Bug#1130068: should not recommend libnss-winbind/libpam-winbind

2026-03-08 Thread Steinar H. Gunderson
On Sun, Mar 08, 2026 at 12:38:59PM +0300, Michael Tokarev wrote:
> However, I'm not at all sure about nss-winbind.  I just don't
> know if AD-DC uses it or not.

I've run Samba 4 DCs basically since the alpha stage and never used
nss-winbind, so I don't think they're essential by any means, at least.

> I don't know if it's possible to address this in trixie (definitely not
> in the upcoming 13.4 release as it will happen next week already).  But
> I'll fix this for forky at least.

Yeah, sorry for not catching it before trixie release. :-)

/* Steinar */
-- 
Homepage: https://www.sesse.net/



Bug#1130068: should not recommend libnss-winbind/libpam-winbind

2026-03-08 Thread Michael Tokarev

Control: severity -1 important
Control: tag -1 + confirmed

On 08.03.2026 11:15, Steinar H. Gunderson wrote:

> Package: samba-ad-dc
> Version: 2:4.22.6+dfsg-0+deb13u1
> Severity: normal
>
> Hi,
>
> If you do as the trixie release notes say, and “apt install samba-ad-dc”
> on your DC upgrade, you will (more or less silently) get libnss-winbind
> and libpam-winbind on your DC. This means that by default (i.e., unless
> you add some extra restrictions somewhere), every user on your domain
> can log into your DC.


Actually this is worse.  When splitting samba-ad-dc out of samba,
besides the release notes, I also added Recommends: samba-ad-dc to
the samba package, - in the hope that for those who used samba with
DC functionality, no extra package installation will be required
(and it works).

However, as you correctly noted, samba-ad-dc recommends libpam-winbind
and libnss-winbind - which means that now, for everyone who used to have
samba installed for any reason, the pam+nss winbind modules are installed
*too*.

And this leads to somewhat unusual password prompts, strange error
messages when the password is incorrect, and so on.  All these are cosmetics,
but the problem is actually much deeper, as you noted above.

I never thought about it all this way.  And yes, you're right,
pam-winbind isn't needed for ad-dc in any way.

However, I'm not at all sure about nss-winbind.  I just don't
know if AD-DC uses it or not.


> This is an unusual configuration; pretty much every DC I've seen is
> set up separated from normal users for security reasons. And given that
> the main samba package does _not_ have such a Recommends (winbind itself
> has a Suggests, which sounds like the right thing to me), I'm not sure
> why samba-ad-dc specifically would have it? It doesn't seem to fit with
> what Recommends generally means in Policy (“The Recommends field should
> list packages that would be found together with this one in all but unusual
> installations”; I would assume _installing_ them is the unusual setup).
> Of course you can install them and then set up e.g. group ACLs in
> sshd_config, but it's not obvious to me why this should be the default
> setup.
>
> I must admit I don't even understand why winbind is needed to run a DC,
> but I'm sure there is some internal Samba reason, given that it is a
> Depends. :-)


This is another very good question.  I don't know.

And this is more about documentation, or lack thereof.

It would be excellent to have some comments from the samba team on the
matter, - I'll ask there.

I don't know if it's possible to address this in trixie (definitely not
in the upcoming 13.4 release as it will happen next week already).  But
I'll fix this for forky at least.

Thanks,

/mjt



Bug#1130068: should not recommend libnss-winbind/libpam-winbind

2026-03-08 Thread Steinar H. Gunderson
Package: samba-ad-dc
Version: 2:4.22.6+dfsg-0+deb13u1
Severity: normal

Hi,

If you do as the trixie release notes say, and “apt install samba-ad-dc”
on your DC upgrade, you will (more or less silently) get libnss-winbind
and libpam-winbind on your DC. This means that by default (i.e., unless
you add some extra restrictions somewhere), every user on your domain
can log into your DC. 

This is an unusual configuration; pretty much every DC I've seen is
set up separated from normal users for security reasons. And given that
the main samba package does _not_ have such a Recommends (winbind itself
has a Suggests, which sounds like the right thing to me), I'm not sure
why samba-ad-dc specifically would have it? It doesn't seem to fit with
what Recommends generally means in Policy (“The Recommends field should
list packages that would be found together with this one in all but unusual
installations”; I would assume _installing_ them is the unusual setup).
Of course you can install them and then set up e.g. group ACLs in
sshd_config, but it's not obvious to me why this should be the default
setup.

I must admit I don't even understand why winbind is needed to run a DC,
but I'm sure there is some internal Samba reason, given that it is a
Depends. :-)

-- System Information:
Debian Release: 13.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.18.2 (SMP w/56 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba-ad-dc depends on:
ii  init-system-helpers  1.69~deb13u1
ii  libbsd0  0.12.2-2
ii  libc6                2.41-12+deb13u2
pn  libldb2  
ii  libpopt0 1.19+dfsg-2
ii  libtalloc2   2:2.4.3+samba4.22.8+dfsg-0+deb13u1
pn  libtevent0t64
ii  python3  3.13.5-1
pn  python3-dnspython
pn  python3-samba
pn  samba
pn  samba-dsdb-modules   
pn  samba-libs   
pn  winbind  

Versions of packages samba-ad-dc recommends:
pn  libnss-winbind  
pn  libpam-winbind  
ii  python3-gpg 1.24.2-3
pn  samba-ad-provision  

Versions of packages samba-ad-dc suggests:
pn  bind9 
pn  bind9utils
pn  ldb-tools 
ii  ntpsec [time-daemon]  1.2.3+dfsg1-8
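The report's security point is that libnss-winbind plus libpam-winbind turn every domain account into a local login on the DC unless something (the "group ACLs in sshd_config" mentioned above) narrows it. The script below is an added example written for this page; it is not part of the bug report, of Samba, or of the Debian packaging. It audits that exposure from three files: nsswitch.conf (do passwd/group lookups go through winbind?), the PAM auth stack (is pam_winbind.so loaded?), and sshd_config (is there a global AllowUsers/AllowGroups, as opposed to one scoped inside a Match block?). The function names, the verdict strings and all config snippets are assumptions: the snippets are constructed samples approximating what a stock trixie install and pam-auth-update produce, written to a temp directory so the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian samba packages.
# Audits whether a host lets arbitrary domain users log in via winbind:
# domain accounts resolve through NSS, authenticate through PAM, and sshd
# does not restrict who may log in. File paths are parameters so the checks
# run on the constructed samples below as well as on a real host.

# True when passwd or group lookups go through winbind in nsswitch.conf.
nss_uses_winbind() {
    grep -Eq '^[[:space:]]*(passwd|group):.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# True when the PAM auth stack loads pam_winbind.so.
pam_uses_winbind() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_winbind\.so' "$1"
}

# True when sshd_config has a *global* AllowUsers/AllowGroups directive.
# Everything after the first Match block is scoped to that block, so an
# AllowGroups that only appears under Match does not protect the whole host.
sshd_restricts_logins() {
    sed -n '/^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/q; p' "$1" \
      | grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]'
}

# Verdict for one host (assumed wording): exposed, restricted or local-only.
dc_login_exposure() {
    nss="$1"; pam="$2"; sshd="$3"
    if nss_uses_winbind "$nss" && pam_uses_winbind "$pam"; then
        if sshd_restricts_logins "$sshd"; then
            echo restricted
        else
            echo exposed
        fi
    else
        echo local-only
    fi
}

# --- constructed samples (not copied from any real host) ----------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# nsswitch.conf with winbind appended to passwd/group (what libnss-winbind
# does on install), and the stock local-only layout.
cat > "$tmp/nsswitch.winbind" <<'EOF'
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files systemd
hosts:          files dns
EOF
cat > "$tmp/nsswitch.local" <<'EOF'
passwd:         files systemd
group:          files systemd
shadow:         files systemd
hosts:          files dns
EOF

# /etc/pam.d/common-auth roughly as pam-auth-update lays it out with the
# libpam-winbind profile enabled.
cat > "$tmp/common-auth" <<'EOF'
auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF

# Three sshd_config variants: no restriction, a global AllowGroups (the
# "group ACL" the report mentions), and an AllowGroups hidden inside Match.
cat > "$tmp/sshd.open" <<'EOF'
PasswordAuthentication no
EOF
cat > "$tmp/sshd.hardened" <<'EOF'
PasswordAuthentication no
AllowGroups dc-admins
Match Group dc-admins
    PubkeyAuthentication yes
EOF
cat > "$tmp/sshd.matchonly" <<'EOF'
PasswordAuthentication no
Match Address 10.0.0.0/8
    AllowGroups dc-admins
EOF

echo "winbind + open sshd:      $(dc_login_exposure "$tmp/nsswitch.winbind" "$tmp/common-auth" "$tmp/sshd.open")"
echo "winbind + AllowGroups:    $(dc_login_exposure "$tmp/nsswitch.winbind" "$tmp/common-auth" "$tmp/sshd.hardened")"
echo "winbind + Match-only ACL: $(dc_login_exposure "$tmp/nsswitch.winbind" "$tmp/common-auth" "$tmp/sshd.matchonly")"
echo "no winbind in NSS:        $(dc_login_exposure "$tmp/nsswitch.local" "$tmp/common-auth" "$tmp/sshd.open")"
```

On a real DC, point the three functions at /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/ssh/sshd_config. Two caveats: sshd is only one login path, since pam_winbind also governs console and su logins, so a global AllowGroups narrows the exposure rather than removing it; and the cleanest fix on an existing DC is to not have the modules at all, e.g. by installing with `apt install --no-install-recommends samba-ad-dc` and removing libnss-winbind/libpam-winbind if they already came in through the Recommends.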