Likewise uninstall, Lock login to system

Bug #230466 reported by Froza on 2008-05-14
36
This bug affects 1 person
Affects Status Importance Assigned to Milestone
likewise-open (Ubuntu)
High
Thierry Carrez
Hardy
Undecided
Unassigned

Bug Description

Binary package hint: likewise-open

I install likewise-open to try domain auth, (the system goes very bad) and when uninstall, (apt-get remove likewise-open; apt-get autoremove). I reboot, and i cant login. It says Module unknown or something like this... i search on the web and i will try to fix it... but it this a very bad mistake... more if likewise if published like the solution for bind the linux to an Active Directory.

Regards

John Anderson (john-e-anderson) wrote :

The problem seems to be installing likewise changes /etc/nsswitch.conf and pam, but doesn't revert them if you uninstall, leaving the system in a state where you can't log in.

I'd say this is a pretty big problem

Changed in likewise-open:
status: New → Confirmed
Froza (froza) wrote :

Not only those files... more... i remember like 10 or more... and one in pam.
the likewise backup all the files with a lwidentity.orig or something like that

i solve the problem, rescue mode and running

for a in $(find / -name *lwindentity*); do
ORIG=$(echo $a | awk -F".lwindentity" '{print $1}')
mv $a $ORIG
done

**** Dont remeber very well the -F of awk, i dont remeber the exacts format of the files ******

Thierry Carrez (ttx) wrote :

When you join a domain, likewise-open makes changes to the following files (making in-place backups with an .lwidentity.orig suffix):
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/nsswitch.conf
/etc/hosts
/etc/krb5.conf
/etc/security/pam_lwidentity.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session

The disruptive changes (the /etc/pam.d/ and nsswitch.conf files) are reverted when you leave a domain (using "domainjoin leave" command or the Leave option of the GUI). You can then uninstall the package and you can still login to the system.

If you uninstall likewise-open while those system files are still configured to use it (i.e. you're still in the domain), it's like if you uninstalled pam : the system will indeed be mostly unusable. The workaround is the one described by Froza.

Uninstalling should not be possible with a domain still joined ?

On Wed, Jul 30, 2008 at 10:44:16AM -0000, Thierry Carrez wrote:
> Uninstalling should not be possible with a domain still joined ?

Uninstalling should start with removing the machine from the domain
(that should be done in the prerm script).

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Thierry Carrez (ttx) on 2008-07-31
Changed in likewise-open:
assignee: nobody → tcarrez
importance: Undecided → High
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

A new version fixing this is in testing, stay tuned

Changed in likewise-open:
status: Triaged → In Progress
Thierry Carrez (ttx) wrote :

This bug was fixed in the package likewise-open - 4.1.0.2956-0ubuntu1

---------------
likewise-open (4.1.0.2956-0ubuntu1) intrepid; urgency=low

  * missing-likewise-logo.diff: removed
  * fixed copyright notice
  * updated Standards-Version to 3.8.0
  * removed path from command in prerm
  * removed stop in S runlevel

 -- Rick Clark <email address hidden> Wed, 27 Aug 2008 08:56:20 -0500

likewise-open (4.1.0.2956-0ubuntu1~ppa2) intrepid; urgency=low

  * Remove libwbclient.so.0, use libwbclient0 package instead (LP: #254434)
  * Remove library links under /usr/lib/likewise-open

 -- Thierry Carrez <email address hidden> Tue, 05 Aug 2008 15:34:18 +0200

likewise-open (4.1.0.2956-0ubuntu1~ppa1) intrepid; urgency=low

  * New upstream version. (LP: #244968)
  * Removed fix_window_close patch (was merged upstream)
  * Fixed dh_perl call so that it looks into /usr/lib/likewise-open
  * Removed perl dep from likewise-open-gui since it is now pulled from
    likewise-open perl-Depends
  * Removed superfluous /etc/defaults empty directory creation
  * More descriptive desktop entries (LP: #253032)
  * Changed desktop entry logo to domainjoin-logo.png for consistency
  * likewise-open.prerm: leave domain before uninstall (LP: #230466)
  * missing-likewise-logo.diff: fix missing logo regression in domainjoin-gui
  * no-template-modifications.diff: disable template homedir|shell
    modifications and respect whatever was put in lwiauthd.conf
  * Changed Maintainer to reflect main inclusion

 -- Thierry Carrez <email address hidden> Fri, 01 Aug 2008 15:55:43 +0200

Changed in likewise-open:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote :

SRU report

Bug impact:
Removing the likewise-open package while a domain is joined will result in a system on which you cannot login anymore.

Fix in the development branch:
This was addressed in Intrepid for version 4.1.0.2956-0ubuntu1, using the same patch that will be applied here.

Minimal patch:
--- likewise-open-4.0.5.orig/debian/likewise-open.prerm
+++ likewise-open-4.0.5/debian/likewise-open.prerm
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+case "$1" in
+ remove)
+ if [ -x /usr/bin/domainjoin-cli ]; then
+ domainjoin-cli leave || true
+ fi
+ ;;
+esac

TEST CASE:
NB: You'll need an AD setup to test that (a domain needs to be successfully joined).
$ sudo apt-get install likewise-open
$ sudo domainjoin-cli join your-domain your-Administrator your-password
SUCCESS
$ sudo apt-get remove likewise-open
Then try to log in.
Without the fix: SSH or local login will fail with "PAM unable to dlopen(/lib/security/pam_lwidentity.so)" error in auth.log
With the fix: SSH or local login will continue to work after removal of likewise-open (domain is properly left at prerm).

Regression potential:
The patch only affects prerm : it tries to leave the domain but will gracefully accept failure to do so. The only regression I can think of is that before this fix you could reinstall likewise-open after having removed it and still enjoy your domain membership... that is, if you don't log out in between.

Thierry Carrez (ttx) wrote :

Proposed debdiff for the SRU

This debdiff also contains fixes for bug 222224 and bug 256394. If one of those were to be refused by ubuntu-sru, I'd redo the debdiff to only fix accepted bugs.

likewise-open (4.0.5-0ubuntu3.1) hardy-proposed; urgency=low

  [ Etienne Goyer ]
  * Fixed ugly typo in "Domain Join Authentication" dialog
    (LP: #253394)

  [ Thierry Carrez ]
  * debian/likewise-open.prerm: Leave the domain before uninstalling,
    otherwise you wouldn't be able to login anymore (LP: #230466)
  * debian/patches/graceful_dbus_restart.diff: fix Gnome session blow-up when
    using GUI to join domain (LP: #222224)

Martin Pitt (pitti) wrote :

Ack'ed for SRU. Waiting for resolving the question in bug 253394, or reverting this bit.

Changed in likewise-open:
status: New → In Progress
Thierry Carrez (ttx) wrote :

Question solved, calling for sponsoring now.

Changed in likewise-open:
status: In Progress → Confirmed
Martin Pitt (pitti) wrote :

Uploaded.

Changed in likewise-open:
status: Confirmed → In Progress
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Adam Sommer (asommer) wrote :

I ran through the test case in comment 7:

  https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/230466/comments/7

And it worked as advertised. Using likewise-open-4.0.5-0ubuntu3 package version I was unable to login to the system after joining a domain and removing the package. Using version likewise-open-4.0.5-0ubuntu3.1 from hardy-proposed, I was able to login after joining a domain and removing the package.

If you need any additional information please let me know.

Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package likewise-open - 4.0.5-0ubuntu3.1

---------------
likewise-open (4.0.5-0ubuntu3.1) hardy-proposed; urgency=low

  [ Etienne Goyer ]
  * Fixed ugly typo in "Domain Join Authentication" dialog
    (LP: #253394)

  [ Thierry Carrez ]
  * debian/likewise-open.prerm: Leave the domain before uninstalling,
    otherwise you wouldn't be able to login anymore (LP: #230466)
  * debian/patches/graceful_dbus_restart.diff: fix Gnome session blow-up when
    using GUI to join domain (LP: #222224)

 -- Thierry Carrez <email address hidden> Tue, 28 Oct 2008 16:07:40 +0000

Changed in likewise-open:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers