Likewise uninstall, Lock login to system

The problem seems to be installing likewise changes /etc/nsswitch.conf and pam, but doesn't revert them if you uninstall, leaving the system in a state where you can't log in.

I'd say this is a pretty big problem

Not only those files... more... i remember like 10 or more... and one in pam.
the likewise backup all the files with a lwidentity.orig or something like that

i solve the problem, rescue mode and running

for a in $(find / -name *lwindentity*); do
ORIG=$(echo $a | awk -F".lwindentity" '{print $1}')
mv $a $ORIG
done

**** Dont remeber very well the -F of awk, i dont remeber the exacts format of the files ******

When you join a domain, likewise-open makes changes to the following files (making in-place backups with an .lwidentity.orig suffix):
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/nsswitch.conf
/etc/hosts
/etc/krb5.conf
/etc/security/pam_lwidentity.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session

The disruptive changes (the /etc/pam.d/ and nsswitch.conf files) are reverted when you leave a domain (using "domainjoin leave" command or the Leave option of the GUI). You can then uninstall the package and you can still login to the system.

If you uninstall likewise-open while those system files are still configured to use it (i.e. you're still in the domain), it's like if you uninstalled pam : the system will indeed be mostly unusable. The workaround is the one described by Froza.

Uninstalling should not be possible with a domain still joined ?

On Wed, Jul 30, 2008 at 10:44:16AM -0000, Thierry Carrez wrote:
> Uninstalling should not be possible with a domain still joined ?

Uninstalling should start with removing the machine from the domain
(that should be done in the prerm script).

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

A new version fixing this is in testing, stay tuned

This bug was fixed in the package likewise-open - 4.1.0.2956-0ubuntu1

---------------
likewise-open (4.1.0.2956-0ubuntu1) intrepid; urgency=low

  * missing-likewise-logo.diff: removed
  * fixed copyright notice
  * updated Standards-Version to 3.8.0
  * removed path from command in prerm
  * removed stop in S runlevel

 -- Rick Clark <email address hidden> Wed, 27 Aug 2008 08:56:20 -0500

likewise-open (4.1.0.2956-0ubuntu1~ppa2) intrepid; urgency=low

  * Remove libwbclient.so.0, use libwbclient0 package instead (LP: #254434)
  * Remove library links under /usr/lib/likewise-open

 -- Thierry Carrez <email address hidden> Tue, 05 Aug 2008 15:34:18 +0200

likewise-open (4.1.0.2956-0ubuntu1~ppa1) intrepid; urgency=low

  * New upstream version. (LP: #244968)
  * Removed fix_window_close patch (was merged upstream)
  * Fixed dh_perl call so that it looks into /usr/lib/likewise-open
  * Removed perl dep from likewise-open-gui since it is now pulled from
    likewise-open perl-Depends
  * Removed superfluous /etc/defaults empty directory creation
  * More descriptive desktop entries (LP: #253032)
  * Changed desktop entry logo to domainjoin-logo.png for consistency
  * likewise-open.prerm: leave domain before uninstall (LP: #230466)
  * missing-likewise-logo.diff: fix missing logo regression in domainjoin-gui
  * no-template-modifications.diff: disable template homedir|shell
    modifications and respect whatever was put in lwiauthd.conf
  * Changed Maintainer to reflect main inclusion

 -- Thierry Carrez <email address hidden> Fri, 01 Aug 2008 15:55:43 +0200

SRU report

Bug impact:
Removing the likewise-open package while a domain is joined will result in a system on which you cannot login anymore.

Fix in the development branch:
This was addressed in Intrepid for version 4.1.0.2956-0ubuntu1, using the same patch that will be applied here.

Minimal patch:
--- likewise-open-4.0.5.orig/debian/likewise-open.prerm
+++ likewise-open-4.0.5/debian/likewise-open.prerm
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+case "$1" in
+ remove)
+ if [ -x /usr/bin/domainjoin-cli ]; then
+ domainjoin-cli leave || true
+ fi
+ ;;
+esac

TEST CASE:
NB: You'll need an AD setup to test that (a domain needs to be successfully joined).
$ sudo apt-get install likewise-open
$ sudo domainjoin-cli join your-domain your-Administrator your-password
SUCCESS
$ sudo apt-get remove likewise-open
Then try to log in.
Without the fix: SSH or local login will fail with "PAM unable to dlopen(/lib/security/pam_lwidentity.so)" error in auth.log
With the fix: SSH or local login will continue to work after removal of likewise-open (domain is properly left at prerm).

Regression potential:
The patch only affects prerm : it tries to leave the domain but will gracefully accept failure to do so. The only regression I can think of is that before this fix you could reinstall likewise-open after having removed it and still enjoy your domain membership... that is, if you don't log out in between.

Proposed debdiff for the SRU

This debdiff also contains fixes for bug 222224 and bug 256394. If one of those were to be refused by ubuntu-sru, I'd redo the debdiff to only fix accepted bugs.

likewise-open (4.0.5-0ubuntu3.1) hardy-proposed; urgency=low

  [ Etienne Goyer ]
  * Fixed ugly typo in "Domain Join Authentication" dialog
    (LP: #253394)

  [ Thierry Carrez ]
  * debian/likewise-open.prerm: Leave the domain before uninstalling,
    otherwise you wouldn't be able to login anymore (LP: #230466)
  * debian/patches/graceful_dbus_restart.diff: fix Gnome session blow-up when
    using GUI to join domain (LP: #222224)

Ack'ed for SRU. Waiting for resolving the question in bug 253394, or reverting this bit.

Question solved, calling for sponsoring now.

Uploaded.

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Verified fixed on my side... here are links to the TEST CASEs:
bug 230466 : https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/230466/comments/7
bug 222224 : https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/222224/comments/5
bug 253394 : https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/253394/comments/6

I ran through the test case in comment 7:

  https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/230466/comments/7

And it worked as advertised. Using likewise-open-4.0.5-0ubuntu3 package version I was unable to login to the system after joining a domain and removing the package. Using version likewise-open-4.0.5-0ubuntu3.1 from hardy-proposed, I was able to login after joining a domain and removing the package.

If you need any additional information please let me know.

Thanks

This bug was fixed in the package likewise-open - 4.0.5-0ubuntu3.1

---------------
likewise-open (4.0.5-0ubuntu3.1) hardy-proposed; urgency=low

  [ Etienne Goyer ]
  * Fixed ugly typo in "Domain Join Authentication" dialog
    (LP: #253394)

  [ Thierry Carrez ]
  * debian/likewise-open.prerm: Leave the domain before uninstalling,
    otherwise you wouldn't be able to login anymore (LP: #230466)
  * debian/patches/graceful_dbus_restart.diff: fix Gnome session blow-up when
    using GUI to join domain (LP: #222224)

 -- Thierry Carrez <email address hidden> Tue, 28 Oct 2008 16:07:40 +0000