[Pkg-samba-maint] Bug#649265: winbind: add wins to nsswitch.conf

Steve Langasek vorlon at debian.org
Mon Nov 21 16:13:48 UTC 2011

On Sun, Nov 20, 2011 at 06:09:22PM +0900, Osamu Aoki wrote:
> On Sat, Nov 19, 2011 at 11:36:52AM -0800, Steve Langasek wrote:

> > The current mechanism used by libnss-mdns for updating /etc/nsswitch.conf is
> > not policy-compliant. 

> Is it?

> Actually, I initially thought it was not policy-compliant without
> looking into the facts.  But /etc/nsswitch.conf does not look like a conffile.
> It is a file generated by base-files.postinst.  So, as long as
> base-files and libnss-mdns maintainers coordinate with each other, I see
> no problem in terms of policy.

a) they don't coordinate
b) this config file is initially populated by base-files, but it's
configuration for libc, not for base-files, and there's no coordination
being done with glibc
c) the policy requirement is not just that they coordinate, but that they
use a *standard programmatic interface* for updating the config file:

     If it is desirable for two or more related packages to share a
     configuration file _and_ for all of the related packages to be able to
     modify that configuration file, then the following should be done:
     1.   One of the related packages (the "owning" package) will manage
          the configuration file with maintainer scripts as described in
          the previous section.
     2.   The owning package should also provide a program that the other
          packages may use to modify the configuration file.
     3.   The related packages must use the provided program to make any
          desired modifications to the configuration file.  They should
          either depend on the core package to guarantee that the
          configuration modifier program is available or accept gracefully
          that they cannot modify the configuration file if it is not.
          (This is in addition to the fact that the configuration file may
          not even be present in the latter scenario.)

d) the current semantics of libnss-mdns are not at all scalable and need
some serious reworking before they could be made a standard process.

> > but I won't perpetuate the
> > policy-violating modification of another package's config file.

> user and group management via the libpam-winbind package in a Windows
> dominated world still seems a good idea.

Yes, and we already integrate with PAM and would gladly integrate with
nsswitch - but more infrastructure is needed first.

On Mon, Nov 21, 2011 at 07:06:08AM +0100, Christian PERRIER wrote:

> Oh, doh. Shouldn't it be a conffile anyway?

Absolutely not!

> As a local admin, I would hate seeing my carefully crafted nsswitch.conf
> file broken by packages' updates just because "it is policy-compliant as
> this is not a conffile".

The fact that you intend to "carefully craft" it is proof that it should not
be a conffile.  Files should only be marked conffiles if in the vast
majority of cases the file will not need to be changed (by either the
package maintainer or the admin).

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
