Bug#992888: libpam0g: postinst fails on non-systemd services
This might be a misunderstanding. The problem happens during install of the package. If d-i refers to the initial installer then no it isn't a d-i bug On Tue, 24 Aug 2021 12:31:06 -0600 Sam Hartman wrote: > >>>>> "Ray" == Ray Klassen writes: > > Ray> Package: libpam0g Version: 1.4.0-9 Severity: important Tags: > Ray> d-i X-Debbugs-Cc: rklas...@communitascare.com > > Ray> Dear Maintainer, > > How is this a d-i bug? > >
Bug#992888: libpam0g: postinst fails on non-systemd services
Package: libpam0g Version: 1.4.0-9 Severity: important Tags: d-i X-Debbugs-Cc: rklas...@communitascare.com Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these template lines *** -- System Information: Debian Release: 11.0 APT prefers stable-security APT policy: (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-8-amd64 (SMP w/32 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libpam0g depends on: ii debconf [debconf-2.0] 1.5.77 ii libaudit1 1:3.0-2 ii libc6 2.31-13 libpam0g recommends no packages. Versions of packages libpam0g suggests: pn libpam-doc -- debconf information: libpam0g/xdm-needs-restart: libpam0g/restart-failed: * libraries/restart-without-asking: true libpam0g/restart-services: On upgrading from buster to bullseye, libpam09 postinst script insisted on restarting a number of services, but failed on the two services (hylafax and exim) that had no systemd units but were rather started and stopped via systemd's sysv compatibility function. This halted the upgrade and left the server in a semi-crippled state. I was only able to continue the upgrade by extracting the deb and removing references to hylafax and exim from the postinst script.
Bug#934327: libreswan: addconn crash on ipsec.conf
On 2019-08-10 6:34 a.m., Bernhard Übelacker wrote: Hello Ray Klassen, without deeper knowledge of libreswan I tried to reproduce this issue, but it did not show up for me. It might be possible to install the package systemd-coredump. Then in the journal should a backtrace be printed when you repeat the checkconfig, which you could forward to this bug. Additionally the backtrace would contain more function names when the matching debug symbols are installed like described in [1]. This page might give some more pointer how to retrieve more information form that issue. Kind regards, Bernhard [1] https://wiki.debian.org/HowToGetABacktrace#Installing_the_debugging_symbols Further on this. It seems to relate to having esp= in the default 'conn' and overriding it with phase2alg= in a specific 'conn.' I had that crash again on another router and after using phase2alg in both stanzas the problem went away. -- Ray Klassen IT Manager Communitas Supportive Care Society Office 604 850 6608 x331 Mobile 604 308 6215
Bug#934327: libreswan: addconn crash on ipsec.conf
Package: libreswan Version: 3.27-6 Severity: important Dear Maintainer, upgraded to buster from jessie systemctl start ipsec reported a failure narrowed the cause down to addconn crashing as invoked by ipsec.service ran: /usr/lib/ipsec/addconn --config ./ipsec.conf.nioffice --checkconfig result: free(): double free detected in tcache 2 Aborted downloaded the libreswan-3.29 tarball from libreswan wiki and created debian package using make deb. installed 3.29 version deb and problem went away. copied up problem ipsec.conf to router running the stock buster 3.27 and ran addconn --checkconfig against it with the same result. narrowed it down to two lines in the last 'conn' as below with all irrelevant info omitted. conn %default ike=aes256-sha2_512;modp1024 phase2alg=aes256-sha2_512;modp1024 conn site1 ike=aes256-sha2_512;modp1024 phase2alg=aes256-sha2_512;modp1024 conn site2 ike=aes256-sha2_512;modp1024 phase2alg=aes256-sha2_512;modp1024 as the default wasn't really the default anymore, I moved the identical site1 and site2 lines into %default and removed them from the 'site' conns and addconn --checkconfig worked fine. But it really should have been able to parse the original ipsec.conf. -- System Information: Debian Release: 10.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 4.19.0-5-686-pae (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libreswan depends on: ii bind9-host [host]1:9.11.5.P4+dfsg-5.1 ii bsdmainutils 11.1.2+b1 ii debconf [debconf-2.0]1.5.71 ii dns-root-data2019031302 ii host 1:9.10.3.dfsg.P4-12.3+deb9u5 ii iproute2 4.20.0-2 ii iptables 1.8.2-4 ii libaudit11:2.8.4-3 ii libc62.28-10 ii libcap-ng0 0.7.9-2 ii libcurl3-nss 7.64.0-4 ii libevent-2.1-6 2.1.8-stable-4 ii libevent-pthreads-2.1-6 2.1.8-stable-4 ii libldap-2.4-22.4.47+dfsg-3 ii libldns2 1.7.0-4 ii libnspr4 2:4.20-1 ii libnss3 2:3.42.1-1 ii libnss3-tools2:3.42.1-1 ii libpam0g 1.3.1-5 ii libselinux1 2.8-1+b1 ii libsystemd0 241-5 ii libunbound8 1.9.0-2 ii systemd 241-5 Versions of packages libreswan recommends: ii python3 3.7.3-1 libreswan suggests no packages. -- Configuration Files: /etc/init.d/ipsec [Errno 2] No such file or directory: '/etc/init.d/ipsec' /etc/ipsec.conf changed [not included] /etc/ipsec.d/policies/block changed [not included] /etc/ipsec.d/policies/clear changed [not included] /etc/ipsec.d/policies/clear-or-private changed [not included] /etc/ipsec.d/policies/private changed [not included] /etc/ipsec.d/policies/private-or-clear changed [not included] /etc/ipsec.secrets changed [not included] -- no debconf information
Bug#739543: samba-common-bin: Samba 3.6.6 fails on net ads join with ERROR_DNS_INVALID_MESSAGE.
Package: samba-common-bin Version: 2:3.6.6-6+deb7u2 Severity: normal Dear Maintainer, Later versions of Samba 3 (3.6.22) available on the 'sernet' repository function as expected. The computer joins and creates a dns entry. Also the Samba 4 availble on backports works the same way. However this debian shipping version of Samba joins the domain but cannot create the DNS entry. -- System Information: Debian Release: 7.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages samba-common-bin depends on: ii dpkg 1.16.12 ii libc6 2.13-38+deb7u1 ii libcap2 1:2.22-1.2 ii libcomerr21.42.5-1.1 ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u1 ii libk5crypto3 1.10.1+dfsg-5+deb7u1 ii libkrb5-3 1.10.1+dfsg-5+deb7u1 ii libldap-2.4-2 2.4.31-1+nmu2 ii libpopt0 1.16-7 ii libreadline6 6.2+dfsg-0.1 ii libtalloc22.0.7+git20120207-1 ii libtdb1 1.2.10-2 ii libtinfo5 5.9-10 ii libuuid1 2.20.1-5.3 ii libwbclient0 2:3.6.6-6+deb7u2 ii samba-common 2:3.6.6-6+deb7u2 ii zlib1g1:1.2.7.dfsg-13 samba-common-bin recommends no packages. samba-common-bin suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628825: Further
I now know where my problem is coming from.
On upgrade without warning or comment the dpkg script slapd.preinst
inserts the following access rules into the new cn=config configuration
database in the dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by *
break
olcAccess: {1}to dn.exact= by * read
olcAccess: {2}to dn.base=cn=Subschema by * read
If if it's a live system and you depend on the default openldap access
rules ( * by * read ) this is a sudden and (imho rude) change. Obviously
tightening security is admirable, but some warning would be appreciated.
So the problem is not the conversion to 'cn=config' it's the debian package.
--
Ray
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628825: slapd: Failure to continue with authentication as configured.
Package: slapd Version: 2.4.23-7 Severity: important Firewalled system depending on anonymous bind to a local replicated copy of the ldap database. After update to squeeze that functionality is removed. No warning given, and no documentation on a simple way to restore it. Don't want to have passwords littered through configuration files. If you're going to enforce a funky new configuration mechanism. (cn=config) you can at least replicate the actual configuration. -- System Information: Debian Release: 6.0.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages slapd depends on: ii adduser 3.112+nmu2 add and remove users and groups ii coreutils 8.5-1GNU core utilities ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy ii libc6 2.11.2-10Embedded GNU C Library: Shared lib ii libdb4.84.8.30-2 Berkeley v4.8 Database Libraries [ ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries ii libltdl72.2.6b-2 A system independent dlopen wrappe ii libperl5.10 5.10.1-17shared Perl library ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra ii libslp1 1.2.1-7.8OpenSLP libraries ii libwrap07.6.q-19 Wietse Venema's TCP wrappers libra ii lsb-base3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip ii perl [libmime-base64-pe 5.10.1-17Larry Wall's Practical Extraction ii psmisc 22.11-1 utilities that use the proc file s ii unixodbc2.2.14p2-1 ODBC tools libraries Versions of packages slapd recommends: ii libsasl2-modules 2.1.23.dfsg1-7 Cyrus SASL - pluggable authenticat Versions of packages slapd suggests: ii ldap-utils2.4.23-7 OpenLDAP utilities -- Configuration Files: /etc/default/slapd changed: SLAPD_USER=openldap SLAPD_GROUP=openldap SLAPD_PIDFILE= SLAPD_SERVICES=ldap:/// ldapi:/// SLAPD_SENTINEL_FILE=/etc/ldap/noslapd SLAPD_OPTIONS= -- debconf information: * slapd/password1: (password omitted) slapd/internal/adminpw: (password omitted) slapd/internal/generated_adminpw: (password omitted) * slapd/password2: (password omitted) slapd/password_mismatch: slapd/tlsciphersuite: slapd/invalid_config: true shared/organization: sea.mccscs.com slapd/upgrade_slapcat_failure: slapd/slurpd_obsolete: slapd/backend: HDB slapd/dump_database: when needed slapd/allow_ldap_v2: false slapd/no_configuration: false slapd/move_old_database: true slapd/suffix_change: false slapd/dump_database_destdir: /var/backups/slapd-VERSION slapd/purge_database: false slapd/domain: sea.mccscs.com -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#628825: slapd: Failure to continue with authentication as configured.
Sorry if I sound snarky. I am not much of a slapd expert. This thing's is a mail server. When I originally set it up I took a stock slapd.conf file and altered it to enable slurpd replication from my main ldap service. libnss-ldap, exim and dovecot didn't need to bind with a dn and password to retrieve relevant ldap information for authentication and whatnot. Now they do. The new configuration documentation does not have much about it that is easy to find. Used to be when a debian package was going to change significantly on the next version upgrade there was more hand holding in dpkg-configure dialogs and so on. Ray -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
