[Pkg-samba-maint] Bug#833287: samba: Upgrading samba with winbind in nsswitch.conf can harm entire OS
Eric Desrochers
eric.desrochers at canonical.com
Tue Aug 2 14:19:20 UTC 2016
Package: samba
Severity: normal
Dear Maintainer,
Upgrading samba when using winbind as NSS service can break OS. Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf. Huge impact due to big version different between winbind and libraries.
The upgrade doesn't complete and segfault.
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
$ sudo apt-get update
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version.
We believe the problem is due to a lack of sane ABI versioning on "samba-libs" and, thus, incorrectly weak deps between libnss-winbind and samba-libs.
The more robust solution might just be for libnss-winbind and libpam-winbind to be statically linked to samba-libs.
-- System Information:
Debian Release: 8.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-17-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
More information about the Pkg-samba-maint
mailing list