[Pkg-samba-maint] Bug#833287: samba: Upgrading samba with winbind in nsswitch.conf can harm entire OS

Eric Desrochers eric.desrochers at canonical.com
Tue Aug 2 14:19:20 UTC 2016

Package: samba
Severity: normal

Dear Maintainer,

Upgrading samba when using winbind as NSS service can break OS. Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. Huge impact due to big version different between winbind and libraries.
The upgrade doesn't complete and segfault.

How to reproduce easily:

$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat

(winbind is usually used after compat, in this case it was used before)

$ sudo apt-get update


DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version.

We believe the problem is due to a lack of sane ABI versioning on "samba-libs" and, thus, incorrectly weak deps between libnss-winbind and samba-libs.
The more robust solution might just be for libnss-winbind and libpam-winbind to be statically linked to samba-libs.

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-17-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

More information about the Pkg-samba-maint mailing list