[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2018-04-10 Thread Mathieu Parent
(Debian Maintainer here)

If no one comes with a good reason to have winbind listed before compat
(or before files) in nsswitch.conf, I'll add a mandatory check for this
during install or upgrade of libwbclient0 and libnss-winbind.

NB: Maybe this bug should be reopened as the proposed fix was later
reverted (#1677329) ?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1584485

Title:
  Upgrading samba to latest security fixes together with winbind in
  nsswitch.conf can harm entire OS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
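
The ordering check proposed in the message above (winbind listed before compat or files for user and group lookups) could look like the following. This is an added example, not code from the samba packaging or from anyone in this thread; the function names `check_nss_order`, `write_samples` and `demo` and the sample files are constructed for illustration, and reporting a database that lists winbind with no local source at all is an assumption of the example.

```sh
#!/bin/sh
# Added example: report nsswitch.conf databases in which winbind is
# consulted before the local sources (files or compat).

# check_nss_order FILE
#   Prints the name of each risky database (passwd, group), one per line.
#   Returns 0 if local sources come first everywhere, 1 otherwise.
#   Assumption of this example: a database that lists winbind with no
#   files/compat entry at all is reported too.
check_nss_order() {
    awk '
        {
            sub(/#.*/, "")       # drop comments
            sub(/:/, ": ")       # tolerate "passwd:winbind" with no space
        }
        NF == 0 { next }
        $1 != "passwd:" && $1 != "group:" { next }
        {
            db = $1; sub(/:$/, "", db)
            local_pos = 0; wb_pos = 0; n = 0; in_br = 0
            for (i = 2; i <= NF; i++) {
                # Skip action items such as [NOTFOUND=return]; they may
                # contain spaces, e.g. [!UNAVAIL=return SUCCESS=continue].
                if (in_br || $i ~ /^\[/) {
                    in_br = ($i !~ /\]$/)
                    continue
                }
                n++
                if (($i == "files" || $i == "compat") && !local_pos)
                    local_pos = n
                if ($i == "winbind" && !wb_pos)
                    wb_pos = n
            }
            if (wb_pos && (!local_pos || wb_pos < local_pos)) {
                print db
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample inputs (not the attachments from this bug).
write_samples() {
    cat > "$1/risky.conf" <<'EOF'
# winbind ahead of compat, as in the reproducer
passwd:         winbind compat
shadow:         compat
group:          winbind compat
EOF
    cat > "$1/safe.conf" <<'EOF'
passwd:         compat [NOTFOUND=continue] winbind   # local first
group:          files winbind
shadow:         compat
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for f in risky safe; do
        if bad=$(check_nss_order "$tmp/$f.conf"); then
            echo "$f.conf: ok"
        else
            echo "$f.conf: winbind precedes local sources for:" $bad
        fi
    done
    rm -rf "$tmp"
}

demo
```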

[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-08-15 Thread Andreas Hasenack
I have a zesty VM and /tmp is not even in a different mountpoint: it's
part of /. Did you partition your machine manually and mount /tmp with
noexec?



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-08-15 Thread Santiago Gala
Note that when I updated Ubuntu 17.04 to the package referenced by this
bug, it gave an error during install, due to the fact that /tmp is
mounted as noexec in ubuntu 17.04:

Preconfiguring packages ...
Can't exec "/tmp/samba-common.config.YEmyIi": Permission denied at /usr/share/perl/5.24/IPC/Open3.pm line 178.
open2: exec of /tmp/samba-common.config.YEmyIi configure 2:4.5.8+dfsg-0ubuntu0.17.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-07-13 Thread Andreas Hasenack
Marking as incomplete because of comment #43

** Changed in: samba (Ubuntu)
   Status: Triaged => Incomplete



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-07-13 Thread Andreas Hasenack
Reopened the artful (devel) task, as the patch was reverted in
2:4.5.8+dfsg-2ubuntu2



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-07-13 Thread Andreas Hasenack
Revised fix-1584485.patch that includes a missing library in the static
build to fix bug #1677329. Patch submitted upstream to samba-technical
awaiting feedback.

** Patch added: "fix-1584485-take2.patch"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4914111/+files/fix-1584485-take2.patch

** Changed in: samba (Ubuntu)
   Status: Fix Released => Triaged



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-06-26 Thread Andreas Hasenack
The patch was reverted in artful, and will be reverted for the other
affected releases because of the regression it introduced: bug #1677329,
bug #1644428

Feedback from upstream was requested:
https://lists.samba.org/archive/samba-technical/2017-June/121139.html



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2017-06-16 Thread Andreas Hasenack
I can confirm the problem reported originally in this bug (all those
segfaults after the upgrade) only happens if you have winbind listed
first, ahead of files or compat.

Any particular reason why that order was chosen? There will for sure be
a "blip" in the winbind service during the upgrade, and having the
system users fail to be resolved is bound to be catastrophic.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-12-19 Thread Launchpad Bug Tracker
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.4

---
samba (2:4.3.11+dfsg-0ubuntu0.14.04.4) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126

 -- Marc Deslauriers   Mon, 12 Dec 2016 08:40:01 -0500

** Changed in: samba (Ubuntu Trusty)
   Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2123

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2125

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2126



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
The xenial package for libpam-winbind from -proposed is broken as well.
So I recommend stopping it before it gets to -updates (or whatever).

I will not check the package for yakkety, but I don't see why it should
be working when trusty and xenial are broken.

Is there anything I can do to help debugging the problem? Reverting the
patch 'fixes' my problem, but does not really solve the original issue.

Regards,
Robert Euhus



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/var/log/samba/log.wb-MYAD"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783094/+files/log.wb-MYAD



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/var/log/samba/log.winbindd"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783093/+files/log.winbindd



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
Here is the relevant part from auth.log, which imho has a misleading
error message.

** Attachment added: "/var/log/auth.log"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783092/+files/auth.log



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/nsswitch.conf"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783062/+files/nsswitch.conf



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
Our setup is the following:
- The ubuntu client is joined to a MS-AD-Domain (called 'MYAD' here)
- Users from the domain can log in via winbind using their domain credentials
- Winbind is set up to use cached logins (which I think is irrelevant here)
- nsswitch uses compat first, winbind then

I will attach the corresponding config files.

Yours, Robert Euhus

** Attachment added: "Samba/Winbind config file /etc/samba/smb.conf"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783042/+files/smb.conf



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/pam.d/common-password"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783048/+files/common-password



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/pam.d/common-session"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783046/+files/common-session



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/pam.d/common-auth"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783044/+files/common-auth



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/pam.d/common-account"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783045/+files/common-account



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robert Euhus
** Attachment added: "/etc/security/pam_winbind.conf"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783043/+files/pam_winbind.conf



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-25 Thread Robie Basak
** Description changed:

  [Impact]
  
  * Upgrading samba when using winbind as NSS service can break OS.
  * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version different between winbind and libraries.
  
- [Test Case]
+ [Test Case 1]
+ 
+ Verify that the regression reported in bug 1644428 has not recurred.
+ 
+ [Test Case 2]
  
  1) Start an ubuntu Trusty container
  2) cp /etc/apt/sources.list /etc/apt/sources.list.back
  3) Disable the trusty-updates and trusty-security archives in 
/etc/apt/sources.list
  4) sudo apt-get update
  5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
  6) Set /etc/nsswitch.conf to : passwd: winbind compat
  7) Restart the services
-7.1) sudo restart smbd
-7.2) sudo restart nmbd
-7.3) sudo restart winbind
+    7.1) sudo restart smbd
+    7.2) sudo restart nmbd
+    7.3) sudo restart winbind
  8) cp /etc/apt/sources.list.back /etc/apt/sources.list
  9) sudo apt-get update
  7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
  
  While installing, you will see things similar to this :
  
  > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over 
(2:4.1.6+dfsg-1ubuntu2) ...
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), 
core dumped
  > dpkg: error processing archive 
/var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb
 (-
  > -unpack):
  >  subprocess dpkg-deb --control returned error exit status 2
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), 
core dumped
  
  [Regression Potential]
  
  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change
  
  [Other Info]
  
  * Original Bug Description:
  
  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
  
  Leading into an unusable system in the following state:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
  
  ## state
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.
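
Review bot: The new [Test Case 1] states only "Verify that the regression reported in bug 1644428 has not recurred" and gives no steps or expected result, so a verifier cannot tell what to run or what counts as a pass; list the concrete steps and the expected outcome the way [Test Case 2] does. In [Test Case 2] the final install step is still numbered "7)" after step 9, duplicating the number of the "Restart the services" step, and should be renumbered to 10.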


[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-24 Thread Robert Euhus
I have not had the time yet to check the libpam-winbind module in
xenial. But since the patch looks identical from the first look, you
might want to delay its migration from -proposed until someone has
checked that the module is still working.

I'll try to find time for this tomorrow, but it's not my highest
priority, since we have migrated to sssd for xenial.

Regards,
Robert Euhus



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-24 Thread Martin Pitt
Reopening for trusty as the change was reverted in bug 1644428.

** Changed in: samba (Ubuntu Trusty)
   Status: Fix Released => In Progress

** Tags removed: verification-done-trusty
** Tags added: verification-failed

** Tags removed: verification-needed



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-24 Thread Jorge Niedbalski
@euhus-liste1, @ian-gordon,

- Could you please describe the error that you are experiencing (provide
logs, your configuration, etc) in order to replicate the issue?

Thanks.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-24 Thread Robert Euhus
Hello,

this change breaks PAM authentication via libpam-winbind completely in
trusty. I have just checked it with a fresh install.

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428

Have you tried using libpam-winbind after making this change?

Regards,
Robert Euhus



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-24 Thread Ian Gordon
With version 2:4.3.11+dfsg-0ubuntu0.14.04.2 installed, libpam-winbind no longer
talks to winbind. This means all authentication which involves PAM is failing
for us. I have reverted to 2:4.3.11+dfsg-0ubuntu0.14.04.1 temporarily.

Is there anything I can do to help you debug this problem?



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-23 Thread Launchpad Bug Tracker
This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.2

---
samba (2:4.3.11+dfsg-0ubuntu0.14.04.2) trusty; urgency=medium

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
   to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski   Wed, 09 Nov 2016 15:09:11 +0100

** Changed in: samba (Ubuntu Trusty)
   Status: Fix Committed => Fix Released



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-10 Thread Jorge Niedbalski
OK, I have verified that the trusty-proposed version fixes the reported
issue.

The steps ran for verification:

1) Start an Ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
   7.1) sudo restart smbd
   7.2) sudo restart nmbd
   7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind


The segmentation fault mentioned before is not experienced.
Also, with the patch applied:
root@samba:~# ldd /lib/x86_64-linux-gnu/security/pam_winbind.so
 linux-vdso.so.1 => (0x7ffe0bdaf000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fb246748000)
 libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x7fb246539000)
 libtalloc.so.2 => /usr/lib/x86_64-linux-gnu/libtalloc.so.2 (0x7fb24632c000)
 libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x7fb24611e000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fb245d59000)
 /lib64/ld-linux-x86-64.so.2 (0x55695ab59000)
 libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x7fb245b34000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fb24593)

root@samba:~# ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
 linux-vdso.so.1 => (0x7fffe9195000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fd3e84f7000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fd3e8132000)
 /lib64/ld-linux-x86-64.so.2 (0x563f59046000)


** Tags added: verification-done-trusty

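Added example (not part of the bug thread or of the samba packaging): a shell check for the two conditions the thread ties together, winbind listed ahead of compat/files in nsswitch.conf and an NSS/PAM plug-in that still resolves libraries out of samba-libs. The function names, the "/samba/" path heuristic and the "unpatched" ldd sample are assumptions made for the illustration; the nsswitch.conf sample and the patched ldd output are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example; the helper names below are hypothetical.

# Read nsswitch.conf text on stdin and print each of passwd/group/shadow
# that lists "winbind" before any local source ("compat" or "files").
winbind_before_local() {
    awk '
        /^[ \t]*#/ { next }
        {
            sub(/#.*/, "")                      # drop trailing comments
            db = $1
            if (db != "passwd:" && db != "group:" && db != "shadow:") next
            local_seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "compat" || $i == "files") local_seen = 1
                if ($i == "winbind") {
                    if (!local_seen) { sub(/:$/, "", db); print db }
                    break
                }
            }
        }
    '
}

# Read `ldd` output on stdin and print the sonames that resolve into a
# directory named "samba" (assumption: where samba-libs keeps its
# unversioned private libraries).
samba_private_deps() {
    awk '$2 == "=>" && $3 ~ /\/samba\// { print $1 }'
}

# $1 = nsswitch.conf text, $2 = ldd output of the plug-in.
#   ok      : plug-in pulls nothing from samba-libs (the static-link fix)
#   at-risk : dynamic samba-libs dependency and winbind consulted first
#   review  : dynamic dependency, but local sources are consulted first
assess() {
    first=$(printf '%s\n' "$1" | winbind_before_local)
    deps=$(printf '%s\n' "$2" | samba_private_deps)
    if [ -z "$deps" ]; then
        echo ok
    elif [ -n "$first" ]; then
        echo at-risk
    else
        echo review
    fi
}

# nsswitch.conf as quoted in the bug description.
sample_nsswitch() {
    cat <<'EOF'
passwd: winbind compat
shadow: compat
group: winbind compat
EOF
}

# ldd output for libnss_winbind.so.2 with the patch applied, as posted above.
sample_ldd_patched() {
    cat <<'EOF'
 linux-vdso.so.1 => (0x7fffe9195000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fd3e84f7000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fd3e8132000)
 /lib64/ld-linux-x86-64.so.2 (0x563f59046000)
EOF
}

# Constructed sample of a dynamically linked plug-in; the soname, path and
# addresses are illustrative, not taken from the thread.
sample_ldd_unpatched() {
    cat <<'EOF'
 libwinbind-client.so.0 => /usr/lib/x86_64-linux-gnu/samba/libwinbind-client.so.0 (0x0)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)
EOF
}

echo "winbind-first databases: $(sample_nsswitch | winbind_before_local | tr '\n' ' ')"
echo "unpatched plug-in: $(assess "$(sample_nsswitch)" "$(sample_ldd_unpatched)")"
echo "patched plug-in:   $(assess "$(sample_nsswitch)" "$(sample_ldd_patched)")"
```

On a live host the same functions take `winbind_before_local < /etc/nsswitch.conf` and `ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2 | samba_private_deps`.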


[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-10 Thread Martin Pitt
Hello Rafael, or anyone else affected,

Accepted samba into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: samba (Ubuntu Trusty)
   Status: In Progress => Fix Committed



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-10 Thread Martin Pitt
Hello Rafael, or anyone else affected,

Accepted samba into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: samba (Ubuntu Xenial)
   Status: In Progress => Fix Committed



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-09 Thread Martin Pitt
Hello Rafael, or anyone else affected,

Accepted samba into yakkety-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/samba/2:4.4.5+dfsg-2ubuntu5.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: samba (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-11-04 Thread Launchpad Bug Tracker
This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu6

---
samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski   Wed, 02 Nov 2016 13:59:10 +0100

** Changed in: samba (Ubuntu)
   Status: In Progress => Fix Released



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-26 Thread Bug Watch Updater
** Changed in: samba (Debian)
   Status: Unknown => New



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-25 Thread Martin Pitt
** Also affects: samba (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287
   Importance: Unknown
   Status: Unknown



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-18 Thread Jorge Niedbalski
** Patch added: "Xenial Patch for 1584485"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763313/+files/fix-1584485-xenial.debdiff

** Patch removed: "trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669815/+files/trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff

** Patch removed: "wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669816/+files/wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff

** Patch removed: "xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669817/+files/xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff

** Patch removed: "yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669818/+files/yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-18 Thread Jorge Niedbalski
** No longer affects: samba (Ubuntu Precise)

** Changed in: samba (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: samba (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: samba (Ubuntu Xenial)
 Assignee: (unassigned) => Jorge Niedbalski (niedbalski)

** Patch added: "Yakkety Patch for 1584485"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763305/+files/fix-1584485-yakkety.debdiff



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-17 Thread Jorge Niedbalski
Hello,

I've modified the building scripts for compiling libnss-winbind and
libpam-winbind statically against the samba-libs as was suggested by
@infinity.

This fix seems to resolve the issue reported on this bug, and the reproducer is
no longer experienced.

With the patch applied:

root@samba:~# ldd /lib/x86_64-linux-gnu/security/pam_winbind.so
linux-vdso.so.1 =>  (0x7ffe0bdaf000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fb246748000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x7fb246539000)
libtalloc.so.2 => /usr/lib/x86_64-linux-gnu/libtalloc.so.2 (0x7fb24632c000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x7fb24611e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fb245d59000)
/lib64/ld-linux-x86-64.so.2 (0x55695ab59000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x7fb245b34000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fb24593)

root@samba:~# ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
linux-vdso.so.1 =>  (0x7fffe9195000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fd3e84f7000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fd3e8132000)
/lib64/ld-linux-x86-64.so.2 (0x563f59046000)


** Patch added: "Trusty Patch"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4762628/+files/fix-1584485-trusty.debdiff

** Changed in: samba (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: samba (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: samba (Ubuntu Trusty)
 Assignee: (unassigned) => Jorge Niedbalski (niedbalski)



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-17 Thread Louis Bouchard
** Also affects: samba (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: samba (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: samba (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: samba (Ubuntu Yakkety)
   Importance: High
 Assignee: Jorge Niedbalski (niedbalski)
   Status: In Progress



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-10-17 Thread Jorge Niedbalski
** Description changed:

  [Impact]
  
  * Upgrading samba when using winbind as NSS service can break OS.
  * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version different between winbind and libraries.
  
  [Test Case]
  
- * Comment #1 (to upgrade samba)
+ 1) Start an ubuntu Trusty container
+ 2) cp /etc/apt/sources.list /etc/apt/sources.list.back
+ 3) Disable the trusty-updates and trusty-security archives in 
/etc/apt/sources.list
+ 4) sudo apt-get update
+ 5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
+ 6) Set /etc/nsswitch.conf to : passwd: winbind compat
+ 7) Restart the services
+7.1) sudo restart smbd
+7.2) sudo restart nmbd
+7.3) sudo restart winbind
+ 8) cp /etc/apt/sources.list.back /etc/apt/sources.list
+ 9) sudo apt-get update
+ 7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
+ 
+ While installing, you will see things similar to this :
+ 
+ > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over 
(2:4.1.6+dfsg-1ubuntu2) ...
+ > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), 
core dumped
+ > dpkg: error processing archive 
/var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb
 (-
+ > -unpack):
+ >  subprocess dpkg-deb --control returned error exit status 2
+ > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), 
core dumped
  
  [Regression Potential]
  
  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change
  
  [Other Info]
  
  * Original Bug Description:
  
  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
  
  Leading into an unusable system in the following state:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
  
  ## state
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.
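
Review bot: in the added [Test Case] steps the last line is numbered "7)" although it follows "9)", and its command is identical to step 5, so a reader cannot tell that it is the upgrade that triggers the failure; number it "10)" and say that it upgrades the packages from the restored trusty-updates and trusty-security archives. The "sudo restart smbd", "sudo restart nmbd" and "sudo restart winbind" sub-steps only work with upstart, which is worth stating next to "Start an ubuntu Trusty container". The unchanged [Regression Potential] section still describes "preinst" and "postrm" maintainer scripts acting only on upgrade; check that it still matches the fix this test case is meant to verify.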

** Changed in: samba (Ubuntu)
 Assignee: Louis Bouchard (louis-bouchard) => Jorge Niedbalski (niedbalski)



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-08-02 Thread Eric Desrochers
Debian Bug :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287

** Bug watch added: Debian Bug tracker #833287
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-07-08 Thread Louis Bouchard
** Changed in: samba (Ubuntu)
 Assignee: Rafael David Tinoco (inaddy) => Louis Bouchard (louis-bouchard)



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-07-06 Thread Michael Hudson-Doyle
Unsubscribing sponsors until a more viable approach appears. Good luck!



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-21 Thread Rafael David Tinoco
[12:50]  tinoco: The "disable in samba-libs preinst, reenable in samba-libs postinst" approach would also work, but it's (a) potentially very brittle, and (b) likely next to impossible to do for pam-winbind (which probably suffers the same issue as nss-winbind).
[12:51]  infinity: my hope was that pam-auth-update (or any other means) could remove/re-add winbind to nsswitch
[12:51]  but then.. if customer had a tailor-made change of nsswitch.conf.. it would be no good
[12:51]  other choice would be to remove.. but then, if user doing the installation was coming from NSS
[12:51]  things would go bad also
[12:52]  tinoco: Right, nsswitch isn't too hard, but /etc/pam.d/* is an order of magnitude worse.
[12:52]  just like you said before
[12:52]  infinity: definitely
[12:52]  i think statically compiling it for now is the best approach
[12:52]  only way without dealing with infinitive possibilities coming from pam.d/nss



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-21 Thread Rafael David Tinoco
[12:43]  tinoco: pam-winbind and nss-winbind.
[12:43]  tinoco: perhaps file a debian bug also?
[12:44]  definitely. the proposal was to bring the discussion only
[12:44]  tinoco: Only statically linked to samba-libs, of course.  You still want to be dynamically linked to any properly-versioned system libs (like libc).
[12:44]  i wasn't super happy about the approach either
[12:44]  infinity: definitely. gotcha
[12:44]  i'll work on it and provide a new sru suggestion
[12:44]  tks!
[12:45]  tinoco: But yes, in the absence of properly-versioned samba libs, I don't see a better solution.
[12:45]  infinity: yep, me neither. there would be always a time window for things to go bad
[12:45]  tinoco: The best solution would be for upstream to properly version all those little libs in samba-libs, and then break them out into individual packages.
[12:45]  tinoco: But I don't see that happening any time soon, if ever.
[12:46]  ok. i'll document this for future reference (if they ever go that way)
[12:46]  and will fix it on debian also
[12:46]  tks infinity



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-21 Thread Marc Deslauriers
I don't believe the debdiffs provide a valid solution to this issue.
Here is an irc discussion with infinity where he presented a better
solution:

 infinity: I'd appreciate your thoughts on the best way to address bug 1584485
 infinity: that approach doesn't look sane to me, do you have any suggestions for something better?
 mdeslaur: The proposed fix is certainly not reasonable.  I'll ponder the problem over breakfast.
 mdeslaur: Is it a question of ABI breaks, or ABI additions?  It seems the real issue is bad dependencies between libnss-winbind and its deps.
 Oh, because samba-libs is a big blob of libraries that shouldn't be packaged together.
 Whee.
 infinity: if the abi changes, running processes die because they're running with the old version of libnss-winbind
 infinity: I guess abi additions should be fine, but I'm not sure how carefully samba preserves abi between versions
 mdeslaur: Running processes should be fine, it's new processes that explode miserably.  (Well, or running processes calling into NSS anew, but that's still "new", from my POV)
 mdeslaur: But yeah, the problem is clearly a lack of sane ABI versioning on "samba-libs" and, thus, incorrectly weak deps between libnss-winbind and samba-libs.
 mdeslaur: Doesn't look like something one can properly fix in an SRU, since the fix is to actually version the *#^)! libraries correctly.
 oh, right, new processes in that specific case
 mdeslaur: But having samba-libs Break libnss-winbind << Binary-Version, and disable/reenable winbind on preinst/postinst would "work".  Though, gross.
 I thought I saw a bug where existing processes were crashing because of an incompatibility with a newer winbind service
 Existing processes will also explode if they call into NSS fresh, NSS is effectively a dlopen().
 But yeah, I consider dlopen "new processes" from the POV of hunting library ABI issues. :P
 Otherwise my head hurts.
 Anyhow, any solution that halts upgrade with "we notice you have packages installed and you're actually using them correctly; please stop using them" is not sane.
 If it can be automated to disable/reenable, that's vaguely okay, though if their setup relies on winbind resolution working, there's a gap there where the world sucks.
 But better that than crashing, I suppose.
 infinity: but what happens when an existing process is running with an old libnss-winbind, and the winbind package gets upgraded to a version that is not compatible with the old libnss-winbind?
 perhaps that's not a problematic scenario
 mdeslaur: After taking a walk, it occurs to me that in the absence of proper library versioning, the more robust solution might just be for nss-winbind and pam-winbind to be statically linked to samba-libs.
 mdeslaur: That would eliminate the problem, and have the added bonus of not having to pull in a massive samba-libs package just for the small bits that the nss/pam plugins need.
 hrm, that does sound reasonable



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-19 Thread Marc Deslauriers
This isn't a security regression, it's a samba package upgrade issue
that also applies for regular updates. I believe this should be handled
as a SRU.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-17 Thread Sebastien Bacher
unsubscribing the normal sponsors since that should go through security



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-06-06 Thread Mathew Hodson
** Tags added: patch



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-27 Thread Rafael David Tinoco
** Changed in: samba (Ubuntu)
   Status: Confirmed => In Progress



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-24 Thread Rafael David Tinoco
** Patch added: "wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669816/+files/wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-24 Thread Rafael David Tinoco
** Patch added: "trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669815/+files/trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-24 Thread Rafael David Tinoco
** Patch added: "yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669818/+files/yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff

** Description changed:

+ [Impact]
+ 
+ * Upgrading samba when using winbind as NSS can lead to loosing OS.
+ * Probable not noticed if "compat" is BEFORE "winbind" in nsswitch.conf.
+ * Huge impact due to big version different between winbind and libraries.
+ 
+ [Test Case]
+ 
+ * Comment #1 (to upgrade samba)
+ 
+ [Regression Potential]
+ 
+ * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
+ * uninstalling packages and reinstalling would bypass this change
+ 
+ [Other Info]
+ 
+ * Original Bug Description:
+ 
  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
  
  Leading into an unusable system in the following state:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
  
  ## state
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.

** Tags added: sts

** Description changed:

  [Impact]
  
- * Upgrading samba when using winbind as NSS can lead to loosing OS.
- * Probable not noticed if "compat" is BEFORE "winbind" in nsswitch.conf.
+ * Upgrading samba when using winbind as NSS service can break OS.
+ * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version different between winbind and libraries.
  
  [Test Case]
  
  * Comment #1 (to upgrade samba)
  
  [Regression Potential]
  
  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change
  
  [Other Info]
  
  * Original Bug Description:
  
  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
  
  Leading into an unusable system in the following state:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
  
  ## state
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-24 Thread Rafael David Tinoco
** Patch added: "xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669817/+files/xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-24 Thread Rafael David Tinoco
According to the document:

https://wiki.debian.org/MaintainerScripts

I added constraints on letting the upgrade happen for:

libnss-winbind
libpam-winbind
libwbclient0
samba-dsdb-modules
samba-libs
samba
winbind

When winbind is enabled in either /etc/nsswitch.conf or in /etc/pam.d/*
files.

So, whenever trying to upgrade samba you will get something like:



Do you want to continue? [Y/n] y
(Reading database ... 115473 files and directories currently installed.)
Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb ...

Warning:

You have winbind configured in either NSS (/etc/nsswitch.conf)
or in PAM (/etc/pam.d/*). Before proceeding with the
installation, or upgrade, make sure to disable winbind!

dpkg: error processing archive /var/cache/apt/archives/libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb (--unpack):
 subprocess new pre-installation script returned error exit status 1
dpkg: error while cleaning up:
 subprocess new post-removal script returned error exit status 1



That will save you from crashing your system because of NSS being
broken.

Attaching debdiffs...

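The check described in the message above (refuse the upgrade while winbind is active in NSS or PAM) can be sketched as a POSIX shell guard. This is an added example, not the code from the attached debdiffs; the function names, the `db:position` output format and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upgrade guard modelled on the maintainer-script check
# described in the thread. Names and output format are assumptions.

# Print "<database>:<position>" for every nsswitch database listing winbind.
# position: "before" (ahead of compat/files), "after", or "only" (no
# compat/files source on that line).
nss_winbind_dbs() {
    [ -r "$1" ] || return 0
    awk '
    {
        sub(/#.*/, "")                      # strip comments
        c = index($0, ":")
        if (c == 0) next
        db = substr($0, 1, c - 1)
        gsub(/[ \t]/, "", db)
        n = split(substr($0, c + 1), svc)   # whitespace-separated sources
        wb = 0; loc = 0
        for (i = 1; i <= n; i++) {
            if (svc[i] == "winbind" && wb == 0) wb = i
            if ((svc[i] == "compat" || svc[i] == "files") && loc == 0) loc = i
        }
        if (wb == 0) next
        if (loc == 0)      print db ":only"
        else if (wb < loc) print db ":before"
        else               print db ":after"
    }' "$1"
}

# Succeed if any non-comment line in the PAM directory loads pam_winbind.so.
pam_uses_winbind() {
    grep -Eqs '^[[:space:]]*[^#[:space:]].*pam_winbind\.so' "$1"/*
}

# Return 1 (refuse the upgrade) while winbind is configured in NSS or PAM.
# In a preinst this would be:
#   winbind_upgrade_guard /etc/nsswitch.conf /etc/pam.d || exit 1
winbind_upgrade_guard() {
    hits=$(nss_winbind_dbs "$1")
    pam=no
    pam_uses_winbind "$2" && pam=yes
    if [ -z "$hits" ] && [ "$pam" = no ]; then
        return 0
    fi
    echo "winbind is configured: nss=[$(echo $hits)] pam=$pam" >&2
    echo "disable it before upgrading the samba packages" >&2
    return 1
}

# Constructed sample input: the nsswitch.conf from the bug description plus
# a made-up PAM file that references pam_winbind.so.
demo_dir=$(mktemp -d)
printf 'passwd: winbind compat\nshadow: compat\ngroup: winbind compat\n' \
    > "$demo_dir/nsswitch.conf"
mkdir "$demo_dir/pam.d"
printf '# constructed sample\nauth sufficient pam_winbind.so\n' \
    > "$demo_dir/pam.d/common-auth"
if winbind_upgrade_guard "$demo_dir/nsswitch.conf" "$demo_dir/pam.d"; then
    echo "safe to upgrade"
else
    echo "upgrade refused"
fi
rm -rf "$demo_dir"
```

A `before` or `only` result marks the ordering the bug description calls out, where every lookup reaches the winbind module before any local source.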


[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-22 Thread Rafael David Tinoco
$  sudo apt-get --only-upgrade install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
  python-ldb python-samba python-tdb samba-common samba-common-bin
  samba-dsdb-modules samba-libs samba-vfs-modules winbind
Suggested packages:
  bind9 bind9utils ldb-tools smbldap-tools heimdal-clients
The following packages will be upgraded:
  libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
  python-ldb python-samba python-tdb samba samba-common samba-common-bin
  samba-dsdb-modules samba-libs samba-vfs-modules winbind
16 upgraded, 0 newly installed, 0 to remove and 219 not upgraded.
Need to get 8,877 kB of archives.
After this operation, 5,632 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-ldb amd64 1:1.1.24-0ubuntu0.14.04.1 [29.2 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-tdb amd64 1.3.8-0ubuntu0.14.04.1 [10.8 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtdb1 amd64 1.3.8-0ubuntu0.14.04.1 [38.3 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtevent0 amd64 0.9.28-0ubuntu0.14.04.1 [26.2 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-dsdb-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [219 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libnss-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [12.6 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libpam-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [28.2 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [411 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libwbclient0 amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [30.8 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [903 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common-bin amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [508 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common all 2:4.3.9+dfsg-0ubuntu0.14.04.1 [82.9 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [1,068 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-vfs-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [259 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-libs amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [5,144 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libldb1 amd64 1:1.1.24-0ubuntu0.14.04.1 [107 kB]
Fetched 8,877 kB in 14s (594 kB/s)
Preconfiguring packages ...
(Reading database ... 115393 files and directories currently installed.)
Preparing to unpack .../python-ldb_1%3a1.1.24-0ubuntu0.14.04.1_amd64.deb ...
Unpacking python-ldb (1:1.1.24-0ubuntu0.14.04.1) over (1:1.1.16-1ubuntu0.1) ...
Preparing to unpack .../python-tdb_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
Unpacking python-tdb (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
Preparing to unpack .../libtdb1_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libtdb1:amd64 (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
Preparing to unpack .../libtevent0_0.9.28-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libtevent0:amd64 (0.9.28-0ubuntu0.14.04.1) over (0.9.19-1) ...
Preparing to unpack .../samba-dsdb-modules_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
Unpacking samba-dsdb-modules (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libnss-winbind:amd64 (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/libwbclient0_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
 subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal 

[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-22 Thread Rafael David Tinoco
After the upgrade process fails, all programs executing libc functions
depending on NSS will fail:



inaddy@workstation:~/bugs/winbindsegfault/crashes$ ls -ltr 
total 1024 
-rw--- 1 inaddy inaddy 52309 May 21 20:06 winbind.0.crash 
-rw--- 1 inaddy inaddy 52717 May 21 20:06 libwbclient0.0.crash 
-rw--- 1 inaddy inaddy 52094 May 21 20:06 libpam-winbind.0.crash 
-rw-r- 1 inaddy inaddy 75007 May 21 20:06 _bin_tar.0.crash 
-rw--- 1 inaddy inaddy 516096 May 21 20:06 core 
-rw-r- 1 inaddy inaddy 73918 May 21 20:06 _bin_ls.1107.crash 
-rw-r- 1 inaddy inaddy 73430 May 21 20:06 _bin_tar.1107.crash 
-rw-r- 1 inaddy inaddy 40434 May 21 20:06 _usr_lib_openssh_sftp-server.1107.crash
-rw-r- 1 inaddy inaddy 41838 May 21 20:07 _usr_bin_scp.1107.crash 
-rw-r- 1 inaddy inaddy 56520 May 21 20:07 _bin_ps.1107.crash 



(gdb) bt
#0  0x768b8b80 in __pthread_initialize_minimal_internal () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x768b7539 in _init () from /lib/x86_64-linux-gnu/libpthread.so.0
#2  0x76ad0d48 in ?? () from /lib/x86_64-linux-gnu/libnss_compat.so.2
#3  0x77dea0cd in call_init (l=0x6248c0, argc=argc@entry=4, argv=argv@entry=0x7fffe428, env=env@entry=0x7fffe450) at dl-init.c:64
#4  0x77dea215 in call_init (env=0x7fffe450, argv=0x7fffe428, argc=4, l=) at dl-init.c:36
#5  _dl_init (main_map=main_map@entry=0x624d70, argc=4, argv=0x7fffe428, env=0x7fffe450) at dl-init.c:93
#6  0x77deec40 in dl_open_worker (a=a@entry=0x7fffd7d8) at dl-open.c:577
#7  0x77de9fc4 in _dl_catch_error (objname=objname@entry=0x7fffd7c8, errstring=errstring@entry=0x7fffd7d0, mallocedp=mallocedp@entry=0x7fffd7c0, operate=operate@entry=0x77dee970 , args=args@entry=0x7fffd7d8) at dl-error.c:187
#8  0x77dee38b in _dl_open (file=0x7fffda20 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=, nsid=-2, argc=4, argv=0x7fffe428, env=0x7fffe450) at dl-open.c:661
#9  0x7771fe92 in do_dlopen (ptr=ptr@entry=0x7fffd9f0) at dl-libc.c:87
#10 0x77de9fc4 in _dl_catch_error (objname=0x7fffd9d0, errstring=0x7fffd9e0, mallocedp=0x7fffd9c0, operate=0x7771fe50 , args=0x7fffd9f0) at dl-error.c:187
#11 0x7771ff52 in dlerror_run (args=0x7fffd9f0, operate=0x7771fe50 ) at dl-libc.c:46
#12 __GI___libc_dlopen_mode (name=name@entry=0x7fffda20 "libnss_compat.so.2", mode=mode@entry=-2147483647) at dl-libc.c:163
#13 0x7770747d in nss_load_library (ni=0x623b60, ni=0x623b60) at nsswitch.c:399
#14 __GI___nss_lookup_function (ni=0x623b60, fct_name=fct_name@entry=0x7776810a "getpwuid_r") at nsswitch.c:507
#15 0x777076b5 in __GI___nss_lookup (ni=ni@entry=0x7fffdae0, fct_name=fct_name@entry=0x7776810a "getpwuid_r", fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7fffdaf0) at nsswitch.c:239
#16 0x77708280 in __GI___nss_passwd_lookup2 (ni=ni@entry=0x7fffdae0, fct_name=fct_name@entry=0x7776810a "getpwuid_r", fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7fffdaf0) at XXX-lookup.c:75
#17 0x776aa428 in __getpwuid_r (uid=uid@entry=0, resbuf=resbuf@entry=0x779ab280 , buffer=0x623410 "", buflen=1024, result=result@entry=0x7fffdb40) at ../nss/getXXbyYY_r.c:205
#18 0x776a9ba6 in getpwuid (uid=0) at ../nss/getXXbyYY.c:116
#19 0x0040c9fd in ?? ()
#20 0x0040624d in ?? ()
#21 0x00408b19 in ?? ()
#22 0x00403448 in ?? ()
#23 0x7760bf45 in __libc_start_main (main=0x4028c0, argc=4, argv=0x7fffe428, init=, fini=, rtld_fini=, stack_end=0x7fffe418) at libc-start.c:287
#24 0x004048b9 in ?? ()



root@winbindsegfault:~/trusty/samba-4.3.9+dfsg$ ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
/lib/x86_64-linux-gnu/libnss_winbind.so.2: /usr/lib/x86_64-linux-gnu/samba/libwinbind-client.so.0: version `SAMBA_4.3.9_UBUNTU' not found (required by /lib/x86_64-linux-gnu/libnss_winbind.so.2)
linux-vdso.so.1 =>  (0x7ffc271e8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fbdf428)
libwinbind-client.so.0 => /usr/lib/x86_64-linux-gnu/samba/libwinbind-client.so.0 (0x7fbdf4078000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fbdf3cb)
/lib64/ld-linux-x86-64.so.2 (0x7fbdf46c)



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-22 Thread Rafael David Tinoco
A mechanism to remove winbind from /etc/nsswitch.conf before samba
upgrades (since libnss-winbind is kept apart from packages "samba" and
"samba-libs"), OR to fail the upgrade if winbind is being used, should
exist to prevent such a bad thing from happening.



[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

2016-05-22 Thread Rafael David Tinoco
## state

inaddy@winbindsegfault:~$ dpkg -l | grep -i samba
iU  libnss-winbind:amd64   2:4.3.9+dfsg-0ubuntu0.14.04.1    amd64  Samba nameservice integration plugins
ii  libwbclient0:amd64     2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  Samba winbind client library
ii  python-samba           2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  Python bindings for Samba
ii  samba                  2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common           2:4.1.6+dfsg-1ubuntu2.14.04.13   all    common files used by both the Samba server and client
ii  samba-common-bin       2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  Samba common files used by both the server and the client
iU  samba-dsdb-modules     2:4.3.9+dfsg-0ubuntu0.14.04.1    amd64  Samba Directory Services Database
ii  samba-libs:amd64       2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  Samba core libraries
ii  samba-vfs-modules      2:4.1.6+dfsg-1ubuntu2.14.04.13   amd64  Samba Virtual FileSystem plugins

** Description changed:

  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
- """
- 
- """
+ https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
  
  Leading into an unusable system in the following state:
  
+ https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
+ 
  ## state
- 
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.
