[Pkg-samba-maint] Bug#726472: Bug#726472: share passwords not working after upgrade from samba3
Andrew Bartlett
abartlet at samba.org
Wed Oct 30 20:26:43 UTC 2013

On Wed, 2013-10-30 at 10:22 +0100, Ivo De Decker wrote:
> Hi Andrew,
>
> On Wed, Oct 30, 2013 at 11:34:25AM +1300, Andrew Bartlett wrote:
> > > That'll also cause some confusion though, as those files will be in
> > > sysstatedir on debian but in privatedir on other systems...
> >
> > I'm not sure that will work either. There are really only 3 databases
> > that matter, because schannel_store.tdb will eventually regenerate
> > (client machines forced to 'log in' with a NETLOGON
> > serverAuthenticate).
> >
> > passdb.tdb, secrets.tdb, idmap2.tdb.
>
> We don't necessarily need to move them all at the same time (although moving
> only some of them would probably cause even more confusion).
>
> > passdb.tdb is what is tripping us up and got us here, but secrets.tdb
> > will cause us more pain in 'fixing' this.
> >
> > The issue is secrets.tdb must be in the same directory as secrets.ldb,
> > because we keep them in sync when secrets.ldb is updated. This allows
> > -P to work in tools no matter the code origin.
>
> Is secrets.tdb used outside of smbd? The only case I know of is smbpasswd,
> running as root, so that shouldn't be an issue. If there are no other uses
> outside smbd, there is no race condition when we move it in samba.postinst,
> because smbd won't be running.

Yes, it is. Any passdb interaction will first try to generate a domain
SID in secrets.tdb.

> As for idmap2.tdb, it seems that's only being used from winbindd, and from the
> net command, running as root. So if we move that in winbind.postinst, it
> should be fine too.

That is much more likely to be safe.

> If these assumptions are correct (can someone confirm that?), we only need to
> deal with passdb.tdb. If we can find a way to work around that race condition,
> we could do that move as well.

Could we ensure the pam module is disabled in .preinst and conditionally
re-installed in a .postinst?

Also, is this .postinst on the right package anyway? Shouldn't it be on
whatever package actually references passdb.tdb, such as samba-libs
(presumably that owns libpdb)?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz