Public bug reported:
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
If you apt install samba-ad-dc with the intent of provisioning a samba
Active Directory Controller, like the ubuntu documentation says[1] for
example, you will also get libpam-winbind and libnss-winbind, as these
are Recommends[2]:
Package: samba-ad-dc
...
Recommends: libnss-winbind, libpam-winbind,
These packages provide the glue to authenticate (pam) and obtain user
information (nss) of Active Directory users and groups. That is unlikely
to be wanted for an Active Directory server: it's unlikely that such a
server would allow regular users to login. Such a system is very
critical, sensitive, and should not just allow all of the users it is
managing in its databases to login.
It's also not recommended that an AD server be used as a file server[3]
(in which case libnss-winbind at least would be necessary). It would be
similar to allow users to login on Kerberos servers (KDC), or LDAP
servers.
Therefore, this bug is to request removal of these Recommends from the
bin:samba-ad-dc package.
In terms of impact, this of course needs a release notes entry.
Regarding functionality of the AD/DC installation, the autopkgtests from
src:samba already exercise AD/DC without these two packages, because
Recommends are not installed by default for autopkgtest dependencies,
and d/t/control does not mention lib{pam,nss}-winbind[6]:
Tests: samba-ad-dc-provisioning-internal-dns
Depends: samba-ad-dc, samba-ad-provision, smbclient, krb5-user, bind9-dnsutils,
lxd | snapd, lsb-release, dctrl-tools, dpkg-dev
Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
Architecture: !i386
Here is link direct to the test log part where the test dependencies are
being installed, and we can see that samba-dc-dc is being installed, but
not lib{pam,nss}-winbind[4].
The DEP8 specification[5] also mentions that the special name
@recommends@ should be used if we want to have the Recommends packages
installed automatically.
1.
https://ubuntu.com/server/docs/how-to/samba/provision-samba-ad-controller/#installation
2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/control#n207
(canonical VPN required for now)
3.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)
4.
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/s/samba/20260317_230407_19312@/log.gz#:~:text=state%20information...%0A2237s-,Solving,-dependencies...%0A2237s%20The
5.
https://salsa.debian.org/ci-team/autopkgtest/raw/master/doc/README.package-tests.rst#:~:text=via%0A%20%20%20%20build%20dependencies.%0A%0A%20%20%20%20%60%60%40-,recommends,-%40%60%60%20stands%20for%20all
6. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/tests/control#n44
(canonical VPN required for now)
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
If you apt install samba-ad-dc with the intent of provisioning a samba
Active Directory Controller, like the ubuntu documentation says[1] for
example, you will also get libpam-winbind and libnss-winbind, as these
are Recommends[2]:
Package: samba-ad-dc
...
Recommends: libnss-winbind, libpam-winbind,
These packages provide the glue to authenticate (pam) and obtain user
information (nss) of Active Directory users and groups. That is unlikely
to be wanted for an Active Directory server: it's unlikely that such a
server would allow regular users to login.
It's also not recommended that an AD server be used as a file server[3]
(in which case libnss-winbind at least would be necessary). It would be
similar to allow users to login on Kerberos servers (KDC), or LDAP
servers.
Therefore, this bug is to request removal of these Recommends from the
bin:samba-ad-dc package.
In terms of impact, this of course needs a release notes entry.
Regarding functionality of the AD/DC installation, the autopkgtests from
src:samba already exercise AD/DC without these two packages, because
Recommends are not installed by default for autopkgtest dependencies.
+
+
+ 1.
https://ubuntu.com/server/docs/how-to/samba/provision-samba-ad-controller/#installation
+ 2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/control#n207
(canonical VPN required for now)
+ 3.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)
** Summary changed:
- samba-ad-dc should not recommend libpam-winbind/libnss-winbind
+ [FFe] samba-ad-dc should not recommend libpam-winbind/libnss-winbind
** Description changed:
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
If you apt install samba-ad-dc with the intent of provisioning a samba
Active Directory Controller, like the ubuntu documentation says[1] for
example, you will also get libpam-winbind and libnss-winbind, as these
are Recommends[2]:
Package: samba-ad-dc
...
Recommends: libnss-winbind, libpam-winbind,
These packages provide the glue to authenticate (pam) and obtain user
information (nss) of Active Directory users and groups. That is unlikely
to be wanted for an Active Directory server: it's unlikely that such a
server would allow regular users to login.
It's also not recommended that an AD server be used as a file server[3]
(in which case libnss-winbind at least would be necessary). It would be
similar to allow users to login on Kerberos servers (KDC), or LDAP
servers.
Therefore, this bug is to request removal of these Recommends from the
bin:samba-ad-dc package.
In terms of impact, this of course needs a release notes entry.
Regarding functionality of the AD/DC installation, the autopkgtests from
src:samba already exercise AD/DC without these two packages, because
Recommends are not installed by default for autopkgtest dependencies.
+ Here is link direct to the test log part where the test dependencies are
+ being installed, and we can see that samba-dc-dc is being installed, but
+ not lib{pam,nss}-winbind[4].
+ The DEP8 specification[5] also mentions that the special name
+ @recommends@ should be used if we want to have the Recommends packages
+ installed automatically.
1.
https://ubuntu.com/server/docs/how-to/samba/provision-samba-ad-controller/#installation
2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/control#n207
(canonical VPN required for now)
3.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)
+ 4.
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/s/samba/20260317_230407_19312@/log.gz#:~:text=state%20information...%0A2237s-,Solving,-dependencies...%0A2237s%20The
+ 5.
https://salsa.debian.org/ci-team/autopkgtest/raw/master/doc/README.package-tests.rst#:~:text=via%0A%20%20%20%20build%20dependencies.%0A%0A%20%20%20%20%60%60%40-,recommends,-%40%60%60%20stands%20for%20all
** Description changed:
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
If you apt install samba-ad-dc with the intent of provisioning a samba
Active Directory Controller, like the ubuntu documentation says[1] for
example, you will also get libpam-winbind and libnss-winbind, as these
are Recommends[2]:
Package: samba-ad-dc
...
Recommends: libnss-winbind, libpam-winbind,
These packages provide the glue to authenticate (pam) and obtain user
information (nss) of Active Directory users and groups. That is unlikely
to be wanted for an Active Directory server: it's unlikely that such a
- server would allow regular users to login.
+ server would allow regular users to login. Such a system is very
+ critical, sensitive, and should not just allow all of the users it is
+ managing in its databases to login.
It's also not recommended that an AD server be used as a file server[3]
(in which case libnss-winbind at least would be necessary). It would be
similar to allow users to login on Kerberos servers (KDC), or LDAP
servers.
Therefore, this bug is to request removal of these Recommends from the
bin:samba-ad-dc package.
In terms of impact, this of course needs a release notes entry.
Regarding functionality of the AD/DC installation, the autopkgtests from
src:samba already exercise AD/DC without these two packages, because
Recommends are not installed by default for autopkgtest dependencies.
Here is link direct to the test log part where the test dependencies are
being installed, and we can see that samba-dc-dc is being installed, but
not lib{pam,nss}-winbind[4].
The DEP8 specification[5] also mentions that the special name
@recommends@ should be used if we want to have the Recommends packages
installed automatically.
1.
https://ubuntu.com/server/docs/how-to/samba/provision-samba-ad-controller/#installation
2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/control#n207
(canonical VPN required for now)
3.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)
4.
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/s/samba/20260317_230407_19312@/log.gz#:~:text=state%20information...%0A2237s-,Solving,-dependencies...%0A2237s%20The
5.
https://salsa.debian.org/ci-team/autopkgtest/raw/master/doc/README.package-tests.rst#:~:text=via%0A%20%20%20%20build%20dependencies.%0A%0A%20%20%20%20%60%60%40-,recommends,-%40%60%60%20stands%20for%20all
** Description changed:
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130068
If you apt install samba-ad-dc with the intent of provisioning a samba
Active Directory Controller, like the ubuntu documentation says[1] for
example, you will also get libpam-winbind and libnss-winbind, as these
are Recommends[2]:
Package: samba-ad-dc
...
Recommends: libnss-winbind, libpam-winbind,
These packages provide the glue to authenticate (pam) and obtain user
information (nss) of Active Directory users and groups. That is unlikely
to be wanted for an Active Directory server: it's unlikely that such a
server would allow regular users to login. Such a system is very
critical, sensitive, and should not just allow all of the users it is
managing in its databases to login.
It's also not recommended that an AD server be used as a file server[3]
(in which case libnss-winbind at least would be necessary). It would be
similar to allow users to login on Kerberos servers (KDC), or LDAP
servers.
Therefore, this bug is to request removal of these Recommends from the
bin:samba-ad-dc package.
In terms of impact, this of course needs a release notes entry.
Regarding functionality of the AD/DC installation, the autopkgtests from
src:samba already exercise AD/DC without these two packages, because
- Recommends are not installed by default for autopkgtest dependencies.
+ Recommends are not installed by default for autopkgtest dependencies,
+ and d/t/control does not mention lib{pam,nss}-winbind[6]:
+
+ Tests: samba-ad-dc-provisioning-internal-dns
+ Depends: samba-ad-dc, samba-ad-provision, smbclient, krb5-user,
bind9-dnsutils, lxd | snapd, lsb-release, dctrl-tools, dpkg-dev
+ Restrictions: needs-root, isolation-machine, allow-stderr, breaks-testbed
+ Architecture: !i386
+
Here is link direct to the test log part where the test dependencies are
being installed, and we can see that samba-dc-dc is being installed, but
not lib{pam,nss}-winbind[4].
The DEP8 specification[5] also mentions that the special name
@recommends@ should be used if we want to have the Recommends packages
installed automatically.
1.
https://ubuntu.com/server/docs/how-to/samba/provision-samba-ad-controller/#installation
2. https://git.launchpad.net/ubuntu/+source/samba/tree/debian/control#n207
(canonical VPN required for now)
3.
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_(Optional)
4.
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/s/samba/20260317_230407_19312@/log.gz#:~:text=state%20information...%0A2237s-,Solving,-dependencies...%0A2237s%20The
5.
https://salsa.debian.org/ci-team/autopkgtest/raw/master/doc/README.package-tests.rst#:~:text=via%0A%20%20%20%20build%20dependencies.%0A%0A%20%20%20%20%60%60%40-,recommends,-%40%60%60%20stands%20for%20all
+ 6.
https://git.launchpad.net/ubuntu/+source/samba/tree/debian/tests/control#n44
(canonical VPN required for now)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2144939
Title:
[FFe] samba-ad-dc should not recommend libpam-winbind/libnss-winbind
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2144939/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
