[Pkg-samba-maint] Bug#1109448: unblock: samba/2:4.22.3+dfsg-4
Michael Tokarev
mjt at tls.msk.ru
Fri Jul 18 09:05:54 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: samba at packages.debian.org
Control: affects -1 + src:samba
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package samba
[ Reason ]
There are several changes in this debian release,
a few minor packaging fixes, a bugfix from upstream for
#1109005, and a long-forgotten fix for another issue,
which I wasn't aware of until very recently (when it
hit our setup), - #907318.
While I've no single doubt about the other changes, -
these should go in for trixie, I'm a bit uncertain about
the #907318 fix - it changes pam config for winbind (for
domain logons) to - finally - include pam-winbind in the
account section. While it works fine in our setup (where
accounting was missing for years), and while exactly the
same setup is done in sssd package (an alternative login
mechanism for active directory users), there might be some
yet unknown surprize still, which is not a good thing to
have this late in the release cycle.
Yet I think this change is worth the effort to have in
trixie (finally!).
[ Impact ]
The bugfix for #1109005 should definitely go in, without
it, a multi-site Active Directory setup is unreliable and
winbind doesn't really work if a remote site becomes
unreachable (which isn't an uncommon thing).
[ Tests ]
This release passes all the usual testing, which is not
a surprize having in mind the changes in there - which are
minor packaging fixes and a bugfix from upstream. For the
fix for #907318, - I verified it works as intended in our
setup, and I also tried a few different setups to see how
it works in other conditions, - all is working fine so far.
[ Risks ]
The only possible risky situation is with the pam-winbind
fix (#907318). However, having in mind I tested this change
in several different scenarious, and other distributions use
pam-winbind in a similar (to the new variant) way, there
should be no surprizes here.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
The "other minor packaging changes", strictly speaking,
are not exactly mandatory, - they're fixing small defects
which don't have much effect on the functionality of the
package, just makes it look less nice, so to say. Here's
a break-down for each change:
+ * d/python3-talloc.symbols.in: add forgotten epoch number for recent versions
+ (this doesn't actually affect anything since there were no new symbols with
+ these versions, but it's better to stay correct)
When introducing python3-talloc.symbols, I forgot that the recent
versions has epoch (2:). This fixes it just to match the reality,
but since there were no actual symbols introduced with these versions
of the library, this does not actually affect anything besides making
the .symbols file correct.
+ * fix python3-talloc.symbols generation to not have -debian_revision
+ or +dfsg/+samba suffix in the version number - just the epoch if any
+ and the upstream version (fix lintian error)
Another fix for python3-talloc.symbols, - wrong version number is used
for the main library version symbol. It only affects lintian (who gives
error for this).
+ * d/control: fix winbind:Enhances for libkrb5-26-heimdal which
+ is libkrb5-26t64-heimdal in trixie and up, keeping in mind possible
+ backporting to older debian/ubuntu versions (before-trixie build profile)
winbind package had Enhances: libkrb5-26-heimdal instead of the renamed
libkrb5-26t64-heimdal. It is just Enhances field, but yet it's better to
fix it. The fix is done in a way to help me with back-porting this package
to previous versions of debian (based on before-trixie build profile).
The result for trixie is just the correct libkrb5-26t64-heimdal package is
listed in Ehnances: field.
+ * debian/panic-action: make the wording more user-friendly and steer users
+ towards configuration and logs (Closes: #1089853)
Just some rewording in the script which is invoked when samba is panicking,
give a bit better idea to the user about what's going on. It come to my
attention because of a bug (#1089853) where the user interpreted a samba
panic (which was result of misconfiguration) as a bug in samba, which
actually it is not.
There's no impact of this change on regular samba operations, but in case of
any trouble, the user will have slightly better idea about what's going on.
So, all the "minor" packaging changes are really minor, there's much more
text in here describing each change than each change is worth :) But all
them makes the package just a bit better.
The debdiff is below.
Thanks,
/mjt
unblock samba/2:4.22.3+dfsg-4
diff -Nru samba-4.22.3+dfsg/debian/changelog samba-4.22.3+dfsg/debian/changelog
--- samba-4.22.3+dfsg/debian/changelog 2025-07-09 17:08:31.000000000 +0300
+++ samba-4.22.3+dfsg/debian/changelog 2025-07-17 13:52:35.000000000 +0300
@@ -1,3 +1,34 @@
+samba (2:4.22.3+dfsg-4) unstable; urgency=medium
+
+ * fix python3-talloc.symbols generation to not have -debian_revision
+ or +dfsg/+samba suffix in the version number - just the epoch if any
+ and the upstream version (fix lintian error)
+
+ -- Michael Tokarev <mjt at tls.msk.ru> Thu, 17 Jul 2025 13:52:35 +0300
+
+samba (2:4.22.3+dfsg-3) unstable; urgency=medium
+
+ [ Sascha Lucas ]
+ * winbind pam-config: fix account section to actually execute pam_winbind
+ entries after usually successful cal to pam_unix, in a way how it's done
+ in sssd (Closes: #907318)
+
+ [ Douglas Bagnall ]
+ * debian/panic-action: make the wording more user-friendly and steer users
+ towards configuration and logs (Closes: #1089853)
+
+ [ Michael Tokarev ]
+ * d/python3-talloc.symbols.in: add forgotten epoch number for recent versions
+ (this doesn't actually affect anything since there were no new symbols with
+ these versions, but it's better to stay correct)
+ * d/control: fix winbind:Enhances for libkrb5-26-heimdal which
+ is libkrb5-26t64-heimdal in trixie and up, keeping in mind possible
+ backporting to older debian/ubuntu versions (before-trixie build profile)
+ * libads-fix-get_kdc_ip_string.patch (upstream fix for #1109005)
+ (Closes: #1109005)
+
+ -- Michael Tokarev <mjt at tls.msk.ru> Tue, 15 Jul 2025 12:42:04 +0300
+
samba (2:4.22.3+dfsg-2) unstable; urgency=medium
* Revert "d/control,d/rules: ensure we use the most recent talloc/tevent/tdb"
diff -Nru samba-4.22.3+dfsg/debian/control samba-4.22.3+dfsg/debian/control
--- samba-4.22.3+dfsg/debian/control 2025-07-09 17:08:03.000000000 +0300
+++ samba-4.22.3+dfsg/debian/control 2025-07-13 12:43:43.000000000 +0300
@@ -478,7 +478,9 @@
passwd,
${misc:Depends},
${shlibs:Depends}
-Enhances: libkrb5-26-heimdal <!pkg.samba.mitkrb5>
+Enhances:
+ libkrb5-26t64-heimdal <!pkg.samba.mitkrb5 !pkg.samba.before-trixie>,
+ libkrb5-26-heimdal <!pkg.samba.mitkrb5 pkg.samba.before-trixie>,
Suggests: libnss-winbind, libpam-winbind
# 4.16.6+dfsg-5 idmap_{script,rfc2307}.8 moved samba{,-libs} => winbind
Breaks: samba (<< 2:4.16.6+dfsg-5~), samba-libs (<< 2:4.16.6+dfsg-5~),
diff -Nru samba-4.22.3+dfsg/debian/panic-action samba-4.22.3+dfsg/debian/panic-action
--- samba-4.22.3+dfsg/debian/panic-action 2025-07-09 16:54:43.000000000 +0300
+++ samba-4.22.3+dfsg/debian/panic-action 2025-07-13 12:43:43.000000000 +0300
@@ -24,12 +24,14 @@
echo "was called for PID $1 ($BINARYNAME)."
echo
- echo "This means there was a problem with the program, such as a segfault."
+ echo "This means the program found itself in a state from which it could not continue."
+ echo "It could be caused by misconfiguration, a segfault, memory allocation failure,"
+ echo "data corruption, or some other problem."
if [ -z "$BINARYNAME" ]; then
echo "However, the executable could not be found for process $1."
- echo "It may have died unexpectedly, or you may not have permission to debug"
- echo "the process."
+ echo "It may have died unexpectedly, or this script may not have permission to"
+ echo "debug the process."
exit 1
fi
@@ -43,7 +45,7 @@
echo "Below is a backtrace for this process generated with gdb, which shows"
echo "the state of the program at the time the error occurred. The Samba log"
- echo "files may contain additional information about the problem."
+ echo "files should contain additional information about the problem."
echo
echo "If the problem persists, you are encouraged to first install the"
echo "samba-dbgsym package, which contains the debugging symbols for the Samba"
diff -Nru samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch
--- samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch 1970-01-01 03:00:00.000000000 +0300
+++ samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch 2025-07-15 12:41:14.000000000 +0300
@@ -0,0 +1,36 @@
+From: Ralph Boehme <slow at samba.org>
+Date: Fri, 4 Jul 2025 17:50:40 +0200
+Subject: libads: fix get_kdc_ip_string() ...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/1109005
+Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/88572cc8f629a737a1d5b33d5800f3692895233f
+Forwarded: not-needed
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15881
+
+Signed-off-by: Ralph Boehme <slow at samba.org>
+Reviewed-by: Guenther Deschner <gd at samba.org>
+
+Autobuild-User(master): Günther Deschner <gd at samba.org>
+Autobuild-Date(master): Mon Jul 7 16:46:29 UTC 2025 on atb-devel-224
+---
+ source3/libads/kerberos.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 75803500d31..145bc36cdb2 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -1230,6 +1230,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("netlogon_pings failed: %s\n", nt_errstr(status));
++ result = talloc_move(mem_ctx, &kdc_str);
+ goto out;
+ }
+
+--
+2.47.2
+
diff -Nru samba-4.22.3+dfsg/debian/patches/series samba-4.22.3+dfsg/debian/patches/series
--- samba-4.22.3+dfsg/debian/patches/series 2025-07-09 17:03:44.000000000 +0300
+++ samba-4.22.3+dfsg/debian/patches/series 2025-07-15 12:41:14.000000000 +0300
@@ -24,3 +24,4 @@
revert-ldb-use-hexchars_upper-from-replace.h.patch
replace-xpg-strerror.patch
add-support-for-bind-9.20.patch
+libads-fix-get_kdc_ip_string.patch
diff -Nru samba-4.22.3+dfsg/debian/python3-talloc.symbols.in samba-4.22.3+dfsg/debian/python3-talloc.symbols.in
--- samba-4.22.3+dfsg/debian/python3-talloc.symbols.in 2025-07-09 17:08:04.000000000 +0300
+++ samba-4.22.3+dfsg/debian/python3-talloc.symbols.in 2025-07-13 12:43:43.000000000 +0300
@@ -29,8 +29,8 @@
PYTALLOC_UTIL_2.3.5 at PYTALLOC_UTIL_2.3.5 2.3.5
PYTALLOC_UTIL_2.4.0 at PYTALLOC_UTIL_2.4.0 2.4.0
PYTALLOC_UTIL_2.4.1 at PYTALLOC_UTIL_2.4.1 2.4.1
- PYTALLOC_UTIL_2.4.2 at PYTALLOC_UTIL_2.4.2 2.4.2
- PYTALLOC_UTIL_2.4.3 at PYTALLOC_UTIL_2.4.3 2.4.3
+ PYTALLOC_UTIL_2.4.2 at PYTALLOC_UTIL_2.4.2 2:2.4.2
+ PYTALLOC_UTIL_2.4.3 at PYTALLOC_UTIL_2.4.3 2:2.4.3
_pytalloc_check_type at PYTALLOC_UTIL_2.1.9 2.1.9
_pytalloc_get_mem_ctx at PYTALLOC_UTIL_2.1.6 2.1.6
_pytalloc_get_name at PYTALLOC_UTIL_2.3.0 2.3.0
diff -Nru samba-4.22.3+dfsg/debian/rules samba-4.22.3+dfsg/debian/rules
--- samba-4.22.3+dfsg/debian/rules 2025-07-09 17:08:04.000000000 +0300
+++ samba-4.22.3+dfsg/debian/rules 2025-07-15 21:00:21.000000000 +0300
@@ -370,8 +370,10 @@
{ \
suff=$$(${DEB_HOST_MULTIARCH}-python3-config --extension-suffix | tr _ -); \
SUFF=$$(echo "$${suff%.so}" | tr a-z- A-Z_); \
+ SYM="PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version}"; \
+ deb_ver="${talloc-version}"; \
echo "libpytalloc-util$${suff}.2 #PACKAGE# #MINVER#"; \
- echo " PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version}@PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version} ${talloc-version}"; \
+ echo " $${SYM}@$${SYM} $${deb_ver%%[-+]*}"; \
cat debian/python3-talloc.symbols.in; \
} > debian/python3-talloc.symbols
diff -Nru samba-4.22.3+dfsg/debian/winbind.pam-config samba-4.22.3+dfsg/debian/winbind.pam-config
--- samba-4.22.3+dfsg/debian/winbind.pam-config 2025-06-26 09:39:04.000000000 +0300
+++ samba-4.22.3+dfsg/debian/winbind.pam-config 2025-07-13 12:43:43.000000000 +0300
@@ -6,9 +6,10 @@
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
Auth-Initial:
[success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
-Account-Type: Primary
+Account-Type: Additional
Account:
- [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
+ sufficient pam_localuser.so
+ [default=bad success=ok user_unknown=ignore] pam_winbind.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_winbind.so try_authtok try_first_pass
More information about the Pkg-samba-maint
mailing list