[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

Robert Euhus 1584485 at bugs.launchpad.net
Thu Nov 24 16:24:56 UTC 2016


I have not had the time yet to check the libpam-winbind module in
xenial. But since the patch looks identical from the first look, You
might want to delay it's migration from -proposed until someone has
checked that the module is still working.

I'll try to find time for this tomorrow, but it's not my highest
priority, since we have migrated to sssd for xenial.

Regards,
Robert Euhus

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485

Title:
  Upgrading samba to latest security fixes together with winbind in
  nsswitch.conf can harm entire OS

Status in samba package in Ubuntu:
  Fix Released
Status in samba source package in Trusty:
  In Progress
Status in samba source package in Xenial:
  Fix Committed
Status in samba source package in Yakkety:
  Fix Committed
Status in samba package in Debian:
  New

Bug description:
  [Impact]

  * Upgrading samba when using winbind as NSS service can break OS.
  * Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
  * Huge impact due to big version different between winbind and libraries.

  [Test Case]

  1) Start an ubuntu Trusty container
  2) cp /etc/apt/sources.list /etc/apt/sources.list.back
  3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
  4) sudo apt-get update
  5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
  6) Set /etc/nsswitch.conf to : passwd: winbind compat
  7) Restart the services
     7.1) sudo restart smbd
     7.2) sudo restart nmbd
     7.3) sudo restart winbind
  8) cp /etc/apt/sources.list.back /etc/apt/sources.list
  9) sudo apt-get update
  7) sudo apt-get install samba winbind libnss-winbind libpam-winbind

  While installing, you will see things similar to this :

  > Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
  > dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
  > -unpack):
  >  subprocess dpkg-deb --control returned error exit status 2
  > dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped

  [Regression Potential]

  * "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
  * uninstalling packages and reinstalling would bypass this change

  [Other Info]

  * Original Bug Description:

  It was brought to my attention that, because of latest security fixes
  for samba:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).

  ----

  How to reproduce easily:

  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat

  (winbind is usually used after compat, in this case it was used
  before)

  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
  a:

  $ sudo apt-get update

  and FINALLY:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

  Leading into an unusable system in the following state:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

  ## state

  Workaround:

  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
  with "pam-auth-update") before ANY attempt of upgrading samba to
  latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions



More information about the foundations-bugs mailing list