Package: samba-ad-dc
Version: 2:4.22.6+dfsg-0+deb13u1
Severity: normal

Hi,

If you do as the trixie release notes say, and “apt install samba-ad-dc”
on your DC upgrade, you will (more or less silently) get libnss-winbind
and libpam-winbind on your DC. This means that by default (i.e., unless
you add some extra restrictions somewhere), every user on your domain
can log into your DC. 

This is an unusual configuration; pretty much every DC I've seen is
set up separated from normal users for security reasons. And given that
the main samba package does _not_ have such a Recommends (winbind itself
has a Suggests, which sounds like the right thing to me), I'm not sure
why samba-ad-dc specifically would have it? It doesn't seem to fit with
what Recommends generally means in Policy (“The Recommends field should
list packages that would be found together with this one in all but unusual
installations”; I would assume _installing_ them is the unusual setup).
Of course you can install them and then set up e.g. group ACLs in
sshd_config, but it's not obvious to me why this should be the default
setup.

I must admit I don't even understand why winbind is needed to run a DC,
but I'm sure there is some internal Samba reason, given that it is a
Depends. :-)

-- System Information:
Debian Release: 13.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.18.2 (SMP w/56 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba-ad-dc depends on:
ii  init-system-helpers  1.69~deb13u1
ii  libbsd0              0.12.2-2
ii  libc6                2.41-12+deb13u2
pn  libldb2              <none>
ii  libpopt0             1.19+dfsg-2
ii  libtalloc2           2:2.4.3+samba4.22.8+dfsg-0+deb13u1
pn  libtevent0t64        <none>
ii  python3              3.13.5-1
pn  python3-dnspython    <none>
pn  python3-samba        <none>
pn  samba                <none>
pn  samba-dsdb-modules   <none>
pn  samba-libs           <none>
pn  winbind              <none>

Versions of packages samba-ad-dc recommends:
pn  libnss-winbind      <none>
pn  libpam-winbind      <none>
ii  python3-gpg         1.24.2-3
pn  samba-ad-provision  <none>

Versions of packages samba-ad-dc suggests:
pn  bind9                 <none>
pn  bind9utils            <none>
pn  ldb-tools             <none>
ii  ntpsec [time-daemon]  1.2.3+dfsg1-8

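The exposure described in the report (libnss-winbind and libpam-winbind make every domain account a valid local login on the DC, and nothing limits who may use it over SSH) can be checked and closed with a small POSIX sh script. This is an added example, not code from the bug report or from the samba packaging. The nsswitch.conf, common-auth and sshd_config contents below are constructed samples, the admin group name "dc-admins" is hypothetical, and the "fix" commands are the standard apt-get and sshd_config mechanisms the report alludes to (--no-install-recommends, purging the two packages, or an AllowGroups ACL).

```sh
#!/bin/sh
# Added example, not part of the bug report: audit whether winbind's NSS and
# PAM modules (pulled in by samba-ad-dc's Recommends) have turned every domain
# user into a valid local login on the DC, and apply the sshd_config group ACL
# the report mentions. File contents and the group "dc-admins" are constructed.

# Constructed /etc/nsswitch.conf as libnss-winbind leaves it: passwd and group
# now consult winbind, so every AD account resolves as a local user.
SAMPLE_NSSWITCH='passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files systemd
hosts:          files dns'

# Constructed /etc/pam.d/common-auth after libpam-winbind's pam-auth-update.
SAMPLE_PAM='auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so'

# Constructed sshd_config with no login restriction at all.
SAMPLE_SSHD='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# nss_uses_winbind CONTENT: print each database (passwd, group, ...) whose
# lookup chain includes winbind; exit 0 if any does, 1 otherwise.
nss_uses_winbind() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /:$/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++) if ($i == "winbind") { print db; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# pam_uses_winbind CONTENT: exit 0 if an uncommented line loads pam_winbind.so.
pam_uses_winbind() {
    printf '%s\n' "$1" | grep -Eq '^[^#]*pam_winbind\.so'
}

# sshd_restricts_logins CONTENT: exit 0 if AllowGroups or AllowUsers limits
# who may log in over SSH, 1 if every resolvable account is accepted.
sshd_restricts_logins() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowgroups" || tolower($1) == "allowusers" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# add_allowgroups CONTENT GROUP: return CONTENT with "AllowGroups GROUP"
# appended unless a login restriction already exists (idempotent).
add_allowgroups() {
    if sshd_restricts_logins "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\nAllowGroups %s\n' "$1" "$2"
    fi
}

# dc_exposed NSS PAM SSHD: exit 0 when the combination lets any domain user
# log into this host (winbind in NSS and in PAM, no sshd ACL).
dc_exposed() {
    nss_uses_winbind "$1" >/dev/null && pam_uses_winbind "$2" && ! sshd_restricts_logins "$3"
}

# audit_host: the same checks against the live system (read-only).
audit_host() {
    for pkg in libnss-winbind libpam-winbind; do
        dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null | grep -q 'install ok installed' \
            && echo "installed: $pkg"
    done
    [ -r /etc/nsswitch.conf ] && nss_uses_winbind "$(cat /etc/nsswitch.conf)" \
        | sed 's/^/nsswitch consults winbind for: /'
    [ -r /etc/pam.d/common-auth ] && pam_uses_winbind "$(cat /etc/pam.d/common-auth)" \
        && echo "PAM authenticates against winbind"
    [ -r /etc/ssh/sshd_config ] && ! sshd_restricts_logins "$(cat /etc/ssh/sshd_config)" \
        && echo "sshd_config has no AllowGroups/AllowUsers"
    return 0
}

# Demo on the constructed samples; pass --host to inspect the running system.
if [ "${1:-}" = "--host" ]; then
    audit_host
elif dc_exposed "$SAMPLE_NSSWITCH" "$SAMPLE_PAM" "$SAMPLE_SSHD"; then
    echo "exposed: winbind in NSS and PAM, sshd accepts any resolvable account"
    echo "fix A: apt-get install --no-install-recommends samba-ad-dc"
    echo "fix B: apt-get purge libnss-winbind libpam-winbind   (if already pulled in)"
    echo "fix C: keep them but restrict sshd to an admin group, e.g.:"
    add_allowgroups "$SAMPLE_SSHD" dc-admins | tail -n 1
fi
```

Run without arguments it walks the constructed samples and reports the three remediations; with `--host` it performs the same read-only checks against /etc on the DC itself. Fix A is what you would type instead of the release notes' plain `apt install samba-ad-dc`; fix C is the group ACL the report mentions, and the helper refuses to append a second AllowGroups line if one already exists.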