Bug#1130068: marked as done (should not recommend libnss-winbind/libpam-winbind)

Sun, 08 Mar 2026 04:59:15 -0700 

Your message dated Sun, 08 Mar 2026 11:56:30 +0000
with message-id <[email protected]>
and subject line Bug#1130068: fixed in samba 2:4.23.6+dfsg-2
has caused the Debian Bug report #1130068,
regarding should not recommend libnss-winbind/libpam-winbind
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: samba-ad-dc
Version: 2:4.22.6+dfsg-0+deb13u1
Severity: normal

Hi,

If you do as the trixie release notes say, and “apt install samba-ad-dc”
on your DC upgrade, you will (more or less silently) get libnss-winbind
and libpam-winbind on your DC. This means that by default (i.e., unless
you add some extra restrictions somewhere), every user on your domain
can log into your DC. 

This is an unusual configuration; pretty much every DC I've seen is
set up separated from normal users for security reasons. And given that
the main samba package does _not_ have such a Recommends (winbind itself
has a Suggests, which sounds like the right thing to me), I'm not sure
why samba-ad-dc specifically would have it? It doesn't seem to fit with
what Recommends generally means in Policy (“The Recommends field should
list packages that would be found together with this one in all but unusual
installations”; I would assume _installing_ them is the unusual setup).
Of course you can install them and then set up e.g. group ACLs in
sshd_config, but it's not obvious to me why this should be the default
setup.

I must admit I don't even understand why winbind is needed to run a DC,
but I'm sure there is some internal Samba reason, given that it is a
Depends. :-)

-- System Information:
Debian Release: 13.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 
'proposed-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.18.2 (SMP w/56 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba-ad-dc depends on:
ii  init-system-helpers  1.69~deb13u1
ii  libbsd0              0.12.2-2
ii  libc6                2.41-12+deb13u2
pn  libldb2              <none>
ii  libpopt0             1.19+dfsg-2
ii  libtalloc2           2:2.4.3+samba4.22.8+dfsg-0+deb13u1
pn  libtevent0t64        <none>
ii  python3              3.13.5-1
pn  python3-dnspython    <none>
pn  python3-samba        <none>
pn  samba                <none>
pn  samba-dsdb-modules   <none>
pn  samba-libs           <none>
pn  winbind              <none>

Versions of packages samba-ad-dc recommends:
pn  libnss-winbind      <none>
pn  libpam-winbind      <none>
ii  python3-gpg         1.24.2-3
pn  samba-ad-provision  <none>

Versions of packages samba-ad-dc suggests:
pn  bind9                 <none>
pn  bind9utils            <none>
pn  ldb-tools             <none>
ii  ntpsec [time-daemon]  1.2.3+dfsg1-8

--- End Message ---
--- Begin Message --- 
Source: samba
Source-Version: 2:4.23.6+dfsg-2
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Mar 2026 14:27:42 +0300
Source: samba
Architecture: source
Version: 2:4.23.6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Samba Maintainers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1130068
Changes:
 samba (2:4.23.6+dfsg-2) unstable; urgency=medium
 .
   * samba-bgqd.service: ship a unit file, but not auto-enable it
   * d/rules: do not enable nmbd by default
   * d/control: drop libnss-winbind & libpam-winbind from
     samba-ad-dc:Recommends (Closes: #1130068)
Checksums-Sha1:
 9fa9dce054cf1b8b0ad6f28555946e271ce39558 6088 samba_4.23.6+dfsg-2.dsc
 6046d66181de0ddf9968dc21112deaacfe5e13f9 190280 
samba_4.23.6+dfsg-2.debian.tar.xz
 aab846a92ac98c54881bf2a9b15e88771858f3f9 6072 
samba_4.23.6+dfsg-2_source.buildinfo
Checksums-Sha256:
 c6a7f45ff35ed42731606f0a4186987ca3771f19b72b54459c818c5533f4a2d4 6088 
samba_4.23.6+dfsg-2.dsc
 77baceeeb85da70ed3cdab08d268b195ee04927579bb328d49c5dc0b482b7dcc 190280 
samba_4.23.6+dfsg-2.debian.tar.xz
 57bcacfab6e1c97e5579bd6c0c9e789988a0b99cae6ea0a12f9070b491b31706 6072 
samba_4.23.6+dfsg-2_source.buildinfo
Files:
 924182ff1dfb6ada0f2a5f348ad26951 6088 net optional samba_4.23.6+dfsg-2.dsc
 909eb61dddf2c910ffe3dcba5365dd53 190280 net optional 
samba_4.23.6+dfsg-2.debian.tar.xz
 cba956fb1d1954178b43ff87d2e0f028 6072 net optional 
samba_4.23.6+dfsg-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJprV6XCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmcPEUKKLqfyllu5QAegYcHcMp/ruXTp3f9DeYOb26ad
HxYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AACEUhAApH/hAjTIUI9BsCW3Bmy4WoKv
LED73mvkSrr2ApnM1AdLLGGq5ze+Rc15/k/7YEV0CtNVxjSJ0D7ZhjSz5gXWUXwV
u2Ffm/VciM1L9IVntrJRk5dqFa6FLQOhROmDK52ulUI0agfqJoPhHi2G6Zd6ZAoA
y4W8jU2yNvlDut1ompSzP+i0tDcE7s3w5IMUnMIm3CdVKRCtR+KkGProTjPyDzXO
LltxGtzkEgOdshgG5ty1afqQZWjwoXOeX30PLItBdDD6c9PYYHh84MvOzyuDPsI8
qsjiRBpdtOitc/+DKKUyrghJPG2OcGGIPOA6LchsuzjcpyGrRtudBKqhZLpfp8OH
N+MPYUECMvUalPwibK15qMeGJlzZfG7QD9JxAvK4w6e0pXNH8ZM0xgZbMA1xsG03
IeyfWFAk8XbcKbealpmDAjthchvQFfVBIpBZjjYxTfKj6V5CDQV2232G2XocWSgC
5n9hCXm/rNNhHlO16QHijBnciXigIMBilc2d+MDaBl9/a50zRX9QBvxi317Nm/Gt
2Y4GL3uhT/OWQOUxJWOB9ddICmieRnWuwc+GuZDqEa0KJT1dRemT20nksb8yWDq6
+d8orMTg+BYQ8BTyZP8+VzGKQ9mvunsbCzedz4VbpqQ0Fuj9aH2KaUetIgQX1Cyk
nCi5IldUyUD+PggtCX4=
=YtIb
-----END PGP SIGNATURE-----

Attachment: pgpIW543DiuBw.pgp
Description: PGP signature


--- End Message ---

Reply via email to