Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

Bug #1584485 reported by Rafael David Tinoco on 2016-05-22
This bug affects 2 people
Affects (Status, Importance, Assigned to):
samba (Debian): status New, importance Unknown
samba (Ubuntu): importance High, assigned to Jorge Niedbalski
Declined for Wily by Louis Bouchard
Trusty: importance High, assigned to Jorge Niedbalski
Xenial: importance High, assigned to Jorge Niedbalski
Yakkety: importance High, assigned to Jorge Niedbalski

Bug Description

[Impact]

* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version difference between winbind and libraries.

[Test Case 1]

Verify that the regression reported in bug 1644428 has not recurred.

[Test Case 2]

1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
   7.1) sudo restart smbd
   7.2) sudo restart nmbd
   7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind

While installing, you will see things similar to this :

> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped

[Regression Potential]

* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change

[Other Info]

* Original Bug Description:

It was brought to my attention that, because of latest security fixes for samba:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (especially if used before the compat mechanism).

----

How to reproduce easily:

$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat

(winbind is usually used after compat, in this case it was used before)

to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:

$ sudo apt-get update

and FINALLY:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

Leading into an unusable system in the following state:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

## state

Workaround:

DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version.


Rafael David Tinoco (inaddy) wrote :

$ sudo apt-get --only-upgrade install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
  python-ldb python-samba python-tdb samba-common samba-common-bin
  samba-dsdb-modules samba-libs samba-vfs-modules winbind
Suggested packages:
  bind9 bind9utils ldb-tools smbldap-tools heimdal-clients
The following packages will be upgraded:
  libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
  python-ldb python-samba python-tdb samba samba-common samba-common-bin
  samba-dsdb-modules samba-libs samba-vfs-modules winbind
16 upgraded, 0 newly installed, 0 to remove and 219 not upgraded.
Need to get 8,877 kB of archives.
After this operation, 5,632 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-ldb amd64 1:1.1.24-0ubuntu0.14.04.1 [29.2 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-tdb amd64 1.3.8-0ubuntu0.14.04.1 [10.8 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtdb1 amd64 1.3.8-0ubuntu0.14.04.1 [38.3 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtevent0 amd64 0.9.28-0ubuntu0.14.04.1 [26.2 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-dsdb-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [219 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libnss-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [12.6 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libpam-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [28.2 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [411 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libwbclient0 amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [30.8 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [903 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common-bin amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [508 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common all 2:4.3.9+dfsg-0ubuntu0.14.04.1 [82.9 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [1,068 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-vfs-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [259 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-libs amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [5,144 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libldb1 amd64 1:1.1.24-0ubuntu0.14.04.1 [107 kB]
Fetched 8,877 kB in 14s (594 kB/s)
Preconfiguring packages ...
(Reading database ... 115393 files and directories currently installed.)
Preparing to unpack .../python-ldb_1%3a1.1.24-0ubuntu0.14.04....


Changed in samba (Ubuntu):
status: New → Confirmed
assignee: nobody → Rafael David Tinoco (inaddy)
importance: Undecided → High
description: updated
Rafael David Tinoco (inaddy) wrote :

## state

inaddy@winbindsegfault:~$ dpkg -l | grep -i samba
iU libnss-winbind:amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 amd64 Samba nameservice integration plugins
ii libwbclient0:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba winbind client library
ii python-samba 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Python bindings for Samba
ii samba 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.1.6+dfsg-1ubuntu2.14.04.13 all common files used by both the Samba server and client
ii samba-common-bin 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba common files used by both the server and the client
iU samba-dsdb-modules 2:4.3.9+dfsg-0ubuntu0.14.04.1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba core libraries
ii samba-vfs-modules 2:4.1.6+dfsg-1ubuntu2.14.04.13 amd64 Samba Virtual FileSystem plugins

description: updated
Rafael David Tinoco (inaddy) wrote :

After upgrade process fails, all programs executing libc functions depending on NSS will fail:

----

inaddy@workstation:~/bugs/winbindsegfault/crashes$ ls -ltr
total 1024
-rw------- 1 inaddy inaddy 52309 May 21 20:06 winbind.0.crash
-rw------- 1 inaddy inaddy 52717 May 21 20:06 libwbclient0.0.crash
-rw------- 1 inaddy inaddy 52094 May 21 20:06 libpam-winbind.0.crash
-rw-r----- 1 inaddy inaddy 75007 May 21 20:06 _bin_tar.0.crash
-rw------- 1 inaddy inaddy 516096 May 21 20:06 core
-rw-r----- 1 inaddy inaddy 73918 May 21 20:06 _bin_ls.1107.crash
-rw-r----- 1 inaddy inaddy 73430 May 21 20:06 _bin_tar.1107.crash
-rw-r----- 1 inaddy inaddy 40434 May 21 20:06 _usr_lib_openssh_sftp-server.1107.crash
-rw-r----- 1 inaddy inaddy 41838 May 21 20:07 _usr_bin_scp.1107.crash
-rw-r----- 1 inaddy inaddy 56520 May 21 20:07 _bin_ps.1107.crash

----

(gdb) bt
#0 0x00007ffff68b8b80 in __pthread_initialize_minimal_internal () from /lib/x86_64-linux-gnu/libpthread.so.0
#1 0x00007ffff68b7539 in _init () from /lib/x86_64-linux-gnu/libpthread.so.0
#2 0x00007ffff6ad0d48 in ?? () from /lib/x86_64-linux-gnu/libnss_compat.so.2
#3 0x00007ffff7dea0cd in call_init (l=0x6248c0, argc=argc@entry=4, argv=argv@entry=0x7fffffffe428, env=env@entry=0x7fffffffe450) at dl-init.c:64
#4 0x00007ffff7dea215 in call_init (env=0x7fffffffe450, argv=0x7fffffffe428, argc=4, l=<optimized out>) at dl-init.c:36
#5 _dl_init (main_map=main_map@entry=0x624d70, argc=4, argv=0x7fffffffe428, env=0x7fffffffe450) at dl-init.c:93
#6 0x00007ffff7deec40 in dl_open_worker (a=a@entry=0x7fffffffd7d8) at dl-open.c:577
#7 0x00007ffff7de9fc4 in _dl_catch_error (objname=objname@entry=0x7fffffffd7c8, errstring=errstring@entry=0x7fffffffd7d0,
    mallocedp=mallocedp@entry=0x7fffffffd7c0, operate=operate@entry=0x7ffff7dee970 <dl_open_worker>, args=args@entry=0x7fffffffd7d8)
    at dl-error.c:187
#8 0x00007ffff7dee38b in _dl_open (file=0x7fffffffda20 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=4,
    argv=0x7fffffffe428, env=0x7fffffffe450) at dl-open.c:661
#9 0x00007ffff771fe92 in do_dlopen (ptr=ptr@entry=0x7fffffffd9f0) at dl-libc.c:87
#10 0x00007ffff7de9fc4 in _dl_catch_error (objname=0x7fffffffd9d0, errstring=0x7fffffffd9e0, mallocedp=0x7fffffffd9c0,
    operate=0x7ffff771fe50 <do_dlopen>, args=0x7fffffffd9f0) at dl-error.c:187
#11 0x00007ffff771ff52 in dlerror_run (args=0x7fffffffd9f0, operate=0x7ffff771fe50 <do_dlopen>) at dl-libc.c:46
#12 __GI___libc_dlopen_mode (name=name@entry=0x7fffffffda20 "libnss_compat.so.2", mode=mode@entry=-2147483647) at dl-libc.c:163
#13 0x00007ffff770747d in nss_load_library (ni=0x623b60, ni=0x623b60) at nsswitch.c:399
#14 __GI___nss_lookup_function (ni=0x623b60, fct_name=fct_name@entry=0x7ffff776810a "getpwuid_r") at nsswitch.c:507
#15 0x00007ffff77076b5 in __GI___nss_lookup (ni=ni@entry=0x7fffffffdae0, fct_name=fct_name@entry=0x7ffff776810a "getpwuid_r",
    fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7fffffffdaf0) at nsswitch.c:239
#16 0x00007ffff7708280 in __GI___nss_passwd_lookup2 (ni=ni@entry=0x7fffffffdae0, fct_name=fct_name@entry=0x7ffff776810a "getpwuid_r",
    fct2_name=fct2_name@entry=0x0, fctp=fctp@entry...


Rafael David Tinoco (inaddy) wrote :

A mechanism to remove winbind from /etc/nsswitch.conf before samba upgrades (since libnss-winbind is kept apart from packages "samba" and "samba-libs"), OR to fail the upgrade if winbind is being used, should exist to prevent such a bad thing from happening.

Rafael David Tinoco (inaddy) wrote :

According to document:

https://wiki.debian.org/MaintainerScripts

I added constraints on letting the upgrade happen for:

libnss-winbind
libpam-winbind
libwbclient0
samba-dsdb-modules
samba-libs
samba
winbind

When winbind is enabled in either /etc/nsswitch.conf or in /etc/pam.d/* files.

So, whenever trying to upgrade samba you will get something like:

----

Do you want to continue? [Y/n] y
(Reading database ... 115473 files and directories currently installed.)
Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb ...

Warning:

You have winbind configured in either NSS (/etc/nsswitch.conf)
or in PAM (/etc/pam.d/*). Before proceeding with the
installation, or upgrade, make sure to disable winbind!

dpkg: error processing archive /var/cache/apt/archives/libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.2~lp1584485~4_amd64.deb (--unpack):
 subprocess new pre-installation script returned error exit status 1
dpkg: error while cleaning up:
 subprocess new post-removal script returned error exit status 1

----

That will save you from crashing your system because of NSS being broken.

Attaching debdiffs...

description: updated
tags: added: sts
description: updated
Changed in samba (Ubuntu):
status: Confirmed → In Progress
tags: added: patch
Sebastien Bacher (seb128) wrote :

unsubscribing the normal sponsors since that should go through security

Marc Deslauriers (mdeslaur) wrote :

This isn't a security regression, it's a samba package upgrade issue that also applies for regular updates. I believe this should be handled as a SRU.

Marc Deslauriers (mdeslaur) wrote :

I don't believe the debdiffs provide a valid solution to this issue. Here is an irc discussion with infinity where he presented a better solution:

<mdeslaur> infinity: I'd appreciate your thoughts on the best way to address bug 1584485
<mdeslaur> infinity: that approach doesn't look sane to me, do you have any suggestions for something better?
<infinity> mdeslaur: The proposed fix is certainly not reasonable. I'll ponder the problem over breakfast.
 mdeslaur: Is it a question of ABI breaks, or ABI additions? It seems the real issue is bad dependencies between libnss-winbind and its deps.
<infinity> Oh, because samba-libs is a big blob of libraries that shouldn't be packaged together.
 Whee.
<mdeslaur> infinity: if the abi changes, running processes die because they're running with the old version of libnss-winbind
 infinity: I guess abi additions should be fine, but I'm not sure how careful samba preserves abi between versions
<infinity> mdeslaur: Running processes should be fine, it's new processes that explode miserably. (Well, or running processes calling into NSS anew, but that's still "new", from my POV)
<infinity> mdeslaur: But yeah, the problem is clearly a lack of sane ABI versioning on "samba-libs" and, thus, incorrectly weak deps between libnss-winbind and samba-libs.
 mdeslaur: Doesn't look like something one can properly fix in an SRU, since the fix is to actually version the *#^)! libraries correctly.
<mdeslaur> oh, right, new processes in that specific case
<infinity> mdeslaur: But having samba-libs Break libnss-winbind << Binary-Version, and disable/reenable winbind on preinst/postinst would "work". Though, gross.
<mdeslaur> I thought I saw a bug where existing processes were crashing because of an incompatibility with a newer winbind service
<infinity> Existing processes will also explode if they call into NSS fresh, NSS is effectively a dlopen().
<infinity> But yeah, I consider dlopen "new processes" from the POV of hunting library ABI issues. :P
 Otherwise my head hurts.
<infinity> Anyhow, any solution that halts upgrade with "we notice you have packages installed and you're actually using them correctly; please stop using them" is not sane.
 If it can be automated to disable/reenable, that's vaguely okay, though if their setup relies on winbind resolution working, there's a gap there where the world sucks.
 But better that than crashing, I suppose.
<mdeslaur> infinity: but what happens when an existing process is running with an old libnss-winbind, and the winbind package gets upgraded to a version that is not compatible with the old libnss-winbind?
 perhaps that's not a problematic scenario
<infinity> mdeslaur: After taking a walk, it occurs to me that in the absence of proper library versioning, the more robust solution might just be for nss-winbind and pam-winbind to be statically linked to samba-libs.
 mdeslaur: That would eliminate the problem, and have the added bonus of not having to pull in a massive samba-libs package just for the small bits that the nss/pam plugins need.
<mdeslaur> hrm, that does sound reasonable

Rafael David Tinoco (inaddy) wrote :

[12:43] <infinity> tinoco: pam-winbind and nss-winbind.
[12:43] <mdeslaur> tinoco: perhaps file a debian bug also?
[12:44] <tinoco> definitely. the proposal was to bring the discussion only
[12:44] <infinity> tinoco: Only statically linked to samba-libs, of course. You still want to be dynamically linked to any properly-versioned system libs (like libc).
[12:44] <tinoco> i wasn't super happy about the approach either
[12:44] <tinoco> infinity: definitely. gotcha
[12:44] <tinoco> i'll work on it and provide a new sru suggestion
[12:44] <tinoco> tks!
[12:45] <infinity> tinoco: But yes, in the absence of properly-versioned samba libs, I don't see a better solution.
[12:45] <tinoco> infinity: yep, me neither. there would be always a time window for things to go bad
[12:45] <infinity> tinoco: The best solution would be for upstream to properly version all those little libs in samba-libs, and then break them out into individual packages.
[12:45] <infinity> tinoco: But I don't see that happening any time soon, if ever.
[12:46] <tinoco> ok. i'll document this for future reference (if they ever go that way)
[12:46] <tinoco> and will fix it on debian also
[12:46] <tinoco> tks infinity

Rafael David Tinoco (inaddy) wrote :

[12:50] <infinity> tinoco: The "disable in samba-libs preinst, reenable in samba-libs postinst" approach would also work, but it's (a) potentially very brittle, and (b) likely next to impossible to do for pam-winbind (which probably suffers the same issue as nss-winbind).
[12:51] <tinoco> infinity: my hope was that pam-auth-update (or any other means) could remove/re-add winbind to nsswitch
[12:51] <tinoco> but then.. if customer had a tailor-made change of nsswitch.conf.. it would be no good
[12:51] <tinoco> other choice would be to remove.. but then, if user doing the installation was coming from NSS
[12:51] <tinoco> things would go bad also
[12:52] <infinity> tinoco: Right, nsswitch isn't too hard, but /etc/pam.d/* is an order of magnitude worse.
[12:52] <tinoco> just like you said before
[12:52] <tinoco> infinity: definitely
[12:52] <tinoco> i think statically compiling it for now is the best approach
[12:52] <tinoco> only way without dealing with infinite possibilities coming from pam.d/nss

Unsubscribing sponsors until a more viable approach appears. Good luck!

Louis Bouchard (louis) on 2016-07-08
Changed in samba (Ubuntu):
assignee: Rafael David Tinoco (inaddy) → Louis Bouchard (louis-bouchard)
description: updated
Changed in samba (Ubuntu):
assignee: Louis Bouchard (louis-bouchard) → Jorge Niedbalski (niedbalski)
Jorge Niedbalski (niedbalski) wrote :

Hello,

I've modified the building scripts for compiling libnss-winbind and libpam-winbind statically against the samba-libs as was suggested by @infinity.

This fix seems to resolve the issue reported on this bug, and the reproducer is no
longer experienced.

With the patch applied:

root@samba:~# ldd /lib/x86_64-linux-gnu/security/pam_winbind.so
 linux-vdso.so.1 => (0x00007ffe0bdaf000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb246748000)
 libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fb246539000)
 libtalloc.so.2 => /usr/lib/x86_64-linux-gnu/libtalloc.so.2 (0x00007fb24632c000)
 libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fb24611e000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb245d59000)
 /lib64/ld-linux-x86-64.so.2 (0x000055695ab59000)
 libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fb245b34000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb245930000)

root@samba:~# ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
 linux-vdso.so.1 => (0x00007fffe9195000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd3e84f7000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd3e8132000)
 /lib64/ld-linux-x86-64.so.2 (0x0000563f59046000)

Changed in samba (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jorge Niedbalski (niedbalski)
Jorge Niedbalski (niedbalski) wrote :
no longer affects: samba (Ubuntu Precise)
Changed in samba (Ubuntu Xenial):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Jorge Niedbalski (niedbalski)
Jorge Niedbalski (niedbalski) wrote :
Changed in samba (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.4.5+dfsg-2ubuntu6

---------------
samba (2:4.4.5+dfsg-2ubuntu6) zesty; urgency=high

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
    to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden> Wed, 02 Nov 2016 13:59:10 +0100

Changed in samba (Ubuntu):
status: In Progress → Fix Released

Hello Rafael, or anyone else affected,

Accepted samba into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.4.5+dfsg-2ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Hello Rafael, or anyone else affected,

Accepted samba into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Xenial):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Hello Rafael, or anyone else affected,

Accepted samba into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Trusty):
status: In Progress → Fix Committed
Jorge Niedbalski (niedbalski) wrote :

OK, I have verified that the trusty-proposed version fixes the reported issue.

The steps ran for verification:

1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
   7.1) sudo restart smbd
   7.2) sudo restart nmbd
   7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
10) sudo apt-get install samba winbind libnss-winbind libpam-winbind

The segmentation fault mentioned before is not experienced.
Also with the patch applied:
root@samba:~# ldd /lib/x86_64-linux-gnu/security/pam_winbind.so
 linux-vdso.so.1 => (0x00007ffe0bdaf000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb246748000)
 libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fb246539000)
 libtalloc.so.2 => /usr/lib/x86_64-linux-gnu/libtalloc.so.2 (0x00007fb24632c000)
 libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fb24611e000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb245d59000)
 /lib64/ld-linux-x86-64.so.2 (0x000055695ab59000)
 libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fb245b34000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fb245930000)

root@samba:~# ldd /lib/x86_64-linux-gnu/libnss_winbind.so.2
 linux-vdso.so.1 => (0x00007fffe9195000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd3e84f7000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd3e8132000)
 /lib64/ld-linux-x86-64.so.2 (0x0000563f59046000)

tags: added: verification-done-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.2

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.2) trusty; urgency=medium

  * d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
   to be statically linked fixes LP: #1584485.

  * d/rules: Compile winbindd/winbindd statically.

 -- Jorge Niedbalski <email address hidden> Wed, 09 Nov 2016 15:09:11 +0100

Changed in samba (Ubuntu Trusty):
status: Fix Committed → Fix Released
Ian Gordon (ian-gordon) wrote :

With version 2:4.3.11+dfsg-0ubuntu0.14.04.2 installed libpam-winbind no longer talks to winbind
This means all authentication which involves PAM is failing for us. I have reverted to 2:4.3.11+dfsg-0ubuntu0.14.04.1 temporarily.

Is there anything I can do to help you debug this problem?

Robert Euhus (euhus-liste1) wrote :

Hello,

this change breaks PAM authentication via libpam-winbind completely in trusty. I have just checked it with a fresh install.

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1644428

Have you tried using libpam-winbind after making this change?

Regards,
Robert Euhus

Jorge Niedbalski (niedbalski) wrote :

@euhus-liste1, @ian-gordon,

- Could you please describe the error that you are experiencing (provide logs, your configuration, etc) in order to replicate the issue?

Thanks.

Martin Pitt (pitti) wrote :

Reopening for trusty as the change was reverted in bug 1644428.

Changed in samba (Ubuntu Trusty):
status: Fix Released → In Progress
tags: added: verification-failed
removed: verification-done-trusty
tags: removed: verification-needed
Robert Euhus (euhus-liste1) wrote :

I have not had the time yet to check the libpam-winbind module in xenial. But since the patch looks identical from the first look, you might want to delay its migration from -proposed until someone has checked that the module is still working.

I'll try to find time for this tomorrow, but it's not my highest priority, since we have migrated to sssd for xenial.

Regards,
Robert Euhus

Robie Basak (racb) on 2016-11-25
description: updated
Robert Euhus (euhus-liste1) wrote :

Our setup is the following:
- The ubuntu client is joined to a MS-AD-Domain (called 'MYAD' here)
- Users from the domain can log via winbind using their domain credentials
- Winbind is set up to use cached logins (which I think is irrelevant here)
- nsswitch uses compat first, winbind then

I will attach the corresponding config files.

Yours, Robert Euhus

Robert Euhus (euhus-liste1) wrote :

Here is the relevant part from auth.log, which imho has a misleading error message.

Robert Euhus (euhus-liste1) wrote :

The xenial package for libpam-winbind from -proposed is broken as well. So I recommend stopping it before it gets to -updates (or whatever).

I will not check the package for yakkety, but I don't see why it should be working when trusty and xenial are broken.

Is there anything I can do to help debugging the problem? Reverting the patch 'fixes' my problem, but does not really solve the original issue.

Regards,
Robert Euhus

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.14.04.4

---------------
samba (2:4.3.11+dfsg-0ubuntu0.14.04.4) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
    - debian/patches/CVE-2016-2123.patch: check lengths in
      librpc/ndr/ndr_dnsp.c.
    - CVE-2016-2123
  * SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
    - debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
      source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
      source4/auth/gensec/gensec_gssapi.c.
    - CVE-2016-2125
  * SECURITY UPDATE: privilege elevation in Kerberos PAC validation
    - debian/patches/CVE-2016-2126.patch: only allow known checksum types
      in auth/kerberos/kerberos_pac.c.
    - CVE-2016-2126

 -- Marc Deslauriers <email address hidden> Mon, 12 Dec 2016 08:40:01 -0500

Changed in samba (Ubuntu Trusty):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack) wrote :

I can confirm the problem reported originally in this bug (all those segfaults after the upgrade) only happens if you have winbind listed first, ahead of files or compat.

Any particular reason why that order was chosen? There will for sure be a "blip" in the winbind service during the upgrade, and having the system users fail to be resolved is bound to be catastrophic.

Andreas Hasenack (ahasenack) wrote :

The patch was reverted in artful, and will be reverted for the other affected releases because of the regression it introduced: bug #1677329, bug #1644428

Feedback from upstream was requested: https://lists.samba.org/archive/samba-technical/2017-June/121139.html

Andreas Hasenack (ahasenack) wrote :

Revised fix-1584485.patch that includes a missing library in the static build to fix bug #1677329. Patch submitted upstream to samba-technical awaiting feedback.

Changed in samba (Ubuntu):
status: Fix Released → Triaged
Andreas Hasenack (ahasenack) wrote :

Reopened the artful (devel) task, as the patch was reverted in 2:4.5.8+dfsg-2ubuntu2

Andreas Hasenack (ahasenack) wrote :

Marking as incomplete because of comment #43

Changed in samba (Ubuntu):
status: Triaged → Incomplete
Santiago Gala (sgala) wrote :

Note that when I updated Ubuntu 17.04 to the package referenced by this bug, it gave an error during install, due to the fact that /tmp is mounted as noexec in ubuntu 17.04:

Preconfiguring packages ...
Can't exec "/tmp/samba-common.config.YEmyIi": Permission denied at /usr/share/perl/5.24/IPC/Open3.pm line 178.
open2: exec of /tmp/samba-common.config.YEmyIi configure 2:4.5.8+dfsg-0ubuntu0.17.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

Andreas Hasenack (ahasenack) wrote :

I have a zesty VM and /tmp is not even in a different mountpoint: it's part of /. Did you partition your machine manually and mount /tmp with noexec?

Mathieu Parent (math-parent) wrote :

(Debian Maintainer here)

If no one comes with a good reason to have winbind listed before compat (or before files) in nsswitch.conf, I'll add a mandatory check for this during install or upgrade of libwbclient0 and libnss-winbind.

NB: Maybe this bug should be reopened as the proposed fix was later reverted (#1677329) ?
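
The condition discussed in this thread (winbind listed before compat or files in /etc/nsswitch.conf, plus pam_winbind references under /etc/pam.d) can be audited before a samba upgrade. The script below is an added example, not part of the bug report and not the Debian or Ubuntu maintainer scripts; the function names, verdict strings and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit winbind usage in NSS and PAM before a samba upgrade.
# Function names, verdict strings and sample files are hypothetical.

# Print "<database> <verdict>" for each nsswitch.conf database that lists winbind.
#   winbind-first       winbind is consulted before files/compat (or no local source)
#   winbind-after-local files or compat is consulted before winbind
nss_winbind_order() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments
        i = index($0, ":")
        if (i == 0) next                    # not a database line
        db = substr($0, 1, i - 1)
        gsub(/[ \t]/, "", db)
        n = split(substr($0, i + 1), svc, /[ \t]+/)
        wb = 0; loc = 0
        for (k = 1; k <= n; k++) {
            if (svc[k] == "winbind" && !wb) wb = k
            if ((svc[k] == "files" || svc[k] == "compat") && !loc) loc = k
        }
        if (!wb) next
        verdict = (loc && loc < wb) ? "winbind-after-local" : "winbind-first"
        print db, verdict
    }' "$1"
}

# List files in a PAM directory with a non-comment line referencing pam_winbind.
pam_winbind_files() {
    grep -l -E '^[^#]*pam_winbind' "$1"/* 2>/dev/null
}

# Return 0 when no database puts winbind first, 1 when at least one does,
# 2 when the nsswitch file cannot be read. PAM usage is reported as a note.
preupgrade_check() {
    chk_nss=${1:-/etc/nsswitch.conf}
    chk_pam=${2:-/etc/pam.d}
    [ -r "$chk_nss" ] || { echo "cannot read $chk_nss" >&2; return 2; }
    chk_status=0
    chk_risky=$(nss_winbind_order "$chk_nss" | awk '$2 == "winbind-first" { print $1 }')
    if [ -n "$chk_risky" ]; then
        echo "RISK: winbind precedes files/compat for:" $chk_risky
        chk_status=1
    fi
    chk_pamfiles=$(pam_winbind_files "$chk_pam") || true
    if [ -n "$chk_pamfiles" ]; then
        echo "NOTE: pam_winbind referenced in:" $chk_pamfiles
    fi
    return $chk_status
}

# Write constructed sample files (not taken from a real host) into directory $1.
make_sample() {
    mkdir -p "$1/pam.d"
    cat > "$1/nsswitch.risky" <<'EOF'
# constructed sample: same layout as in the bug description
passwd: winbind compat
shadow: compat
group:  winbind compat
hosts:  files dns
EOF
    cat > "$1/nsswitch.safe" <<'EOF'
passwd: compat winbind
shadow: compat
group:  compat winbind   # winbind after local lookups
EOF
    cat > "$1/pam.d/common-auth" <<'EOF'
auth sufficient pam_winbind.so
auth required   pam_unix.so
EOF
    cat > "$1/pam.d/common-session" <<'EOF'
# session optional pam_winbind.so
session required pam_unix.so
EOF
}

# Demo on the constructed samples; on a real host call preupgrade_check with no arguments.
sample=$(mktemp -d)
make_sample "$sample"
preupgrade_check "$sample/nsswitch.risky" "$sample/pam.d" || echo "exit status: $?"
rm -rf "$sample"
```
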
