[Bug 1584485] Re: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
Rafael David Tinoco
rafael.tinoco at canonical.com
Wed May 25 02:27:32 UTC 2016
** Patch added: "xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff"
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
Upgrading samba to latest security fixes together with winbind in
nsswitch.conf can harm entire OS
Status in samba package in Ubuntu:
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
* Comment #1 (to upgrade samba)
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
* Original Bug Description:
It was brought to my attention that, because of latest security fixes
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
group: winbind compat
(winbind is usually used after compat, in this case it was used
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
$ sudo apt-get update
Leading into an unusable system in the following state:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
with "pam-auth-update") before ANY attempt of upgrading samba to
To manage notifications about this bug go to:
More information about the foundations-bugs