[Bug 1677329] Re: libpam-winbind: unable to dlopen
Brian Murray
brian at ubuntu.com
Fri Aug 4 18:11:59 UTC 2017
Hello Mario, or anyone else affected,
Accepted samba into zesty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.5
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-zesty to verification-done-zesty. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-zesty. In either case, details of your testing
will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: samba (Ubuntu Zesty)
Status: In Progress => Fix Committed
** Tags added: verification-needed verification-needed-zesty
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1677329
Title:
libpam-winbind: unable to dlopen
Status in samba package in Ubuntu:
Fix Released
Status in samba source package in Zesty:
Fix Committed
Bug description:
[Impact]
The pam_winbind.so module is unusable in zesty. It won't load because
of missing symbols:
Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to
dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open
shared object file: No such file or directory
This is due to the (re)introduction of patch fix-1584485.patch which
changes the way this module is built, trying to statically link some
libraries. That linking was incorrectly done.
The patch was subsequently removed, but later added back again by
mistake during a sync.
A new version of the patch exists
(https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/323767),
but upstream (Samba and Debian) isn't very fond of such a change and
asked me to submit it for discussion to the samba-technical mailing
list (https://lists.samba.org/archive/samba-technical/2017-June/121139.html).
That was done, but since this could take some time, we decided it's
best to revert the patch again.
[Test Case]
In a zesty machine/container:
* sudo apt install libpam-winbind winbind samba
* tail -f /var/log/auth.log
* perform a login on this machine. Via ssh, for example
* the broken version will log this:
Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
* The fixed version will load pam_winbind.so just fine, but won't log anything (unless you fully set up winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs:
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] ENTER: pam_sm_open_session (flags: 0x0000)
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
[Regression Potential]
This reversal has been done before and worked. Right now, the biggest
regression potential is to add the broken patch back again.
Reversing this patch will also reintroduce bug #1584485, but I think
the configuration that leads to that bug is asking for trouble and I
stated as such in a comment
(https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/43).
"winbind" should be listed after "files" or "compat", not before.
That being said, it is my opinion that having a working pam_winbind
module benefits more users than the number of users that could be
affected by the particular configuration that leads to #1584485.
[Other Info]
Sorry for keeping both bugs open (#1644428 and #1677329), but the
history on this issue is a bit complicated with multiple SRUs and
regressions.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1677329/+subscriptions
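
The log check from the [Test Case] above, as an added example that is not part of the bug report or the Samba packaging: a shell function that reads auth.log text on stdin and reports which outcome the most recent pam_winbind evidence shows. The function names and verdict strings are assumptions, and the sample lines are constructed from the log excerpts quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): automate the [Test Case] log check.
# Reads auth.log text on stdin and prints one verdict, decided by the LAST
# matching line so that failures logged before the upgrade do not mask a fix:
#   broken       - PAM failed to dlopen pam_winbind.so
#   loaded       - pam_winbind debug trace shows a pam_sm_* entry or exit
#   inconclusive - no evidence (the fixed module is silent without "debug")
classify_pam_winbind() {
    awk '
        /PAM unable to dlopen\(pam_winbind\.so\)/        { verdict = "broken" }
        /pam_winbind\([^)]*\): .*(ENTER|LEAVE): pam_sm_/ { verdict = "loaded" }
        END { print (verdict == "" ? "inconclusive" : verdict) }
    '
}

# Constructed sample input, built from the log excerpts quoted in the report.
sample_broken() {
    cat <<'EOF'
Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
EOF
}

sample_loaded() {
    cat <<'EOF'
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] ENTER: pam_sm_open_session (flags: 0x0000)
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
EOF
}

# Demo over the constructed samples; the third case is a log that spans the
# package upgrade, where the old failure is followed by a successful load.
echo "before fix:        $(sample_broken | classify_pam_winbind)"
echo "after fix + debug: $(sample_loaded | classify_pam_winbind)"
echo "upgrade in place:  $( { sample_broken; sample_loaded; } | classify_pam_winbind)"
```

On a test machine, run `classify_pam_winbind < /var/log/auth.log` after the login attempt; an "inconclusive" result means "debug" still needs to be added to the pam_winbind.so lines before the package can be marked verified.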