[Bug 1644428] Re: Unable to log in with AD account after update

Andreas Hasenack andreas at canonical.com
Wed Jun 21 13:26:12 UTC 2017 

** Description changed:

- After performing a system update one of my users was no longer able to
- authenticate against Active Directory. This is on a Ubuntu 14.04 on
- amd64.
+ [Impact]
  
- The error in /var/log/auth.log was:
+ The pam_winbind.so module is unusable in zesty. It won't load because of
+ missing symbols:
  
- Nov 24 15:08:06 haggerstone lightdm: PAM unable to
+ Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to
  dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared
  object file: No such file or directory
  
- I tried rebooting thinking something broke during the update, but I got
- the same error.
+ This is due to the (re)introduction of patch fix-1584485.patch which
+ changes the way this module is built, trying to statically link some
+ libraries. That linking was incorrectly done.
  
- I checked against my PC and saw that there were updates pending for the
- samba packages. I used the version numbers on my PC to perform a
- downgrade to 2:4.3.11+dfsg-0ubuntu0.14.04.1 and the problem went away.
+ The patch was subsequently removed, but later added back again by
+ mistake during a huge sync.
  
- The affected version is 2:4.3.11+dfsg-0ubuntu0.14.04.2
+ A new version of the patch exists, but upstream (Samba) isn't very fond
+ of such a change and asked to submit it for discussion to the samba-
+ technical mailing list.
+ 
+ That was done, but since this could take some time, we decided it's best
+ to revert the patch one more time.
+ 
+ 
+ [Test Case]
+ 
+ In a zesty machine/container:
+  * sudo apt install libpam-winbind winbind samba
+  * tail -f /var/log/auth.log
+  * perform a login on this machine. Via ssh, for example
+  * the broken version will log this:
+ Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
+  * The fixed version will load winbind just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs
+ 
+ 
+ [Regression Potential] 
+ 
+ This reversal has been done before and worked. Right now, the biggest
+ regression potential is to add the broken patch back again.
+ 
+ 
+ [Other Info]
+ Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1644428

Title:
  Unable to log in with AD account after update

Status in samba package in Ubuntu:
  Fix Released
Status in samba source package in Trusty:
  Fix Released
Status in samba source package in Zesty:
  In Progress

Bug description:
  [Impact]

  The pam_winbind.so module is unusable in zesty. It won't load because
  of missing symbols:

  Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to
  dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open
  shared object file: No such file or directory

  This is due to the (re)introduction of patch fix-1584485.patch which
  changes the way this module is built, trying to statically link some
  libraries. That linking was incorrectly done.

  The patch was subsequently removed, but later added back again by
  mistake during a huge sync.

  A new version of the patch exists, but upstream (Samba) isn't very
  fond of such a change and asked to submit it for discussion to the
  samba-technical mailing list.

  That was done, but since this could take some time, we decided it's
  best to revert the patch one more time.

  
  [Test Case]

  In a zesty machine/container:
   * sudo apt install libpam-winbind winbind samba
   * tail -f /var/log/auth.log
   * perform a login on this machine. Via ssh, for example
   * the broken version will log this:
  Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
   * The fixed version will load winbind just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs

  
  [Regression Potential] 

  This reversal has been done before and worked. Right now, the biggest
  regression potential is to add the broken patch back again.

  
  [Other Info]
  Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428/+subscriptions

More information about the foundations-bugs mailing list