Package: libnss-ldapd
Version: 0.6.7.1
Severity: grave
Justification: causes non-serious data loss

Hello.

I've got a problem with the libnss-ldapd package. In my environment, any (non-root) local user can break normal work of any other user.

The problem is, nss-ldapd makes strange things with case of uids. For example:

    bash$ id
    uid=NNN(sasha) gid=ZZZ(zzz) groups=...
    bash$ id SasHa
    uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
    bash$ id
    uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
    bash$ id sasha
    uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
    bash$ id
    uid=NNN(SasHa) gid=ZZZ(zzz) groups=...

So, nss now thinks that I'm SasHa, not sasha. As a result, when I run "ssh otherhost" it does not work (just because pam can't authorise SasHa, it knows only sasha). In the same way, all other Kerberos services stop working for me.

I see 2 problems here:

1. The only way to "revert" me from SasHa back to sasha is a LONG timeout or "nscd -i passwd" from root. Both ways may be unavailable.
2. ANY USER may call "id SasHa" on this machine, and the other user will get his things broken.

Looking at the changelog, I see this problem fixed in version 0.6.11:

    Changes: This release fixes a couple of bugs in the username to group
    mapping and a problem with too many uidNumber or uidNumber attributes in
    the LDAP server. Name lookups are now also case-sensitive for group,
    netgroup, passwd, protocols, RPC, services, and shadow maps.

I've tried libnss-ldapd=0.7.1 (sources from sid, compiled on lenny) and it works perfectly.

It would be nice to get this problem fixed in the next stable update.

Thank you for your work,
Alexandra.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser         3.110                     add and remove users and groups
ii  debconf [debcon 1.5.24                    Debian configuration management sy
ii  libc6           2.7-18                    GNU C Library: Shared libraries
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1  MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                  OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1    Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap     184-4.2                   Pluggable Authentication Module fo
ii  nscd            2.7-18                    GNU C Library: Name Service Cache

libnss-ldapd suggests no packages.

-- debconf information:
* libnss-ldapd/ldap-base: dc=oktetlabs,dc=ru
* libnss-ldapd/nsswitch: passwd, group, shadow
* libnss-ldapd/ldap-binddn:
* libnss-ldapd/ldap-uris: ldap://ldap.oktetlabs.ru/ ldap://ldaps.oktetlabs.ru/
  libnss-ldapd/clean_nsswitch: false

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: sa...@oktetlabs.ru
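
A regression check for the behaviour reported above, written as an added example (it is not part of the original report and not nss-ldapd code). It classifies how name lookups treat a re-cased spelling of a known account; FakeNSS, Pw and the uid 1000 are constructed stand-ins that reproduce only the symptom the check looks for, not the internals of nslcd or nscd. Against the real pwd functions, use a test host, because the probe lookup is the same kind of lookup as the "id SasHa" call in the report.

```python
import pwd
from collections import namedtuple

Pw = namedtuple("Pw", "pw_name pw_uid")  # minimal passwd record for the fake

def swap_case_variant(name):
    """Return a differently-cased spelling of name, e.g. sasha -> SASHA."""
    variant = name.swapcase()
    if variant == name:
        raise ValueError("name has no letters to re-case")
    return variant

def check_case_handling(name, getpwnam=pwd.getpwnam, getpwuid=pwd.getpwuid):
    """Classify how name lookups treat a re-cased spelling of `name`.

    `name` must be the spelling stored in the directory.
    """
    uid = getpwnam(name).pw_uid  # KeyError here: account unknown
    try:
        probe = getpwnam(swap_case_variant(name))
    except KeyError:
        return "case-sensitive"  # re-cased spelling is rejected
    if probe.pw_uid != uid:
        return "case-sensitive"  # a genuinely different account
    # A different spelling resolved to the same uid; see what uid -> name says now.
    if getpwuid(uid).pw_name != name:
        return "cache-poisoned"  # the symptom described in the report
    return "case-insensitive"

class FakeNSS:
    """Constructed stand-in for the lookup stack (assumption, offline use only)."""
    def __init__(self, users, strict):
        self.users, self.strict, self.by_uid = users, strict, {}

    def getpwnam(self, name):
        for real, uid in self.users.items():
            if name == real or (not self.strict and name.lower() == real.lower()):
                self.by_uid[uid] = Pw(name, uid)  # echoes the requested spelling
                return self.by_uid[uid]
        raise KeyError(name)

    def getpwuid(self, uid):
        return self.by_uid[uid]  # KeyError if never looked up by name

if __name__ == "__main__":
    for strict in (False, True):
        fake = FakeNSS({"sasha": 1000}, strict)
        print(strict, check_case_handling("sasha", fake.getpwnam, fake.getpwuid))
```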