[Bug 1644428] Re: Unable to log in with AD account after update

Andreas Hasenack andreas at canonical.com
Wed Jun 21 13:26:12 UTC 2017


** Description changed:

- After performing a system update one of my users was no longer able to
- authenticate against Active Directory. This is on a Ubuntu 14.04 on
- amd64.
+ [Impact]
  
- The error in /var/log/auth.log was:
+ The pam_winbind.so module is unusable in zesty. It won't load because of
+ missing symbols:
  
- Nov 24 15:08:06 haggerstone lightdm: PAM unable to
+ Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to
  dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared
  object file: No such file or directory
  
- I tried rebooting thinking something broke during the update, but I got
- the same error.
+ This is due to the (re)introduction of patch fix-1584485.patch which
+ changes the way this module is built, trying to statically link some
+ libraries. That linking was incorrectly done.
  
- I checked against my PC and saw that there were updates pending for the
- samba packages. I used the version numbers on my PC to perform a
- downgrade to 2:4.3.11+dfsg-0ubuntu0.14.04.1 and the problem went away.
+ The patch was subsequently removed, but later added back again by
+ mistake during a huge sync.
  
- The affected version is 2:4.3.11+dfsg-0ubuntu0.14.04.2
+ A new version of the patch exists, but upstream (Samba) isn't very fond
+ of such a change and asked to submit it for discussion to the samba-
+ technical mailing list.
+ 
+ That was done, but since this could take some time, we decided it's best
+ to revert the patch one more time.
+ 
+ 
+ [Test Case]
+ 
+ In a zesty machine/container:
+  * sudo apt install libpam-winbind winbind samba
+  * tail -f /var/log/auth.log
+  * perform a login on this machine. Via ssh, for example
+  * the broken version will log this:
+ Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
+  * The fixed version will load winbind just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs
+ 
+ 
+ [Regression Potential] 
+ 
+ This reversal has been done before and worked. Right now, the biggest
+ regression potential is to add the broken patch back again.
+ 
+ 
+ [Other Info]
+ Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.
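
Review bot: In [Test Case], the last step gives the fixed version no positive signal by default ("won't log anything"), so a pass is only the absence of the dlopen error. Suggest making the addition of "debug" to the pam_winbind.so lines in /etc/pam.d/common-* its own step before the login, so whoever verifies the SRU sees the module being loaded in the logs rather than inferring it. Separately, [Impact] attributes the failure to missing symbols while the quoted log line reads "cannot open shared object file: No such file or directory"; a sentence noting that the logged message does not mention the symbols would keep readers from looking for a missing file.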

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1644428

Title:
  Unable to log in with AD account after update
