[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Rafael David Tinoco
rafael.tinoco at canonical.com
Sun May 22 15:42:15 UTC 2016
## state
inaddy at winbindsegfault:~$ dpkg -l | grep -i samba
iU libnss-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 amd64 Samba nameservice integration plugins
ii libwbclient0:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba winbind client library
ii python-samba 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Python bindings for Samba
ii samba 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.1.6+dfsg-1ubuntu2.14.04.13 all common files used by both the Samba server and client
ii samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba common files used by both the server and the client
iU samba-dsdb-modules 2:4.3.9+dfsg-0ubuntu0.14.04.1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba core libraries
ii samba-vfs-modules 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba Virtual FileSystem plugins
** Description changed:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
- """
-
- """
+ https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
+ https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
+
## state
-
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
"pam-auth-update") before ANY attempt of upgrading samba to latest
version.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485
Title:
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
Confirmed
Bug description:
It was brought to my attention that, because of latest security fixes
for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
latest version.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions
More information about the foundations-bugs
mailing list