[Bug 1584485] [NEW] Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

Launchpad Bug Tracker 1584485 at bugs.launchpad.net
Wed May 25 02:34:56 UTC 2016


You have been subscribed to a public bug by Rafael David Tinoco (inaddy):

[Impact]

* Upgrading samba when using winbind as NSS can lead to losing the OS.
* Probably not noticed if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version difference between winbind and libraries.

[Test Case]

* Comment #1 (to upgrade samba)

[Regression Potential]

* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change

[Other Info]

* Original Bug Description:

It was brought to my attention that, because of latest security fixes
for samba:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(especially if used before compat mechanism).

----

How to reproduce easily:

$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat

(winbind is usually used after compat, in this case it was used before)

to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:

$ sudo apt-get update

and FINALLY:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

Leading into an unusable system in the following state:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

## state

Workaround:

DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
"pam-auth-update") before ANY attempt of upgrading samba to latest
version.

** Affects: samba (Ubuntu)
     Importance: High
     Assignee: Rafael David Tinoco (inaddy)
         Status: Confirmed

-- 
Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS
https://bugs.launchpad.net/bugs/1584485
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
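
A pre-upgrade check for the workaround described in the report above, as an added example that is not part of the original bug report or of the samba packaging. It assumes only the passwd, group and shadow databases need checking (the three shown in the report); the function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: list passwd/group/shadow databases in an nsswitch.conf that
# use winbind, and whether winbind is consulted before the local sources.
# Function names and the output labels are assumptions of this example.

winbind_nss_entries() {
    conf=${1:-/etc/nsswitch.conf}
    awk '
        { sub(/#.*/, ""); sub(/:/, ": ") }      # strip comments, split "db:src"
        $1 ~ /^(passwd|group|shadow):$/ {
            db = $1; sub(/:$/, "", db)
            wb = 0; loc = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue        # skip [NOTFOUND=return] actions
                if ($i == "winbind" && !wb) wb = i
                if (($i == "compat" || $i == "files") && !loc) loc = i
            }
            if (!wb) next
            pos = (loc && loc < wb) ? "winbind-after-local" : "winbind-first"
            print db, pos
        }
    ' "$conf"
}

# Exit status 0 only when no checked database references winbind, i.e. the
# workaround from the report has been applied.
samba_upgrade_precheck() {
    found=$(winbind_nss_entries "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" >&2
    return 1
}

# Constructed sample: the configuration shown in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: winbind compat
shadow: compat
group: winbind compat
EOF
winbind_nss_entries "$sample"    # omit the argument to read /etc/nsswitch.conf
rm -f "$sample"
```

Running `samba_upgrade_precheck` with no argument before the upgrade gives a non-zero exit status while winbind is still listed, so it can gate an upgrade script.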


