[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** No longer affects: eglibc (Ubuntu) ** No longer affects: libnss-ldap (Ubuntu) ** No longer affects: sudo (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in Ubuntu. https://bugs.launchpad.net/bugs/423252 Title: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Thanks Howard, I'll get this reviewed and tested this week.

Adam
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
After reviewing this bug again I've outlined a possible course of action:

a) Revert global_init patch in all supported distros
b) Lucid users continue to use the nscd workaround.
c) Precise, Quantal, etc - rebuild gnutls without --with-libgcrypt in order to make use of nettle.

Unfortunately, the version of gnutls in Lucid is older than the required gnutls version for nettle support. So I do not believe there will be much that we can do as far as a supportable option is concerned.

I will need to speak with some other engineers about getting option c pushed through[1].

[1] http://pad.lv/926350
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Forcing use of nscd is a non-starter at many sites. Aside from cache staleness issues, and nscd's well known instability, there's also the issue that nscd doesn't intercept get*ent enumerations so things will still crash depending on which nsswitch functions an app calls. It would make sense to use nettle on the newer releases that support it, but keep the patch in place otherwise.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This additional patch fixes the crash in bug#1013798.

** Attachment added: Addition to the patch in comment#73
   https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252/+attachment/3328846/+files/dif.txt
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Oops. The attachment in comment#166 includes the patch in #73, it is not incremental.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
The patch applied to libgcrypt breaks other software: https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Thank you!
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Any chance of it getting to lucid-updates anytime soon?
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This bug was fixed in the package libgcrypt11 - 1.4.4-5ubuntu2.1

---
libgcrypt11 (1.4.4-5ubuntu2.1) lucid-proposed; urgency=low

  * Do not call global_init when setting thread callbacks (LP: #423252)

 -- Adam Stokes adam.sto...@canonical.com  Thu, 24 May 2012 16:31:52 -0400

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: Fix Committed => Fix Released
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hey, raof, I have tested the lucid-proposed version and it works fine. sudo no longer segfaults. Thanks for the package! I am waiting for it to arrive at lucid-updates!
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Tags added: verification-done-lucid
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This bug was fixed in the package libgcrypt11 - 1.5.0-3ubuntu0.1

---
libgcrypt11 (1.5.0-3ubuntu0.1) precise-proposed; urgency=low

  * Do not call global_init when setting thread callbacks (LP: #423252)

 -- Adam Stokes adam.sto...@canonical.com  Wed, 16 May 2012 13:35:06 -0400

** Changed in: libgcrypt11 (Ubuntu Precise)
   Status: Fix Committed => Fix Released
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Tags removed: verification-done-precise
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hello Matt, or anyone else affected,

Accepted libgcrypt11 into lucid-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: In Progress => Fix Committed

** Tags removed: verification-done
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Branch linked: lp:ubuntu/lucid-proposed/libgcrypt11
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Lucid-proposed debdiff

** Patch added: libgcrypt11_1.4.4-5ubuntu2.1.lucid.debdiff
   https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252/+attachment/3161716/+files/libgcrypt11_1.4.4-5ubuntu2.1.lucid.debdiff
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: Confirmed => Fix Committed
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
not committed until it's available in -proposed

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: Fix Committed => In Progress
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Ubuntu 12.04 Precise
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hello Martin,

I was affected by the bug and I confirm that using the latest packages from proposed solves the problem with my company's setup for LDAP. Thanks a lot.

Regards.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hi mcguire. Which release of Ubuntu do the updated packages solve the problem on for you? There are fixes available for natty, oneiric, and precise. Thanks!
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hello Matt, or anyone else affected,

Accepted libgcrypt11 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

** Tags added: verification-needed
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Branch linked: lp:ubuntu/precise-proposed/libgcrypt11

** Branch linked: lp:ubuntu/oneiric-proposed/libgcrypt11

** Branch linked: lp:ubuntu/natty-proposed/libgcrypt11
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Hello, Martin. Any chance of getting that for lucid? Thank you in advance!
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Yes, it'll be SRUed for lucid too, I'm just waiting for Adam to finish preparing the debdiff and I'll review and upload it to lucid-proposed.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Patch added: Oneiric-proposed debdiff
   https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/423252/+attachment/3150693/+files/libgcrypt11_1.5.0-1ubuntu0.1.oneiric.debdiff
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
natty-proposed debdiff

** Patch added: libgcrypt11_1.4.6-4ubuntu2.1.natty.debdiff
   https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/423252/+attachment/3150719/+files/libgcrypt11_1.4.6-4ubuntu2.1.natty.debdiff
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Also affects: libgcrypt11 (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: sudo (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: libnss-ldap (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: eglibc (Ubuntu Natty)
   Importance: Undecided
   Status: New

** Also affects: libgcrypt11 (Ubuntu Oneiric)
   Importance: Undecided
   Status: New

** Also affects: sudo (Ubuntu Oneiric)
   Importance: Undecided
   Status: New

** Also affects: libnss-ldap (Ubuntu Oneiric)
   Importance: Undecided
   Status: New

** Also affects: eglibc (Ubuntu Oneiric)
   Importance: Undecided
   Status: New

** Changed in: libgcrypt11 (Ubuntu Maverick)
   Status: Confirmed => Won't Fix

** Also affects: libgcrypt11 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: sudo (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: libnss-ldap (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: eglibc (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: libgcrypt11 (Ubuntu Precise)
   Status: New => Fix Committed

** Changed in: libgcrypt11 (Ubuntu Oneiric)
   Status: New => Fix Committed

** Changed in: libgcrypt11 (Ubuntu Natty)
   Status: New => Fix Committed
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This bug was fixed in the package libgcrypt11 - 1.5.0-3ubuntu1

---
libgcrypt11 (1.5.0-3ubuntu1) quantal; urgency=low

  * Do not call global_init when setting thread callbacks (LP: #423252)

 -- Adam Stokes adam.sto...@canonical.com  Tue, 15 May 2012 13:56:17 -0400

** Changed in: libgcrypt11 (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Branch linked: lp:ubuntu/libgcrypt11
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Precise debdiff for SRU

** Patch added: libgcrypt11_1.5.0-3ubuntu1.precise.debdiff
   https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252/+attachment/3149496/+files/libgcrypt11_1.5.0-3ubuntu1.precise.debdiff
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Uploaded your debdiff to precise-proposed with two small changes:
- Targeted precise-proposed instead of precise
- Changed version to -0ubuntu0.1 instead of -0ubuntu1
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Description changed: - On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' - field to anything with 'ldap' as the first item breaks the ability to - become root using 'su' and 'sudo' as anyone but root. + SRU Request: + + [Impact] + As heavily outlined in the amount of comments in this bug the impact is detrimental to both community and enterprise users alike. + + [Development Fix] + Howard Chu released a patch in #73 which was later confirmed in #106 #108 as a resolution. The patch has since then made its way into the latest development tree. + + [Stable Fix] + Patch from #73 can be applied cleanly to Lucid and new distributions. + + [Test Case] + On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root. Default nsswitch.conf: passwd: compat group: compat shadow: compat matt@box:~$ sudo uname -a [sudo] password for matt: Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux matt@box:~$ su - Password: root@box:~# Modified nsswitch.conf with 'ldap' before 'compat': passwd: ldap compat group: ldap compat shadow: ldap compat matt@box:~$ sudo uname -a sudo: setreuid(ROOT_UID, user_uid): Operation not permitted matt@box:~$ su - Password: setgid: Operation not permitted Modified nsswitch.conf with 'ldap' after 'compat': passwd: compat ldap group: compat ldap shadow: compat ldap matt@box:~$ sudo uname -a [sudo] password for matt: Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux matt@box:~$ su - Password: root@box:~# The same arrangements in nsswitch.conf work as expected in Jaunty and earlier releases. + [Regression Potential] + This should be minimal as the code change only addresses the duplicating global_init during thread callbacks. 
+ + Lucid Release Note: == NSS via LDAP+SSL breaks setuid applications like sudo == Upgrading systems configured to use ldap over ssl as the first service in the nss stack (in nsswitch.conf) leads to a broken nss resolution for setuid applications after the upgrade to Lucid (for example sudo would stop working). There isn't any simple workaround for now. One option is to switch to libnss-ldapd in place of libnss-ldap before the upgrade. Another one consists in using nscd before the upgrade.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Description changed: SRU Request: [Impact] As heavily outlined in the amount of comments in this bug the impact is detrimental to both community and enterprise users alike. [Development Fix] - Howard Chu released a patch in #73 which was later confirmed in #106 #108 as a resolution. The patch has since then made its way into the latest development tree. + Howard Chu released a patch in #73 which was later confirmed in #106 #108 as a resolution. [Stable Fix] Patch from #73 can be applied cleanly to Lucid and new distributions. [Test Case] On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root. Default nsswitch.conf: passwd: compat group: compat shadow: compat matt@box:~$ sudo uname -a [sudo] password for matt: Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux matt@box:~$ su - Password: root@box:~# Modified nsswitch.conf with 'ldap' before 'compat': passwd: ldap compat group: ldap compat shadow: ldap compat matt@box:~$ sudo uname -a sudo: setreuid(ROOT_UID, user_uid): Operation not permitted matt@box:~$ su - Password: setgid: Operation not permitted Modified nsswitch.conf with 'ldap' after 'compat': passwd: compat ldap group: compat ldap shadow: compat ldap matt@box:~$ sudo uname -a [sudo] password for matt: Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux matt@box:~$ su - Password: root@box:~# The same arrangements in nsswitch.conf work as expected in Jaunty and earlier releases. [Regression Potential] This should be minimal as the code change only addresses the duplicating global_init during thread callbacks. 
- Lucid Release Note: == NSS via LDAP+SSL breaks setuid applications like sudo == Upgrading systems configured to use ldap over ssl as the first service in the nss stack (in nsswitch.conf) leads to a broken nss resolution for setuid applications after the upgrade to Lucid (for example sudo would stop working). There isn't any simple workaround for now. One option is to switch to libnss-ldapd in place of libnss-ldap before the upgrade. Another one consists in using nscd before the upgrade.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Branch linked: lp:~adam-stokes/ubuntu/quantal/libgcrypt11/libgcrypt-fix-423252
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
craig-white@139 Please file a bug against nslcd to track the problem with pam_authz_search. Also, in general, bug reports for any missing features are welcome.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
adejong@139 https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/992737 Thanks
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This is busted in 12.04 and we can't use sudo with LDAP and SSL. Kind of a show stopper when it comes to enterprise deployments I
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
In my recent experience, installing libnss-ldapd and libpam-ldapd (which in turn install nslcd and uninstall libnss-ldap and libpam-ldap) fixes the problem on 11.10 and 12.04. -sbi
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
See here's the deal... Yes, the problem seems to occur with starttls being enabled but given the choice...

- libnss-ldap
- libpam-ldap
- nscd

or

- libnss-ldapd
- libpam-ldapd
- nslcd

The first one fails if starttls is used to connect to the ldap server.
The second one fails to respect 'pam_check_host_attr yes' setting.

So I have problems no matter what I do. It's time for Ubuntu to clean this up as I was able to function w/ Lucid (libnss-ldap/libpam-ldap/nscd) but have only 2 lousy choices in Precise
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
You can replace

  pam_check_host_attr yes

with

  pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

See the nslcd.conf manual page for more details (the 0.7 series doesn't have the fqdn value yet).

Btw, you can use libpam-ldap fine together with libnss-ldapd if you prefer. Also note that nslcd is no replacement for nscd. nslcd doesn't do much caching and nscd (or unscd) can still be used to reduce the load on your LDAP server.

The only real things that are missing in nss-pam-ldapd are nested groups and LDAP password policies. Patches are welcome ;)
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
adejong@138 Put that entry into /etc/nslcd.conf as you suggested (and as the man page suggests) and removed my 'host' attribute which should prevent me from logging into my upgraded 12.04 system but it didn't. (NSCD and NSLCD running, libnss-ldapd and libpam-ldapd installed and configured)

Obviously I can't expect the pam_check_host_attr in /etc/ldap.conf to work with this configuration but I did hope that the nslcd.conf would work and prevent me from being able to log in - it didn't. This was after a reboot so I'm reasonably sure that nothing was cached in nslcd or nscd that would have impacted.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
A quick workaround that solved my problem with this:

First install libnss-ldap.
Configure ldap stuff, test if you can log in but can't use setuid apps.
Then install nslcd and configure.

After these steps my system is working, and allowing me to log in with ldap account and use sudo.

This bug is pretty serious, any enterprise who has more than one linux box, is using ldap to authenticate. And this is a show stopper. This should be fixed ASAP.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I forgot to mention that I used 12.04 and 10.04 with the same results.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Changed in: gnutls26 (Debian) Status: Unknown => New
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Sonic, did you do any special config? With nslcd we are running into the next problem:

  # /etc/init.d/nslcd start
   * Starting LDAP connection daemon nslcd
  nslcd: Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)

which leads us straight to https://bugs.launchpad.net/ubuntu/+source/nss-pam-ldapd/+bug/917208 and still not getting groups etc.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
If you are seeing something like:

  Warning: /lib/x86_64-linux-gnu/libnss_ldap.so.2: undefined symbol: _nss_ldap_enablelookups (probably older NSS module loaded)

It means that you probably have libnss-ldap installed instead of libnss-ldapd (note the extra d). Using nslcd works best with libnss-ldapd and libpam-ldapd.
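A pre-upgrade check for the two conditions discussed in this thread, as an added example that is not part of the bug report or of any Ubuntu package: it flags `ldap` listed first for passwd/group/shadow while libnss-ldap is configured for TLS (the release-note condition), and nslcd installed next to libnss-ldap (the mismatch behind the `_nss_ldap_enablelookups` warning). The function names, finding labels and sample inputs are assumptions constructed for illustration; the package list is expected to come from the system's package manager.

```python
import re

NSS_DATABASES = ("passwd", "group", "shadow")
TLS_SSL_VALUES = {"on", "start_tls"}  # 'ssl' settings in an nss_ldap-style ldap.conf


def parse_nsswitch(text):
    """Return {database: [service, ...]}, dropping comments and [ACTION] items."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, services = line.split(":", 1)
        services = re.sub(r"\[[^\]]*\]", " ", services)  # e.g. [NOTFOUND=return]
        table[database.strip()] = services.split()
    return table


def ldap_uses_tls(ldap_conf_text):
    """True if ldap.conf sets 'ssl on', 'ssl start_tls' or an ldaps:// URI."""
    for raw in ldap_conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[0].lower()
        if key == "ssl" and fields[1].lower() in TLS_SSL_VALUES:
            return True
        if key == "uri" and any(u.lower().startswith("ldaps://") for u in fields[1:]):
            return True
    return False


def audit(nsswitch_text, ldap_conf_text, installed_packages):
    """Return a list of (subject, finding) tuples; an empty list means no match."""
    packages = set(installed_packages)
    findings = []
    # Release-note condition: libnss-ldap + TLS + ldap as the first NSS service.
    if "libnss-ldap" in packages and ldap_uses_tls(ldap_conf_text):
        table = parse_nsswitch(nsswitch_text)
        for database in NSS_DATABASES:
            services = table.get(database, [])
            if services and services[0] == "ldap":
                findings.append((database, "ldap-first-with-tls"))
    # nslcd expects libnss-ldapd; the old module gives the undefined-symbol warning.
    if "nslcd" in packages and "libnss-ldap" in packages:
        findings.append(("packages", "nslcd-with-libnss-ldap"))
    return findings


# Constructed sample inputs; the nsswitch.conf arrangements follow the bug's test case.
NSSWITCH_LDAP_FIRST = """\
passwd: ldap compat
group:  ldap compat
shadow: ldap compat
"""
NSSWITCH_LDAP_LAST = """\
# local accounts are consulted first
passwd: compat ldap
group:  compat [NOTFOUND=continue] ldap
shadow: compat ldap
"""
LDAP_CONF_STARTTLS = """\
# constructed example
uri ldap://ldap.example.com/
ssl start_tls
"""
LDAP_CONF_PLAIN = "uri ldap://ldap.example.com/\nssl off\n"

if __name__ == "__main__":
    for name, nss in (("ldap first", NSSWITCH_LDAP_FIRST),
                      ("ldap last", NSSWITCH_LDAP_LAST)):
        print(name, audit(nss, LDAP_CONF_STARTTLS, ["libnss-ldap", "nscd"]))
```
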
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Let me point out my non-technical, management-like point of view to this: For my company it would have been a discussable way to put Ubuntu LTS with paid support to a row of our Desktops. But with this issue it is a complete no-go... Rating this as a high issue isn't going far enough, for enterprises this is a major blocker aka showstopper. I would have thought that this would be the utmost interest for Canonical, 'cause support contracts is what their business is built upon.

I'm not technically skilled to point to a solution for this and I respect the licensing problem and that nobody wants multiple sets of ldap client libraries. All I want to say is: There must be a solution to this kind of issue to get enterprises to buy support for Ubuntu.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I fully agree with kibe. While the whole licensing issue certainly leads to a big mess, this bug is an even bigger issue in any enterprise / medium to large scale environment (at least those not using Kerberos). There has to be some viable solution. How do other Linux distributions handle this? Do they all just ignore the licensing issues? In any case the solution is not to leave this bug open for over two years and ignore the numerous suggestions that have been made. Especially now that the nscd workaround is broken in 12.04 LTS.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Ah right, there would be the use case of LDAP with SSL used by non-GPL-compatible programmes. So the proper fix is to have three sets of LDAP (client) libraries. The rest of the packages (server and utilities) can then be built against whatever of those the maintainers see best fit.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Also affects: openldap (Ubuntu) Importance: Undecided Status: New
** Bug watch added: Debian Bug tracker #658739 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739
** Also affects: gnutls26 (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739 Importance: Unknown Status: Unknown
** Also affects: openldap (Debian) Importance: Undecided Status: New
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
3 sets of LDAP client libraries? That sounds like a terrible solution. Fwiw, I wrote a version of OpenLDAP's TLS support that could use any/all of OpenSSL, GnuTLS, and MozillaNSS simultaneously, and never released it, because it seemed that would be too confusing if separate apps had different expectations of TLS config options. But it would certainly be possible to add libltdl support in, and make libldap dynamically load a single TLS implementation. I still don't see any technical merit in supporting anything besides OpenSSL.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** No longer affects: openldap (Ubuntu) ** No longer affects: openldap (Ubuntu Karmic) ** No longer affects: openldap (Ubuntu Lucid)
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
On Wed, Apr 25, 2012 at 09:14:58AM -, Howard Chu wrote:
> I still don't see any technical merit in supporting anything besides OpenSSL.

As soon as someone provides an OpenSSL that it's legal for us to link to in a Linux OS product, instead of with a wink and a nod to the GPL, we'd be elated to discuss the technical merits of the SSL implementations. In the meantime, I agree that we don't want to try to address this with multiple LDAP client libraries. Unmarking openldap as affected.

** No longer affects: openldap (Ubuntu Maverick)
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
My point being, if you want to accommodate multiple TLS libraries simultaneously with only a single libldap, that code is still available in the OpenLDAP git repo. The relevant changes are between a225b02f17fe79f6680d5d31db37320981e24774..4dff3e6807fb3451405373c2b85e02ccf27b882f
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Re #120 (adam-stokes) The best workable solution for me would be working official packages for Lucid and Pangolin. Working LDAP authn/z over TLS is baseline functionality for us (servers and academic computer labs).

I've had no problems with the patch from #73 thus far on our Lucid servers. Most traffic is Apache php/suexec. Day to day use is sudo/su for sysadmins. Have not noticed any side effects. We've been running this way since 2011-04-11.

Currently planning to test nutznbotz #113 gnutls using nettle and adejong #119 nss-pam-ldapd, but not until summer when we test Pangolin for production.

Thanks Canonical folks and patch contributors for all the great work on this.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Just to add something that has nothing to do directly with this bug, but is related: we have been using SSSD for quite a while now, using Timo Aaltonen's PPA https://launchpad.net/~sssd/+archive/updates and could not be happier. In my opinion SSSD is the superior solution for all things authn/authz, tying together LDAP, Kerberos and PAM. There are still some minor Ubuntu-related issues with the ordering of the involved PAM modules but everything works very well, apart from that. I think Ubuntu would do well to properly integrate and incorporate SSSD, especially in the Server edition.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
re #108 (cdmiller) Is this fix still a workable solution for you and have you run into any issues not yet experienced on this bug? Thanks
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Confirmed for Precise beta. Please, for the sake of corporate and government customers (where LDAP and/or Kerberos is very likely to be deployed), elevate the priority of this bug. I gather that this is of not much interest for the majority of private desktop users, but in more professional environments, this is a showstopper, meaning that such a distribution simply cannot be deployed in our corporate networks.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
It is probably best to migrate to either nss-pam-ldapd, sssd or nss-pam-ldapd in combination with the nssov slapd overlay.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I can confirm that the "use nscd" workaround no longer works in the current Precise beta. This will cause anyone updating from the current LTS to the forthcoming LTS to be unable to run su, sudo, apache2 suexec, and atd from LDAP accounts.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This will never be fixed in Lucid and Lucid has the "use nscd" work-around.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
*** This bug is a duplicate of bug 926350 ***
https://bugs.launchpad.net/bugs/926350

** This bug has been marked a duplicate of bug 926350
   LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** This bug is no longer a duplicate of bug 926350
   LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Rebuilding against nettle is no solution for lucid. This bug is not a duplicate.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
PPA for the patch suggested by Howard Chu in comment #73 https://launchpad.net/~nutznboltz/+archive/howard-chu-libgcrypt11-patch-for-ldap-clients
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
According to Andreas Metzler http://lists.debian.org/debian-legal/2011/02/msg6.html

{{ GnuTLS upstream has added support for different crypto backends in 2.11.x and has chosen nettle as preferred backend (2.10.x is using libgcrypt). }}

I have started to experiment with using a gnutls26 package with nettle instead of libgcrypt11 on Ubuntu 12.04. I have yet to adjust the gnutls26 package dependencies, at this point I just cheat and install nettle-dev manually:

  sudo apt-get install nettle-dev

Then I

  apt-get source gnutls26

to fetch the source for gnutls26-2.12.14, chop out --with-libgcrypt from debian/rules, bump the package version in debian/changelog to 2.12.14-5ubuntu2.1 and rebuild with

  debuild -i -uc -us -b

then I put a checkpoint on the VM and install the package:

  dpkg -i libgnutls26_2.12.14-5ubuntu2.1_amd64.deb

but then sudo works on my LDAP+SSL client.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
This bug no longer pertains to be as it is opened against libgcrypt11 now and to me this is now a GnuTLS backend selection bug.

I put the patched gnutls into this PPA as my preferred solution.

https://launchpad.net/~nutznboltz/+archive/gnutls26-with-nettle
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I meant to type no longer pertains to me not to be. I am unsubscribing from this bug report.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I tested with Ubuntu 12.04 today and the nscd work-around no longer works. The failure occurs with or without running nscd on Ubuntu 12.04.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Branch linked: lp:~nutznboltz/ubuntu/precise/libgcrypt11/fix-lp423252
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Tags added: precise
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Just a follow up to #106. We have been running with the libgcrypt11 patch from #73 with a couple thousand openldap and AD users using Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no troubles.
Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Thanks a lot, works like a charm. I wish I could be of any help to you, saved me a lot of time.

2011/10/4 cdmiller cdmil...@adams.edu:
> Just a follow up to #106. We have been running with the libgcrypt11 patch from #73 with a couple thousand openldap and AD users using Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no troubles.

Status in Release Notes for Ubuntu: Fix Released
Status in “eglibc” package in Ubuntu: Invalid
Status in “libgcrypt11” package in Ubuntu: Confirmed
Status in “libnss-ldap” package in Ubuntu: Invalid
Status in “sudo” package in Ubuntu: Invalid
Status in “eglibc” source package in Lucid: Invalid
Status in “libgcrypt11” source package in Lucid: Confirmed
Status in “libnss-ldap” source package in Lucid: Invalid
Status in “sudo” source package in Lucid: Invalid
Status in “eglibc” source package in Maverick: Invalid
Status in “libgcrypt11” source package in Maverick: Confirmed
Status in “libnss-ldap” source package in Maverick: Confirmed
Status in “sudo” source package in Maverick: Invalid
Status in “eglibc” source package in Karmic: Invalid
Status in “libgcrypt11” source package in Karmic: Won't Fix
Status in “libnss-ldap” source package in Karmic: Invalid
Status in “sudo” source package in Karmic: Invalid
Status in “libgcrypt11” package in Debian: Confirmed
Status in “sudo” package in Debian: Confirmed
Status in “sudo” package in Kairos Linux: Confirmed

Bug description:

On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root.

Default nsswitch.conf:

    passwd: compat
    group: compat
    shadow: compat

    matt@box:~$ sudo uname -a
    [sudo] password for matt:
    Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
    matt@box:~$ su -
    Password:
    root@box:~#

Modified nsswitch.conf with 'ldap' before 'compat':

    passwd: ldap compat
    group: ldap compat
    shadow: ldap compat

    matt@box:~$ sudo uname -a
    sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
    matt@box:~$ su -
    Password:
    setgid: Operation not permitted

Modified nsswitch.conf with 'ldap' after 'compat':

    passwd: compat ldap
    group: compat ldap
    shadow: compat ldap

    matt@box:~$ sudo uname -a
    [sudo] password for matt:
    Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
    matt@box:~$ su -
    Password:
    root@box:~#

The same arrangements in nsswitch.conf work as expected in Jaunty and earlier releases.

Lucid Release Note:

== NSS via LDAP+SSL breaks setuid applications like sudo ==

Upgrading systems configured to use ldap over ssl as the first service in the nss stack (in nsswitch.conf) leads to a broken nss resolution for setuid applications after the upgrade to Lucid (for example sudo would stop working). There isn't any simple workaround for now. One option is to switch to libnss-ldapd in place of libnss-ldap before the upgrade. Another one consists in using nscd before the upgrade.
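The release note above ties the breakage to ldap being the first service in the NSS stack. As an added example (not part of the bug report or of any Ubuntu tooling), the shell functions below list the passwd, group and shadow databases whose first source in a given nsswitch.conf is ldap. The function names and the sample files are constructed here, and the check covers only source ordering, not whether the LDAP connection uses SSL.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# ldap_first_dbs FILE
# Prints passwd/group/shadow, one per line, for each database whose FIRST
# source is "ldap". Exit status 0 if at least one is found, 1 otherwise.
ldap_first_dbs() {
    awk '
        {
            sub(/#.*/, "")                    # strip comments
            n = index($0, ":")
            if (n == 0) next                  # not a "database: sources" line
            db = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", db)
            if (db != "passwd" && db != "group" && db != "shadow") next
            cnt = split(substr($0, n + 1), src, " ")
            if (cnt > 0 && src[1] == "ldap") { print db; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_samples DIR
# Constructed sample files mirroring the three orderings in the bug description.
write_samples() {
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$1/default.conf"
    printf 'passwd: ldap compat\ngroup: ldap compat\nshadow: ldap compat\n' > "$1/ldap_first.conf"
    printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' > "$1/ldap_last.conf"
}

# audit FILE
# One-line verdict suitable for a pre-upgrade checklist.
audit() {
    if dbs=$(ldap_first_dbs "$1"); then
        echo "ldap listed first for: $(echo $dbs)"
    else
        echo "ok: ldap is not the first source"
    fi
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in default ldap_first ldap_last; do
    printf '%s: %s\n' "$f" "$(audit "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

On a real host, pass the system's nsswitch.conf to audit before the upgrade.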
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Changed in: libnss-ldap (Ubuntu Maverick)
   Status: New => Confirmed
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Also affects: eglibc (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: libgcrypt11 (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: libnss-ldap (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: sudo (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Changed in: eglibc (Ubuntu Maverick)
   Status: New => Invalid

** Changed in: libgcrypt11 (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: libgcrypt11 (Ubuntu Maverick)
   Status: New => Triaged

** Changed in: libgcrypt11 (Ubuntu Maverick)
   Milestone: None => maverick-updates

** Changed in: sudo (Ubuntu Maverick)
   Status: New => Invalid

** Changed in: libgcrypt11 (Ubuntu)
   Status: Triaged => Confirmed

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Status: Triaged => Won't Fix

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: Triaged => Confirmed

** Changed in: libgcrypt11 (Ubuntu Maverick)
   Status: Triaged => Confirmed
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Changed in: libgcrypt11 (Ubuntu Maverick)
   Assignee: (unassigned) => Canonical Foundations Team (canonical-foundations)

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Assignee: (unassigned) => Canonical Foundations Team (canonical-foundations)
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I also tested a patched libgcrypt11 package according to comment #73. I can now su from a local user to a non-local user and have a non-local user use sudo (sudo-ldap).
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
I just tried Howard's patch from #73 this morning, using the libgcrypt11_1.4.4-5ubuntu2_amd64.deb source files to roll a new libgcrypt11 package. I can now su to root from accounts not in the local password file database, before I could not. That was on a Lucid 10.04.2 LTS vm. Next week sometime we might be able to test Apache2/phpsuexec for a larger base of user accounts.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Building the openldap source with openssl instead of gnutls libraries and installing the resulting libldap package works here.
Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
On Wed, Mar 23, 2011 at 08:35:56PM -, Peter Matulis wrote:
> Building the openldap source with openssl instead of gnutls libraries and installing the resulting libldap package works here.

Yes, but that results in combinations of software that are not redistributable in the archive because there's GPL software that uses libldap.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Yeah it was more as confirmation. I'm going to test a patched libgcrypt (comment #73) next.
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Bug still present in Maverick 10.10. This is the output with debug option enabled:

    $ sudo -u news /usr/sbin/fetchnews
    LDAP Config Summary
    ===
    uri              ldap://127.0.0.1/
    ldap_version     3
    sudoers_base     ou=sudoers,dc=homelinux,dc=doma
    binddn           (anonymous)
    bindpw           (anonymous)
    timelimit        30
    ssl              (no)
    ===
    sudo: ldap_initialize(ld, ldap://127.0.0.1/)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 30
    sudo: ldap_sasl_bind_s() ok
    sudo: found:cn=defaults,ou=sudoers,dc=homelinux,dc=doma
    sudo: ldap sudoOption: 'timestamp_timeout=30'
    sudo: ldap sudoOption: 'env_reset'
    sudo: setuid(): Operation not permitted
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
For completeness' sake, another bug tracker with the same issue:

https://bugs.g10code.com/gnupg/issue1181

** Bug watch added: GnuPG Bugs #1181
   https://bugs.g10code.com/gnupg/issue1181
[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
** Summary changed:

- NSS using LDAP+SSL breaks setuid applications like su and sudo
+ NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd