Bug#649265: [Pkg-samba-maint] Bug#649265: winbind: add wins to nsswitch.conf
Quoting Osamu Aoki (os...@debian.org): The current mechanism used by libnss-mdns for updating /etc/nsswitch.conf is not policy-compliant. Is it? Actually, I initially thought it was not policy-compliant without looking into facts. But /etc/nsswitch.conf does not look like conffile. It is a generated file by base-files.postinst. So, as long as base-files and libnss-mdns maintainers cordinate each other, I see no problem in terms of policy. Oh, doh. Shouldn't it be a conffile anyway? As a local admin, I would hate seeing my carefully crafted nsswitch.conf file broken by packages' updates just because it is policy-compliant as this is not a conffile. And I certainly know about Debian-haters who would happily use this as an argument to bash us for doing that (forgetting that most other distros happily break such files during upgrades...) So, well, sounds like a goodpolicy-compliant method to update nsswitch.conf would indeed be a great enhancemeent to bring. Thinking out loud, it could be something like /etc/nsswitch.conf.d/ but I'm not sure that's easy to do without hacking many things. signature.asc Description: Digital signature
Bug#649265: winbind: add wins to nsswitch.conf
On Sun, Nov 20, 2011 at 06:09:22PM +0900, Osamu Aoki wrote: On Sat, Nov 19, 2011 at 11:36:52AM -0800, Steve Langasek wrote: The current mechanism used by libnss-mdns for updating /etc/nsswitch.conf is not policy-compliant. Is it? Actually, I initially thought it was not policy-compliant without looking into facts. But /etc/nsswitch.conf does not look like conffile. It is a generated file by base-files.postinst. So, as long as base-files and libnss-mdns maintainers cordinate each other, I see no problem in terms of policy. a) they don't coordinate b) this config file is initially populated by base-files, but it's configuration for libc, not for base-files, and there's no coordination being done with glibc c) the policy requirement is not just that they coordinate, but that they use a *standard programmatic interface* for updating the config file: If it is desirable for two or more related packages to share a configuration file _and_ for all of the related packages to be able to modify that configuration file, then the following should be done: 1. One of the related packages (the owning package) will manage the configuration file with maintainer scripts as described in the previous section. 2. The owning package should also provide a program that the other packages may use to modify the configuration file. 3. The related packages must use the provided program to make any desired modifications to the configuration file. They should either depend on the core package to guarantee that the configuration modifier program is available or accept gracefully that they cannot modify the configuration file if it is not. (This is in addition to the fact that the configuration file may not even be present in the latter scenario.) d) the current semantics of libnss-mdns are not at all scalable and need some serious reworking before they could be made a standard process. but I won't perpetuate the policy-violating modification of another package's config file. user and group management via libpam-winbind package on windows dominated world still seems good idea. Yes, and we already integrate with PAM and would gladly integrate with nsswitch - but more infrastructure is needed first. On Mon, Nov 21, 2011 at 07:06:08AM +0100, Christian PERRIER wrote: Oh, doh. Shouldn't it be a conffile anyway? Absolutely not! As a local admin, I would hate seeing my carefully crafted nsswitch.conf file broken by packages' updates just because it is policy-compliant as this is not a conffile. The fact that you intend to carefully craft it is proof that it should not be a conffile. Files should only be marked conffiles if in the vast majority of cases the file will not need to be changed (by either the package maintainer or the admin). -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#649265: winbind: add wins to nsswitch.conf
Hi, Thanks for clarification. On Sat, Nov 19, 2011 at 11:36:52AM -0800, Steve Langasek wrote: On Sat, Nov 19, 2011 at 10:26:02PM +0900, Osamu Aoki wrote: Package: winbind Version: 2:3.5.11~dfsg-4 Severity: wishlist As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. The current mechanism used by libnss-mdns for updating /etc/nsswitch.conf is not policy-compliant. Is it? Actually, I initially thought it was not policy-compliant without looking into facts. But /etc/nsswitch.conf does not look like conffile. It is a generated file by base-files.postinst. So, as long as base-files and libnss-mdns maintainers cordinate each other, I see no problem in terms of policy. I would be happy to have the winbind package (actually the libpam-winbind package, in unstable) integrate with an appropriate nsswitch updating mechanism, Yes, *appropriate nsswitch updating mechanism* is what is needed. I am happy to know Windows system uses the sane host name resolution via DNS these days. I will continue discuss this topic with the original bug reporter who insisted to use NETBIOS for hostname resolution at http://bugs.debian.org/626736 . It seems even MS has howto for integrating their DHCP server with their DNS server. http://technet.microsoft.com/en-us/library/cc787034(v=WS.10).aspx (Certainly, we can do the equivalent on Debian) but I won't perpetuate the policy-violating modification of another package's config file. user and group management via libpam-winbind package on windows dominated world still seems good idea. Osamu -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#649265: winbind: add wins to nsswitch.conf
Package: winbind Version: 2:3.5.11~dfsg-4 Severity: wishlist As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. $ grep nsswitch.conf * ... libnss-mdns.postinst:# try to insert mdns entries to the hosts line in /etc/nsswitch.conf to libnss-mdns.postinst:# abort if /etc/nsswitch.conf does not exist libnss-mdns.postinst:if ! [ -e /etc/nsswitch.conf ]; then libnss-mdns.postinst:log Could not find /etc/nsswitch.conf. libnss-mdns.postinst:' /etc/nsswitch.conf libnss-mdns.postinst:# nsswitch.conf already contains mdns entries) libnss-mdns.postinst:if [ -e /etc/nsswitch.conf ]; then libnss-mdns.postinst:/etc/nsswitch.conf libnss-mdns.postinst:/etc/nsswitch.conf libnss-mdns.postrm:# abort if /etc/nsswitch.conf does not exist libnss-mdns.postrm:if ! [ -e /etc/nsswitch.conf ]; then libnss-mdns.postrm:log Could not find /etc/nsswitch.conf. libnss-mdns.postrm:' /etc/nsswitch.conf Regards, Osamu -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages winbind depends on: ii adduser 3.113 ii libc6 2.13-21 ii libcap2 1:2.22-1 ii libcomerr21.42~WIP-2011-10-16-1 ii libgssapi-krb5-2 1.9.1+dfsg-3 ii libk5crypto3 1.9.1+dfsg-3 ii libkrb5-3 1.9.1+dfsg-3 ii libldap-2.4-2 2.4.25-4+b1 ii libpopt0 1.16-1 ii libtalloc22.0.7-3 ii libtdb1 1.2.9-4+b1 ii libwbclient0 2:3.5.11~dfsg-4 ii lsb-base 3.2-28 ii samba-common 2:3.5.11~dfsg-4 ii zlib1g1:1.2.3.4.dfsg-3 Versions of packages winbind recommends: ii libpam-winbind 2:3.5.11~dfsg-4 winbind suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#649265: [Pkg-samba-maint] Bug#649265: winbind: add wins to nsswitch.conf
On 11/19/2011 02:26 PM, Osamu Aoki wrote: As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. Are you actually having difficulties? WINS is not used by recent Windows anymore and could better be avoided if possible. Cheers Luk -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#649265: [Pkg-samba-maint] Bug#649265: winbind: add wins to nsswitch.conf
Hi, On Sat, Nov 19, 2011 at 02:40:56PM +0100, Luk Claes wrote: On 11/19/2011 02:26 PM, Osamu Aoki wrote: As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. Are you actually having difficulties? WINS is not used by recent Windows anymore and could better be avoided if possible. I see. I have no problem since I do not do this wins thing here. One of a bug reported pushed wins to be documented in Debian Reference. I have no idea what to tell him. What is used by recent Windows and what is a good pointer for documentation of such mixed system integration? Osamu -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#649265: [Pkg-samba-maint] Bug#649265: winbind: add wins to nsswitch.conf
Quoting Osamu Aoki (os...@debian.org): Package: winbind Version: 2:3.5.11~dfsg-4 Severity: wishlist As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Thanks for you suggestion and bug report, Aoki-san. However, I think it really should be up to the local admin to decide what to do, here. I never added wins to nsswitch.conf on any of my samba servers and they're still working fairly well. At the very minimum, this should be done through a (low priority) debconf question (defaulting to not do anything). Given that, I'm far from being convinced of this being really useful, I will eventually consider this.if we get a working patch implementing this, including debconf question..:) signature.asc Description: Digital signature
Bug#649265: winbind: add wins to nsswitch.conf
On Sat, Nov 19, 2011 at 10:26:02PM +0900, Osamu Aoki wrote: Package: winbind Version: 2:3.5.11~dfsg-4 Severity: wishlist As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. The current mechanism used by libnss-mdns for updating /etc/nsswitch.conf is not policy-compliant. I would be happy to have the winbind package (actually the libpam-winbind package, in unstable) integrate with an appropriate nsswitch updating mechanism, but I won't perpetuate the policy-violating modification of another package's config file. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Bug#649265: [Pkg-samba-maint] Bug#649265: Bug#649265: winbind: add wins to nsswitch.conf
On Sat, Nov 19, 2011 at 02:40:56PM +0100, Luk Claes wrote: On 11/19/2011 02:26 PM, Osamu Aoki wrote: As I understand, winbind is a package to help integrate a machine into a Windows network. Documentation in Integrating MS Windows Networks with Samba http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/integrate-ms-networks.html is a good resource for novice like me. It seems we need to add wins to nsswitch.conf. Then I realize, libnss-mdns does put its entries into nsswitch.conf via package script. I thought it may be nice for winbind to do the similar. Are you actually having difficulties? WINS is not used by recent Windows anymore and could better be avoided if possible. The nss_wins module handles all NetBIOS name resolution, including broadcast resolution. So while no one with a recent version of Windows is likely to be setting up WINS, it's still the only way to resolve (at the Unix level) Windows hostnames that aren't in DNS. So it's still relevant, although I certainly wouldn't have the package enabling this by default. (In my first reply, I mistakenly thought this bug report was about nss_winbind, which probably *should* be enabled by default, if an appropriate updating mechanism were made available.) -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Bug#649265: [Pkg-samba-maint] Bug#649265: Bug#649265: winbind: add wins to nsswitch.conf
On Sun, Nov 20, 2011 at 12:41:41AM +0900, Osamu Aoki wrote: I have no problem since I do not do this wins thing here. One of a bug reported pushed wins to be documented in Debian Reference. I have no idea what to tell him. What is used by recent Windows and what is a good pointer for documentation of such mixed system integration? Recent Windows systems use DNS instead. Where is the bug report asking for wins to be documented? We can probably give a better answer seeing the user's exact use case. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
