libpam-winbind: unable to dlopen

Bug #1677329 reported by Mario Lipinski on 2017-03-29
80
This bug affects 15 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
High
Andreas Hasenack
Zesty
High
Andreas Hasenack

Bug Description

[Impact]

The pam_winbind.so module is unusable in zesty. It won't load because of missing symbols:

Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory

This is due to the (re)introduction of patch fix-1584485.patch which changes the way this module is built, trying to statically link some libraries. That linking was incorrectly done.

The patch was subsequently removed, but later added back again by mistake during a sync.

A new version of the patch exists (https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/323767), but upstream (Samba and Debian) isn't very fond of such a change and asked me to submit it for discussion to the samba-technical mailing list (https://lists.samba.org/archive/samba-technical/2017-June/121139.html).

That was done, but since this could take some time, we decided it's best to revert the patch again.

[Test Case]

In a zesty machine/container:
 * sudo apt install libpam-winbind winbind samba
 * tail -f /var/log/auth.log
 * perform a login on this machine. Via ssh, for example
 * the broken version will log this:
Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
 * The fixed version will load pam_winbind.so just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs:
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] ENTER: pam_sm_open_session (flags: 0x0000)
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)

[Regression Potential]

This reversal has been done before and worked. Right now, the biggest regression potential is to add the broken patch back again.

Reversing this patch will also reintroduce bug #1584485, but I think the configuration that leads to that bug is asking for trouble and I stated as such in a comment (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/43). "winbind" should be listed after "files" or "compat", not before.

That being said, it is my opinion that having a working pam_winbind module benefits more users than the amount of users that could be affected by the particular configuration that leads to #1584485.

[Other Info]

Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.

Related branches

mist (yetanothermist) on 2017-04-03
Changed in samba (Ubuntu):
status: New → Incomplete
status: Incomplete → Confirmed
bernal (registrosbernal) wrote :

I'm having the same problem in a 17.04 final installation.

I can't login with an AD account.

There is some way to solve this login bug?.

Javier Urien (javierurien) wrote :

I am having the same issue.

bernal (registrosbernal) wrote :

I'm my computer this library is located in

/lib/x86_64-linux-gnu/security/pam_winbind.so

i had make a symbolic link /lib/x86_64-linux-gnu/security => /lib/security but this don't solve the problem. The system find the library but it doesn't work anyway.

I only can login with a local user.

Andreas Hasenack (ahasenack) wrote :

I'm taking a look.

Andreas Hasenack (ahasenack) wrote :

Where it works:
2:4.3.11+dfsg-0ubuntu0.14.04.7 trusty
2:4.3.11+dfsg-0ubuntu0.16.04.6 xenial
2:4.4.5+dfsg-2ubuntu5.5 yakkety

Where it fails with this dlopen error:
2:4.5.8+dfsg-0ubuntu0.17.04.1 zesty
artful: probably fails as well, as it's the same package still (but I haven't tried)

Andreas Hasenack (ahasenack) wrote :

The patch d/patches/fix-1584485.patch got reintroduced in 2:4.5.4+dfsg-1ubuntu1 for zesty and it's what causes the problem.

Previously introduced in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.2 to fix said bug, it was quickly reverted in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.3.

We either need to revert that patch again, or make the static linking work properly.

Andreas Hasenack (ahasenack) wrote :
Download full text (3.3 KiB)

$ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so (for Depends field)
Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupName: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxChangeUserPasswordEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxCreate: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxInterfaceDetails: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxFree: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogonUser: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcFreeMemory: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcAddNamedBlob: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupSid: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcSidToStringBuf: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogoffUserEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcErrorString: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxGetpwnam: it's proba...

Read more...

Andreas Hasenack (ahasenack) wrote :

I just did a test build with this and pam_winbind worked for the super simple login test case:
http://pastebin.ubuntu.com/24536839/

diff -Nru samba-4.5.8+dfsg/debian/patches/fix-1584485.patch samba-4.5.8+dfsg/debian/patches/fix-1584485.patch
--- samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-02-09 00:28:33.000000000 +0000
+++ samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-05-08 13:08:52.000000000 +0000
@@ -83,7 +83,7 @@
        bld.SAMBA_LIBRARY('pamwinbind',
                source='pam_winbind.c',
 - deps='talloc wbclient winbind-client tiniparser pam samba_intl',
-+ deps='pamwinbind-static',
++ deps='wbclient pamwinbind-static',
                cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
                realname='pam_winbind.so',
 - install_path='${PAMMODULESDIR}'

There are plenty of other code paths that have to be exercized. Maybe other libraries are missing.

Andreas Hasenack (ahasenack) wrote :

And dpkg-shlibdeps is happy:
http://pastebin.ubuntu.com/24536871/
ubuntu@andreas-zesty-samba-test:~/deb/samba/samba-4.5.8+dfsg⟫ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so (for Depends field)
Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libwbclient.so.0 found in debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
No associated package found for debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Using symbols file debian/libwbclient0/DEBIAN/symbols for libwbclient.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0

Changed in samba (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Changed in samba (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Andreas Hasenack (ahasenack) wrote :
Download full text (3.8 KiB)

A quick pam_winbind authentication test worked with that modification to the patch:

http://pastebin.ubuntu.com/24539032/

May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.100.1 user=BUGTEST\andreas
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] ENTER: pam_sm_authenticate (flags: 0x0001)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): getting password (0x00000389)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): pam_get_item returned a password
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Verify user 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling krb5 login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling cached login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): user 'BUGTEST\andreas' granted access
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Returned user was 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: Accepted password for BUGTEST\\andreas from 10.0.100.1 port 51760 ssh2
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:session): session opened for user BUGTEST\andreas by (uid=0)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] ENTER: pam_sm_open_session (flags: 0x0000)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_systemd(sshd:session): Failed to create session: No such file or directory
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)

and:
andr...

Read more...

tags: added: patch
Andreas Hasenack (ahasenack) wrote :

This is a packaging merge proposal, you should use something like "dpkg-buildpackage -uc -us -b". If you just run ./configure and make in this branch you won't even get the debian patches applied. Unless I misunderstood your goal here, sorry.

jMurr (jmurchik) wrote :

Sorry, my fall!
In this version authentication through ssh at AD works without problem!

Andreas Hasenack (ahasenack) wrote :

Thanks for your test, @jmurchik!

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

I downloaded the srouce and applied the patch. However, compile failed due to allow_undefined_symbols=False. I changed to True and compile succeeded. Installed but still have the same issue. Did I miss something?

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Also, should the symlink to /lib/x86_64-linux-gnu/security still be required after this?

You have to apply all the patches from the Debian package. I suggest to get
the git branch and do a dpkg-buildpackage -uc -us -b

On May 13, 2017 11:25, "Jason Lynn" <email address hidden> wrote:

> Also, should the symlink to /lib/x86_64-linux-gnu/security still be
> required after this?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677329
>
> Title:
> libpam-winbind: unable to dlopen
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/
> 1677329/+subscriptions
>

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Thanks. I was able to finally get it to build but after installing, the samba service will no longer start. It simply times out and leaves nothing the the syslog or the Samba log explaining the reason:

Job for smbd.service failed because a timeout was exceeded.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "start" failed.
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: failed (Result: timeout) since Mon 2017-05-15 17:18:22 EDT; 6ms ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 2812 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed, signal=TERM)
 Main PID: 2812 (code=killed, signal=TERM)
      CPU: 80ms

May 15 17:16:51 ubunbtu-ws systemd[1]: Starting Samba SMB Daemon...
May 15 17:16:51 ubunbtu-ws smbd[2812]: [2017/05/15 17:16:51.993512, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 15 17:16:51 ubunbtu-ws smbd[2812]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Start operation timed out. Terminating.
May 15 17:18:22 ubunbtu-ws systemd[1]: Failed to start Samba SMB Daemon.
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Unit entered failed state.
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Failed with result 'timeout'.

I guess I'm just going to stay broken here until this goes live. I'm sure I did something else wrong.

Andreas Hasenack (ahasenack) wrote :

I can upload the packages to a ppa for you to take a look

On Tue, May 16, 2017 at 9:20 AM, Jason Lynn <email address hidden>
wrote:

> Thanks. I was able to finally get it to build but after installing, the
> samba service will no longer start. It simply times out and leaves
> nothing the the syslog or the Samba log explaining the reason:
>
> Job for smbd.service failed because a timeout was exceeded.
> See "systemctl status smbd.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript smbd, action "start" failed.
> ● smbd.service - Samba SMB Daemon
> Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor
> preset: enabled)
> Active: failed (Result: timeout) since Mon 2017-05-15 17:18:22 EDT; 6ms
> ago
> Docs: man:smbd(8)
> man:samba(7)
> man:smb.conf(5)
> Process: 2812 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed,
> signal=TERM)
> Main PID: 2812 (code=killed, signal=TERM)
> CPU: 80ms
>
> May 15 17:16:51 ubunbtu-ws systemd[1]: Starting Samba SMB Daemon...
> May 15 17:16:51 ubunbtu-ws smbd[2812]: [2017/05/15 17:16:51.993512, 0]
> ../lib/util/become_daemon.c:124(daemon_ready)
> May 15 17:16:51 ubunbtu-ws smbd[2812]: STATUS=daemon 'smbd' finished
> starting up and ready to serve connections
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Start operation timed
> out. Terminating.
> May 15 17:18:22 ubunbtu-ws systemd[1]: Failed to start Samba SMB Daemon.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Unit entered failed
> state.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Failed with result
> 'timeout'.
>
> I guess I'm just going to stay broken here until this goes live. I'm
> sure I did something else wrong.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677329
>
> Title:
> libpam-winbind: unable to dlopen
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/
> 1677329/+subscriptions
>

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Thanks. I was able to finally get it to build but after installing, the samba service will no longer start. It simply times out and leaves nothing the the syslog or the Samba log explaining the reason:

Job for smbd.service failed because a timeout was exceeded.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "start" failed.
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: failed (Result: timeout) since Tue 2017-05-16 09:09:00 EDT; 1min 12s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 5765 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed, signal=TERM)
 Main PID: 5765 (code=killed, signal=TERM)
      CPU: 94ms

May 16 09:07:30 ubuntu-ws systemd[1]: Starting Samba SMB Daemon...
May 16 09:07:30 ubuntu-ws smbd[5765]: [2017/05/16 09:07:30.302843, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 16 09:07:30 ubuntu-ws smbd[5765]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Start operation timed out. Terminating.
May 16 09:09:00 ubuntu-ws systemd[1]: Failed to start Samba SMB Daemon.
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Unit entered failed state.
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Failed with result 'timeout'.

I guess I'm just going to stay broken here until this goes live. I'm sure I did something else wrong.

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Sorry for the double post. But yes, if that's something you would be willing to do so I can:

1.) confirm this patch does resolve the issue for me
2.) or that it doesn't and my compile went fine.

Andreas Hasenack (ahasenack) wrote :

They are building, you can check progress here: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-1677329/+packages

samba is a big package, I bet it will take a few hours to build and publish.

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Andreas, confirmed resolved with packages from your PPA. Not sure where I went wrong when I compiled from the source...but thanks again.

Andreas Hasenack (ahasenack) wrote :

I asked upstream (Debian and Samba) for a review of this patch:

https://lists.samba.org/archive/samba-technical/2017-June/121139.html

That could take a while, so until that happens, I'm proposing a different MP to fix this for now and that is to revert the broken patch one more time.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-2ubuntu2

---------------
samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium

  * Add extra DEP8 tests to samba (LP: #1696823):
    - d/t/control: enable the new DEP8 tests
    - d/t/smbclient-anonymous-share-list: list available shares anonymously
    - d/t/smbclient-authenticated-share-list: list available shares using
      an authenticated connection
    - d/t/smbclient-share-access: create a share and download a file from it
    - d/t/cifs-share-access: access a file in a share using cifs
  * Ask the user if we can run testparm against the config file. If yes,
    include its stderr and exit status in the bug report. Otherwise, only
    include the exit status. (LP: #1694334)
  * If systemctl is available, use it to query the status of the smbd
    service before trying to reload it. Otherwise, keep the same check
    as before and reload the service based on the existence of the
    initscript. (LP: #1579597)
  * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
    module. There is a fixed version of that patch attached to
    #1677329 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)

 -- Andreas Hasenack <email address hidden> Mon, 19 Jun 2017 10:49:29 -0700

Changed in samba (Ubuntu):
status: In Progress → Fix Released
description: updated
description: updated
description: updated
Andrew Reis (drew-reis) wrote :

Does anyone have an update on this?

Confirmed still a problem on Fresh build:
Dell R410

$ uname -a
Linux HOSTNAME 4.10.0-24-generic #28-Ubuntu SMP Wed Jun 14 08:14:34 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 17.04
Release: 17.04
Codename: zesty

$ dpkg -l | grep 'samba\|winbind\|nss' | awk '{print $2":"$3}'
libnss-resolve:amd64:232-21ubuntu4
libnss-winbind:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
libnss3:amd64:2:3.28.4-0ubuntu0.17.04.2
libpam-winbind:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
libwbclient0:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
python-samba:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-common:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-common-bin:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-dsdb-modules:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-libs:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-vfs-modules:2:4.5.8+dfsg-0ubuntu0.17.04.2
winbind:2:4.5.8+dfsg-0ubuntu0.17.04.2

Andreas Hasenack (ahasenack) wrote :

The attached branch that's "ready for review" fixes it, but it needs sponsorship since I can't upload samba, and then an SRU review.

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Hopefully that is soon. I'm still force downgrading to the packages you made after every apt update.

Andreas Hasenack (ahasenack) wrote :

Debdiff that corresponds to the change in the git MP.

Hello Mario, or anyone else affected,

Accepted samba into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Andreas Hasenack (ahasenack) wrote :

zesty verification

Confirming the problem with libpam-winbind:amd64 2:4.5.8+dfsg-0ubuntu0.17.04.4:

Aug 4 20:37:21 zesty-pamwinbind-1677329 sshd[4008]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Aug 4 20:37:21 zesty-pamwinbind-1677329 sshd[4008]: PAM adding faulty module: pam_winbind.so

Updating to the package in proposed:
$ apt-cache policy libpam-winbind
(...)
libpam-winbind:
  Installed: 2:4.5.8+dfsg-0ubuntu0.17.04.5
  Candidate: 2:4.5.8+dfsg-0ubuntu0.17.04.5
  Version table:
 *** 2:4.5.8+dfsg-0ubuntu0.17.04.5 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

/var/log/syslog doesn't complain about the module anymore. I added "debug" to the pam_winbind lines in /etc/pam.d/common-session and got this:
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: Accepted publickey for ubuntu from 10.0.100.1 port 42160 ssh2: RSA SHA256:V7D2Jzg2FqANPnGlbAJWXMc/7AR0AidE7Rl86Bbqais
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_winbind(sshd:session): [pamh: 0x555bedfe1500] ENTER: pam_sm_open_session (flags: 0x0000)
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_winbind(sshd:session): [pamh: 0x555bedfe1500] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
Aug 4 20:41:27 zesty-pamwinbind-1677329 systemd-logind[428]: New session c6 of user ubuntu.

Which confirms the pam_winbind.so module was loaded.

tags: added: verification-done-zesty
removed: verification-needed-zesty

I confirm that libpam-winbind:amd64 2:4.5.8+dfsg-0ubuntu0.17.04.5 fixes this problem

tags: removed: verification-needed
mist (yetanothermist) wrote :

Can confirm as well that 2:4.5.8+dfsg-0ubuntu0.17.04.5 fixes the problem.

Jason Lynn (13l0y-0cooz-k4cyb) wrote :

I can confirm as well.

Nish Aravamudan (nacc) wrote :

Unsubscribing sponsors, as the patch has been sponsored.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.5

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.5) zesty; urgency=medium

  * Remove the fix for LP #1584485 as it builds a broken pam_winbind
    module. There is a revised version of that patch attached to
    #1584485 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)
    - d/p/fix-1584485.patch: drop
    - d/rules: remove winbind static build option

 -- Andreas Hasenack <email address hidden> Thu, 13 Jul 2017 14:44:16 -0300

Changed in samba (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Santiago Gala (sgala) wrote :

Note that when I updated my Ubuntu 17.04 to the package version 2:4.5.8+dfsg-0ubuntu0.17.04.5, it gave an error during install, due to the fact that /tmp is mounted as noexec in ubuntu 17.04:

Preconfiguring packages ...
Can't exec "/tmp/samba-common.config.YEmyIi": Permission denied at /usr/share/perl/5.24/IPC/Open3.pm line 178.
open2: exec of /tmp/samba-common.config.YEmyIi configure 2:4.5.8+dfsg-0ubuntu0.17.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

Andreas Hasenack (ahasenack) wrote :

I have a zesty VM and /tmp is not even in a different mountpoint: it's part of /. Did you partition your machine manually and mounted /tmp with noexec?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers