[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Robert Euhus
1584485 at bugs.launchpad.net
Thu Nov 24 16:24:56 UTC 2016
I have not had the time yet to check the libpam-winbind module in
xenial. But since the patch looks identical at first look, you
might want to delay its migration from -proposed until someone has
checked that the module is still working.
I'll try to find time for this tomorrow, but it's not my highest
priority, since we have migrated to sssd for xenial.
Regards,
Robert Euhus
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
Fix Released
Status in samba source package in Trusty:
In Progress
Status in samba source package in Xenial:
Fix Committed
Status in samba source package in Yakkety:
Fix Committed
Status in samba package in Debian:
New
Bug description:
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version difference between winbind and libraries.
[Test Case]
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(especially if used before the compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
latest version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
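A pre-upgrade check for the nsswitch.conf condition described in the report, added here as an example; it is not part of the bug report or of the samba packaging. The function name and exit codes are hypothetical, and treating "files" like "compat" as a local source is an assumption that goes beyond the report.

```shell
#!/bin/sh
# check_nsswitch FILE (hypothetical helper, example only)
# Prints one line per passwd/group/shadow entry that uses winbind. Returns:
#   0  winbind not used for passwd/group/shadow
#   1  winbind present, listed after compat/files
#   2  winbind listed before compat/files (the ordering in the reproducer)
#   3  file not readable
check_nsswitch() {
    conf=${1:-/etc/nsswitch.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 ~ /^(passwd|group|shadow):$/ {
            wb = 0; loc = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "winbind" && !wb) wb = i
                if (($i == "compat" || $i == "files") && !loc) loc = i
            }
            if (!wb) next                         # database does not use winbind
            if (!loc || wb < loc) {
                print $1, "winbind listed BEFORE compat/files"
                if (rc < 2) rc = 2
            } else {
                print $1, "winbind listed after compat/files"
                if (rc < 1) rc = 1
            }
        }
        END { exit rc + 0 }
    ' "$conf"
}

# Constructed sample matching the nsswitch.conf shown in the report.
sample=$(mktemp)
printf 'passwd: winbind compat\nshadow: compat\ngroup: winbind compat\n' > "$sample"
check_nsswitch "$sample" || echo "status $?: apply the workaround before upgrading samba"
rm -f "$sample"
```

Called without an argument, the function reads /etc/nsswitch.conf, so it can gate an upgrade: proceed only when it returns 0.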