Unable to log in with AD account after update
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | samba (Ubuntu) |
High
|
Andreas Hasenack | ||
| | Trusty |
High
|
Louis Bouchard | ||
| | Zesty |
High
|
Andreas Hasenack | ||
Bug Description
[Impact]
The pam_winbind.so module is unusable in zesty. It won't load because of missing symbols:
Jun 21 13:17:05 zesty-pamwinbin
This is due to the (re)introduction of patch fix-1584485.patch which changes the way this module is built, trying to statically link some libraries. That linking was incorrectly done.
The patch was subsequently removed, but later added back again by mistake during a sync.
A new version of the patch exists (https:/
That was done, but since this could take some time, we decided it's best to revert the patch again.
[Test Case]
In a zesty machine/container:
* sudo apt install libpam-winbind winbind samba
* tail -f /var/log/auth.log
* perform a login on this machine. Via ssh, for example
* the broken version will log this:
Jun 21 13:17:05 zesty-pamwinbin
* The fixed version will load pam_winbind.so just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs:
Jun 21 17:48:52 zesty-pamwinbin
Jun 21 17:48:52 zesty-pamwinbin
[Regression Potential]
This reversal has been done before and worked. Right now, the biggest regression potential is to add the broken patch back again.
Reversing this patch will also reintroduce bug #1584485, but I think the configuration that leads to that bug is asking for trouble and I stated as such in a comment (https:/
That being said, it is my opinion that having a working pam_winbind module benefits more users than the amount of users that could be affected by the particular configuration that leads to #1584485.
[Other Info]
Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.
Related branches
- ChristianEhrhardt (community): Approve on 2017-07-13
- Canonical Server Core Reviewers: Pending requested 2017-08-03
- Canonical Server Team: Pending requested 2017-08-03
-
Diff: 144 lines (+12/-96)4 files modifieddebian/changelog (+12/-0)
debian/patches/series (+0/-1)
debian/rules (+0/-1)
dev/null (+0/-94)
- Nish Aravamudan: Approve on 2017-06-19
-
Diff: 128 lines (+10/-95)3 files modifieddebian/changelog (+10/-0)
debian/patches/series (+0/-1)
dev/null (+0/-94)
- Nish Aravamudan: Needs Fixing on 2017-05-30
-
Diff: 59 lines (+30/-2)2 files modifieddebian/changelog (+11/-0)
debian/patches/fix-1584485.patch (+19/-2)
| Björn Ramberg (bjoern-ramberg) wrote : | #2 |
Can confirm this, attached a log snippet on how the auth.log looks after upgrading to this version.
..
Nov 24 11:02:12 thismachine sudo: PAM unable to dlopen(
Nov 24 11:02:12 thismachine sudo: PAM adding faulty module: pam_winbind.so
..
Replacing the new pam_winbind.so with one from previous version does work.
| Robert Euhus (euhus-liste1) wrote : | #3 |
I think the error message in the log is misleading. the problem is definitely not that /lib/security/
But instead I think that something went wrong with the statically linking patch which was the only change introduced there:
http://
Regards,
Robert Euhus
| Robert Euhus (euhus-liste1) wrote : | #4 |
Sorry, forgot the link to the bug which caused this change:
https:/
| Louis Bouchard (louis) wrote : | #5 |
Hello,
The safest route for the time being is to revert back to 2:4.3.11+
| Changed in samba (Ubuntu Trusty): | |
| status: | New → Triaged |
| importance: | Undecided → High |
| assignee: | nobody → Louis Bouchard (louis-bouchard) |
| tags: | added: regression-update |
| Changed in samba (Ubuntu): | |
| status: | Confirmed → Invalid |
Hello Lyle, or anyone else affected,
Accepted samba into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in samba (Ubuntu Trusty): | |
| status: | Triaged → Fix Committed |
| tags: | added: verification-needed |
| Martin Pitt (pitti) wrote : | #7 |
For the record, this just needs to be verified to fix the regression and still generally work. This should *not* be delayed for the usual 7 day maturing period as this fixes a regression.
| Robie Basak (racb) wrote : | #8 |
Please note that 2:4.3.11+
Please could someone affected by the regression introduced by 2:4.3.11+
We should also perform regular verification to make sure that this doesn't inadvertently break something else (eg. some non-determinism in the build, or changes in the build environment). Once that's done, we can release 2:4.3.11+
| Robert Euhus (euhus-liste1) wrote : | #9 |
Is there any way I can help debugging this problem? I have no idea how to find out, what exactly is missing from the pam_winbind.so module. But I'm willing to learn! :)
I have no problem rebuilding packages to try out patches, or reinstalling from scratch. Please also let me know if You need any other info or logfiles.
| Björn Ramberg (bjoern-ramberg) wrote : | #10 |
Impressively fast guys, hats off for that!
"Please could someone affected by the regression introduced by 2:4.3.11+
Just tested the trusty-proposed version (ubuntu0.14.04.3) and I can not see the issue anymore.
"Please could someone affected by the regression introduced by 2:4.3.11+
| Lyle Dietz (ritterwolf) wrote : | #12 |
Tested 2:4.3.11+
| tags: |
added: verification-done removed: verification-needed |
| Robie Basak (racb) wrote : | #13 |
Thank you for the verifications! Could someone please also verify that "regular" samba is working using 2:4.3.11+
I just want to make sure we've checked samba generally before releasing this, in case only winbind behaviour has been tested. I don't want to introduce a second regression.
When confirming, please describe what aspect you tested.
Thanks!
| Björn Ramberg (bjoern-ramberg) wrote : | #14 |
From a machine running 4.3.11+
All works as expected from my side.
Thanks guys!
| Launchpad Janitor (janitor) wrote : | #16 |
This bug was fixed in the package samba - 2:4.3.11+
---------------
samba (2:4.3.
* Revert to version prior to the 2:4.3.11+
which is causing regression with statically linked libpam_winbind.
Removes d/p/fix-
-- Louis Bouchard <email address hidden> Thu, 24 Nov 2016 15:40:40 +0100
| Changed in samba (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |
| Robie Basak (racb) wrote : Update Released | #15 |
The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Robie Basak (racb) wrote : | #17 |
Thank you to everyone involved in helping verify this fix.
| Robert Euhus (euhus-liste1) wrote : | #18 |
Thanks for the quick action!
| Björn Ramberg (bjoern-ramberg) wrote : | #19 |
Indeed, thanks a lot for very quick action.
| Martino Dell'Ambrogio (tillo) wrote : | #20 |
This seems to affect 2:4.3.11+
| Louis Bouchard (louis) wrote : | #21 |
Martino,
This is probably because you upgraded from xenial-proposed which has the broken package. This one hasn't been released and should not be used.
samba | 2:4.3.11+
samba | 2:4.3.11+
I will see if it can be removed from the xenial-proposed archive
| Changed in samba (Ubuntu): | |
| status: | Invalid → Confirmed |
| Michael Iatrou (michael.iatrou) wrote : | #22 |
The same issue is observed on Xenial:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
ii libpam-
ii libpam-
ii libpam-modules-bin 1.1.8-3.2ubuntu2 amd64
ii libpam-
ii libpam-runtime 1.1.8-3.2ubuntu2 all
ii libpam-sss:amd64 1.13.4-1ubuntu1.2 amd64
ii libpam-
ii libpam0g:amd64 1.1.8-3.2ubuntu2 amd64
ii python-samba 2:4.3.11+
ii samba 2:4.3.11+
ii samba-common 2:4.3.11+
ii samba-common-bin 2:4.3.11+
ii samba-dsdb-modules 2:4.3.11+
ii samba-libs:amd64 2:4.3.11+
ii samba-vfs-modules 2:4.3.11+
From /var/log/auth.log:
10:48:56 gcc-ubuntu-tst1 sudo: gcc : problem with defaults entries ; TTY=pts/18 ; PWD=/etc/sssd ;
10:48:56 gcc-ubuntu-tst1 sudo: PAM unable to dlopen(
10:48:56 gcc-ubuntu-tst1 sudo: PAM adding faulty module: pam_winbind.so
10:48:56 gcc-ubuntu-tst1 sudo: gcc : TTY=pts/18 ; PWD=/etc/sssd ; USER=root ; COMMAND=/bin/more sssd.conf
10:48:56 gcc-ubuntu-tst1 sudo: pam_unix(
10:48:56 gcc-ubuntu-tst1 sudo: pam_unix(
| Tim Ritberg (xpert-reactos) wrote : | #23 |
Some problem on 17.04:
Apr 29 00:30:29 X1 systemd: PAM adding faulty module: pam_winbind.so
Apr 29 00:30:29 X1 systemd: pam_unix(
Apr 29 00:31:46 X1 su[4553]: PAM unable to dlopen(
Also affects Version 2:4.5.8+
| jMurr (jmurchik) wrote : | #25 |
If manually create symlink /lib/x86_
PAM unable to dlopen(
PAM adding faulty module: pam_winbind.so
| tags: | added: server-next |
| ChristianEhrhardt (paelzer) wrote : | #26 |
Not sure if this should be a new bug, opening a zesty task for now until we are sure.
Summary: pam_winbind.so fails to open
Related: bug 1584485
Repro:
$ apt-get install samba winbind libnss-winbind libpam-winbind
$ sed -i -e 's/^passwd: compat/passwd: winbind compat/' /etc/nsswitch.conf
$ systemctl restart smbd nmbd winbind
$ tail -n 5 /var/log/auth.log
May 5 06:31:43 zesty-test groupadd[19598]: group added to /etc/group: name=sambashare, GID=118
May 5 06:31:43 zesty-test groupadd[19598]: group added to /etc/gshadow: name=sambashare
May 5 06:31:43 zesty-test groupadd[19598]: new group: name=sambashare, GID=118
May 5 06:32:08 zesty-test sudo: PAM unable to dlopen(
May 5 06:32:08 zesty-test sudo: PAM adding faulty module: pam_winbind.so
Also the path is different as outlined before:
dpkg -S pam_winbind.so
libpam-
Confirmed at least on zesty for now, but I'm no windbind/pam expert so I struggle to see what is going on without diving much deeper - this might even be just the wrong way to set it up ... ? :-/
| Mario Lipinski (mario.lipinski) wrote : | #27 |
Since this bug was marked as "fixed" for the earlier release, I opened #1677329. Since I am not familiar with launchpad I failed to setup proper relationships for Zesty. So far I would say that libpam-winbind is completely broken on Zesty.
| Changed in samba (Ubuntu): | |
| importance: | Undecided → High |
| assignee: | nobody → Andreas Hasenack (ahasenack) |
| status: | Confirmed → In Progress |
| Andreas Hasenack (ahasenack) wrote : | #28 |
I asked upstream (Debian and Samba) for a review of this patch:
https:/
That could take a while, so until that happens, I'm proposing a different MP to fix this for now and that is to revert the broken patch one more time.
| Launchpad Janitor (janitor) wrote : | #29 |
This bug was fixed in the package samba - 2:4.5.8+
---------------
samba (2:4.5.
* Add extra DEP8 tests to samba (LP: #1696823):
- d/t/control: enable the new DEP8 tests
- d/t/smbclient-
- d/t/smbclient-
an authenticated connection
- d/t/smbclient-
- d/t/cifs-
* Ask the user if we can run testparm against the config file. If yes,
include its stderr and exit status in the bug report. Otherwise, only
include the exit status. (LP: #1694334)
* If systemctl is available, use it to query the status of the smbd
service before trying to reload it. Otherwise, keep the same check
as before and reload the service based on the existence of the
initscript. (LP: #1579597)
* Remove d/p/fix-
module. There is a fixed version of that patch attached to
#1677329 but it has not been vetted yet, so for now it's best
to revert (again) so that pam_winbind can be used.
(LP: #1677329, LP: #1644428)
-- Andreas Hasenack <email address hidden> Mon, 19 Jun 2017 10:49:29 -0700
| Changed in samba (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in samba (Ubuntu Zesty): | |
| status: | New → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → Andreas Hasenack (ahasenack) |
| description: | updated |
| description: | updated |
| description: | updated |
| Andrew Reis (drew-reis) wrote : | #30 |
Confirmed having this problem on fresh Zesty install:
Dell R410
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 17.04
Release: 17.04
Codename: zesty
$ dpkg -l | grep 'samba\
libnss-
libnss-
libnss3:
libpam-
libwbclient0:
python-
samba:2:
samba-common:
samba-common-
samba-dsdb-
samba-libs:
samba-vfs-
winbind:
| Andrew Reis (drew-reis) wrote : | #31 |
Updated packages to latest.
Also having this issue. After symlinking /lib/x86_
Jul 19 12:05:41 hostname login[28882]: PAM unable to dlopen(
Jul 19 12:05:41 hostname login[28882]: PAM adding faulty module: pam_winbind.so
user@hostname:/lib$ dpkg -l | grep 'samba\|winbind' | awk '{print $2" --- "$3}'
libnss-
libpam-
libwbclient0:amd64 --- 2:4.5.8+
python-samba --- 2:4.5.8+
samba --- 2:4.5.8+
samba-common --- 2:4.5.8+
samba-common-bin --- 2:4.5.8+
samba-dsdb-modules --- 2:4.5.8+
samba-libs:amd64 --- 2:4.5.8+
samba-vfs-modules --- 2:4.5.8+
winbind --- 2:4.5.8+
| Andreas Hasenack (ahasenack) wrote : | #32 |
The MP has been up for weeks. Here is a debdiff.
| piviul (piviul) wrote : | #33 |
I have the same problem. The only way to have winbind works again is to install libpam-winbind from scratch? There are no binaries for ubuntu zesty?
Piviul
| Andreas Hasenack (ahasenack) wrote : | #34 |
The fix is stuck in the sponsoring queue, which is huge: http://
I'll try again to ping someone
| Andreas Hasenack (ahasenack) wrote : | #35 |
Package was sponsored, now the sru team needs to take a look.
Hello Lyle, or anyone else affected,
Accepted samba into zesty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
| Changed in samba (Ubuntu Zesty): | |
| status: | In Progress → Fix Committed |
| tags: |
added: verification-needed verification-needed-zesty removed: verification-done |
| Andrew Reis (drew-reis) wrote : | #37 |
Confirmed working:
Distributor ID: Ubuntu
Description: Ubuntu 17.04
Release: 17.04
Codename: zesty
libnss-
libpam-
libwbclient0:amd64 2:4.5.8+
python-samba 2:4.5.8+
samba 2:4.5.8+
samba-common 2:4.5.8+
samba-common-bin 2:4.5.8+
samba-dsdb-modules 2:4.5.8+
samba-libs:amd64 2:4.5.8+
samba-vfs-modules 2:4.5.8+
winbind 2:4.5.8+
| Andreas Hasenack (ahasenack) wrote : | #38 |
@drew-reis, thanks for the verification. Can you please update the bug tags according to the instructions in comment #36?
| tags: |
added: verification-done-zesty removed: verification-needed verification-needed-zesty |
| Launchpad Janitor (janitor) wrote : | #39 |
This bug was fixed in the package samba - 2:4.5.8+
---------------
samba (2:4.5.
* Remove the fix for LP #1584485 as it builds a broken pam_winbind
module. There is a revised version of that patch attached to
#1584485 but it has not been vetted yet, so for now it's best
to revert (again) so that pam_winbind can be used.
(LP: #1677329, LP: #1644428)
- d/p/fix-
- d/rules: remove winbind static build option
-- Andreas Hasenack <email address hidden> Thu, 13 Jul 2017 14:44:16 -0300
| Changed in samba (Ubuntu Zesty): | |
| status: | Fix Committed → Fix Released |
Status changed to 'Confirmed' because the bug affects multiple users.