← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

 

** Changed in: samba (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1584485

Title:
  Upgrading samba to latest security fixes together with winbind in
  nsswitch.conf can harm entire OS

Status in samba package in Ubuntu:
  Incomplete
Status in samba source package in Trusty:
  Fix Released
Status in samba source package in Xenial:
  Fix Committed
Status in samba source package in Yakkety:
  Fix Committed
Status in samba package in Debian:
  Fix Released

Bug description:
  [Impact]

  * Upgrading samba when using winbind as NSS service can break OS.
  * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version different between winbind and libraries.

  [Test Case 1]

  Verify that the regression reported in bug 1644428 has not recurred.

  [Test Case 2]

  1) Start an ubuntu Trusty container
  2) cp /etc/apt/sources.list /etc/apt/sources.list.back
  3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
  4) sudo apt-get update
  5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
  6) Set /etc/nsswitch.conf to : passwd: winbind compat
  7) Restart the services
     7.1) sudo restart smbd
     7.2) sudo restart nmbd
     7.3) sudo restart winbind
  8) cp /etc/apt/sources.list.back /etc/apt/sources.list
  9) sudo apt-get update
  7) sudo apt-get install samba winbind libnss-winbind libpam-winbind

  While installing, you will see things similar to this :

  > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
  > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
  > -unpack):
  >  subprocess dpkg-deb --control returned error exit status 2
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped

  [Regression Potential]

  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change

  [Other Info]

  * Original Bug Description:

  It was brought to my attention that, because of latest security fixes
  for samba:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).

  ----

  How to reproduce easily:

  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat

  (winbind is usually used after compat, in this case it was used
  before)

  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
  a:

  $ sudo apt-get update

  and FINALLY:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

  Leading into an unusable system in the following state:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

  ## state

  Workaround:

  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
  with "pam-auth-update") before ANY attempt of upgrading samba to
  latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions