[Pkg-freeipa-devel] Bug#1016126: freeipa-server required libndr.so.1 and it's present only on Debian stable version

Michael Tokarev mjt at tls.msk.ru
Sat Aug 3 15:57:28 BST 2024


On Wed, 27 Jul 2022 16:30:20 +0000 Lucas Castro <lucas at gnuabordo.com.br> wrote:
> Package: freeipa-server
> Version: 4.9.8-1+exp1
> Severity: grave
> Justification: renders package unusable
> X-Debbugs-Cc: lucas at gnuabordo.com.br
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
> 
> I tried to install freeipa-server just for testing environment.
> The environment is Debian fresh installation in lxc container.
> 
> Installation ends up with an error when it tries to create the REALM
> kdb5_util: Unable to load requested database module 'ipadb.so': plugin symbol 'kdb_function_table' not found while creating database '/var/lib/krb5kdc/principal'
> 
> So I investigated the library required by ipadb.so 
> ldd /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/ipadb.so
>  it's noticed libndr.so.1 is required and not present. 
>  The required library is present by samba-libs on Debian bullseye, the
>  stable version by now. 
> 
>  Unstable and Sid version install libndr.so.2 in turn. 

This is an old issue.

libndr comes from samba, and there, it is NOT a public library.

However, several packages started using it, notably freeipa and sssd.
I knew about sssd, but didn't know about freeipa.

In Debian bookworm, libndr was just one of many libraries in samba-libs
package.  Upstream freely bumps soname of this library.  And we never
noticed such updates, - when you build package with libndr from
bookworm, its dependency records "samba-libs (>= bookworm-version)",
which is obviously satisfiable with samba-libs from trixie with
libndr.so.2 or .3, - which is obviously wrong, since the package
needs libndr.so.1.

Later, with more recent samba versions, I made it more or less separate,
so if a package actually uses libndr, it gets recorded the correct
dependency.  And a more recent samba might break such package, requiring
it to be rebuilt.

So today, just a rebuild of freeipa with current samba-libs (samba-dev)
will get the dependencies correctly.  However, I can't retrospectively
rebuild freeipa in bookworm with correct deps (esp. since samba in
bookworm won't generate these deps anyway).

I guess I can add Breaks: freeipa (<= bookworm) to more recent samba-libs
to fix this.

/mjt
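
An added example, not part of the original message or of either package: a shell check that compares the sonames a plugin such as ipadb.so needs against what the loader cache offers, which catches the libndr.so.1 versus libndr.so.2 mismatch that a "samba-libs (>= ...)" dependency cannot express. The function names and the sample data are constructed; the live check assumes binutils `readelf` and `/sbin/ldconfig`.

```shell
#!/bin/sh
# Added example (not from the original message). Sample data is constructed.

# Sonames listed as NEEDED in `readelf -d` output read from stdin.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# Sonames the loader cache knows, from `ldconfig -p` output read from stdin.
cached_sonames() {
    awk '/=>/ { print $1 }'
}

# $1 = `readelf -d` text, $2 = `ldconfig -p` text.
# Prints every needed soname that has no exact match in the cache.
missing_sonames() {
    cache=$(printf '%s\n' "$2" | cached_sonames)
    printf '%s\n' "$1" | needed_sonames | while read -r so; do
        printf '%s\n' "$cache" | grep -qxF -- "$so" || printf '%s\n' "$so"
    done
}

# Live check of one object, e.g. the ipadb.so path from the report.
# Libraries reached only through RUNPATH/RPATH are not in the cache
# and will be reported as well.
check_object() {
    missing_sonames "$(readelf -d "$1")" "$(/sbin/ldconfig -p)"
}

# Constructed: a plugin built against libndr.so.1 ...
SAMPLE_DYN=' 0x0000000000000001 (NEEDED)  Shared library: [libkrb5.so.3]
 0x0000000000000001 (NEEDED)  Shared library: [libndr.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
# ... on a system whose samba-libs ships libndr.so.2.
SAMPLE_CACHE='3 libs found in cache
    libndr.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libndr.so.2
    libkrb5.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libkrb5.so.3
    libc.so.6 (libc6,x86-64) => /lib/x86_64-linux-gnu/libc.so.6'

# Package dependencies were satisfied, yet the loader cannot resolve this:
missing_sonames "$SAMPLE_DYN" "$SAMPLE_CACHE"   # prints libndr.so.1
```

Run over every plugin directory after a samba-libs upgrade, this flags objects that need a rebuild before a service fails to load them.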


