd statically.
** Changed in: samba (Debian)
Status: Unknown => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
** Also affects: samba (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
** Patch added: "Xenial Patch for 1584485"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763313/+files/fix-1584485-xenial.debdiff
** Patch removed: "trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff"
** No longer affects: samba (Ubuntu Precise)
** Changed in: samba (Ubuntu Xenial)
Status: New => In Progress
** Changed in: samba (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: samba (Ubuntu Xenial)
Assignee: (unassigned) => Jorge Niedbalski (niedbalski)
** Patch
Hello,
I've modified the building scripts for compiling libnss-winbind and
libpam-winbind statically against the samba-libs as was suggested by
@infinity.
This fix seems to resolve the issue reported on this bug, and the reproducer is
not
longer experienced.
With the patch applied:
** Also affects: samba (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: samba (Ubuntu Yakkety)
** Description changed:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
- * Comment #1 (to
Debian Bug :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287
** Bug watch added: Debian Bug tracker #833287
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: samba (Ubuntu)
Assignee: Rafael David Tinoco (inaddy) => Louis Bouchard (louis-bouchard)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest
Unsubscribing sponsors until a more viable approach appears. Good luck!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind
[12:50] tinoco: The "disable in samba-libs preinst, reenable in
samba-libs postinst" approach would also work, but it's (a) potentially very
brittle, and (b) likely next to impossible to do for pam-winbind (which
probably suffers the same issue as nss-winbind).
[12:51] infinity: my hope was
[12:43] tinoco: pam-winbind and nss-winbind.
[12:43] tinoco: perhaps file a debian bug also?
[12:44] definitely. the proposal was to bring the discussion only
[12:44] tinoco: Only statically linked to samba-libs, of course.
You still want to be dynamically linked to any properly-versioned
I don't believe the debdiffs provide a valid solution to this issue.
Here is an irc discussion with infinity where he presented a better
solution:
infinity: I'd appreciate your thoughts on the best way to address
bug 1584485
infinity: that approach doesn't look sane to me, do you have any
This isn't a security regression, it's a samba package upgrade issue
that also applies for regular updates. I believe this should be handled
as a SRU.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
unsubscribing the normal sponsors since that should go through security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
To manage
** Changed in: samba (Ubuntu)
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
** Patch added: "wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669816/+files/wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Patch added: "trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669815/+files/trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Patch added: "yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669818/+files/yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff
** Description changed:
+ [Impact]
+
+ * Upgrading samba when using winbind as NSS can lead to
** Patch added: "xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff"
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669817/+files/xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
According to document:
https://wiki.debian.org/MaintainerScripts
I added constrains on letting upgrade to happen for:
libnss-winbind
libpam-winbind
libwbclient0
samba-dsdb-modules
samba-libs
samba
winbind
When winbind is enabled in either /etc/nsswitch.conf or in /etc/pam.d/*
files.
So,
$ sudo apt-get --only-upgrade install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
Use 'apt-get autoremove' to
After upgrade process fails, all programs executing libc functions
depending on NSS will fail:
inaddy@workstation:~/bugs/winbindsegfault/crashes$ ls -ltr
total 1024
-rw--- 1 inaddy inaddy 52309 May 21 20:06 winbind.0.crash
-rw--- 1 inaddy inaddy 52717 May 21 20:06
A mechanism to remove winbind from /etc/nsswitch.conf before samba
upgrades (since libnss-winbind is kept apart from packages "samba" and
"samba-libs"), OR to fail the upgrade if winbind is being used, should
exist to prevent such a bad thing to happen.
--
You received this bug notification
## state
inaddy@winbindsegfault:~$ dpkg -l | grep -i samba
iU libnss-winbind:amd64
2:4.3.9+dfsg-0ubuntu0.14.04.1amd64Samba nameservice integration
plugins
ii libwbclient0:amd64
2:4.1.6+dfsg-1ubuntu2.14.04.13
64 matches
Mail list logo
