[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Rafael David Tinoco
rafael.tinoco at canonical.com
Wed May 25 02:26:15 UTC 2016
According to document:
I added constraints on letting upgrade to happen for:
When winbind is enabled in either /etc/nsswitch.conf or in /etc/pam.d/*
So, whenever trying to upgrade samba you will get something like:
Do you want to continue? [Y/n] y
(Reading database ... 115473 files and directories currently installed.)
Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb ...
You have winbind configured in either NSS (/etc/nsswitch.conf)
or in PAM (/etc/pam.d/*). Before proceeding with the
installation, or upgrade, make sure to disable winbind!
dpkg: error processing archive /var/cache/apt/archives/libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb (--unpack):
subprocess new pre-installation script returned error exit status 1
dpkg: error while cleaning up:
subprocess new post-removal script returned error exit status 1
That will save you from crashing your system because of NSS being
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version difference between winbind and libraries.
* Comment #1 (to upgrade samba)
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(especially if used before compat mechanism).
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
$ sudo apt-get update
Leading into an unusable system in the following state:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
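
The condition this report describes (winbind enabled in /etc/nsswitch.conf or in /etc/pam.d/* while samba is upgraded) can be checked before running apt. The script below is an added example, not the package's preinst script; the function names, the pam_winbind match and the order labels are assumptions of this example, and the sample nsswitch.conf is constructed from the reproduction steps above.

```shell
#!/bin/sh
# Added example, not the samba package's maintainer script. Paths are
# arguments so the check can be run against copies of the real files.

# Print "<database> <order>" for every nsswitch.conf entry listing winbind.
# Comments are dropped and "db:src" is split before the sources are scanned.
nss_winbind_dbs() {
    awk '{ sub(/#.*/, ""); sub(/:/, ": ") }
         /^[ \t]*[A-Za-z_]+:/ {
             db = $1; sub(/:$/, "", db); w = 0; c = 0
             for (i = 2; i <= NF; i++) {
                 if ($i == "winbind" && !w) w = i
                 if ($i == "compat" && !c) c = i
             }
             if (!w) next
             print db, (!c ? "no-compat" : (c < w ? "compat-first" : "winbind-first"))
         }' "$1"
}

# Print the PAM files that have an uncommented line loading pam_winbind.
pam_winbind_files() {
    grep -lE '^[[:space:]]*[^#[:space:]].*pam_winbind' "$1"/* 2>/dev/null
}

# Return 1 (refuse the upgrade) while winbind is configured in NSS or PAM.
samba_upgrade_guard() {
    nss=$(nss_winbind_dbs "$1") || true
    pam=$(pam_winbind_files "$2") || true
    if [ -z "$nss" ] && [ -z "$pam" ]; then return 0; fi
    echo "winbind still configured; disable it before upgrading samba:" >&2
    [ -z "$nss" ] || printf 'NSS: %s\n' "$nss" >&2
    [ -z "$pam" ] || printf 'PAM: %s\n' "$pam" >&2
    return 1
}

# Constructed sample: the nsswitch.conf from the reproduction steps.
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf 'passwd: winbind compat\ngroup: winbind compat\n' > "$demo/nsswitch.conf"
samba_upgrade_guard "$demo/nsswitch.conf" "$demo/pam.d" || echo "upgrade refused"
rm -rf "$demo"
```

On a live system the arguments would be /etc/nsswitch.conf and /etc/pam.d; entries reported as winbind-first are the ordering the report singles out.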