On Wed, 2013-10-30 at 10:22 +0100, Ivo De Decker wrote:
> Hi Andrew,
>
> On Wed, Oct 30, 2013 at 11:34:25AM +1300, Andrew Bartlett wrote:
> > > That'll also cause some confusion though, as those files will be in
> > > sysstatedir on debian but in privatedir on other systems...
> >
> > I'm not sure that will work either. There are really only 3 databases
> > that matter, because schannel_store.tdb will eventually regenerate
> > (client machines forced to 'log in' with a NETLOGON
> > serverAuthenticate).
> >
> > passdb.tdb, secrets.tdb, idmap2.tdb.
>
> We don't necessarily need to move them all at the same time (although moving
> only some of them would probably cause even more confusion).
>
> > passdb.tdb is what is tripping us up and got us here, but secrets.tdb
> > will cause us more pain in 'fixing' this.
> >
> > The issue is secrets.tdb must be in the same directory as secrets.ldb,
> > because we keep them in sync when secrets.ldb is updated. This allows
> > -P to work in tools no matter the code origin.
>
> Is secrets.tdb used outside of smbd? The only case I know of is smbpasswd,
> running as root, so that shouldn't be an issue. If there are no other uses
> outside smbd, there is no race condition when we move it in samba.postinst,
> because smbd won't be running.

Yes, it is. Any passdb interaction will first try to generate a domain
SID in secrets.tdb.

> As for idmap2.tdb, it seems that's only being used from winbindd, and from the
> net command, running as root. So if we move that in winbind.postinst, it
> should be fine too.

That is much more likely to be safe.

> If these assumptions are correct (can someone confirm that?), we only need to
> deal with passdb.tdb. If we can find a way to work around that race condition,
> we could do that move as well.

Could we ensure the pam module is disabled in .preinst and conditionally
re-installed in a .postinst?

Also, is this .postinst on the right package anyway? Shouldn't it be on
whatever package actually references passdb.tdb, such as samba-libs
(presumably that owns libpdb)?

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz