getent group crashes winbindd on domain controller

Bug #328874 reported by Adrien Cunin on 2009-02-13
Affects Status Importance Assigned to Milestone
The Dell Mini Project
Fix Released
samba (Ubuntu)
Steve Langasek
Mathias Gug
Steve Langasek

Bug Description

Binary package hint: samba

I encountered this bug on a hardy domain controller using winbind to fetch user/group informations from another NT domain (the Samba domain trusts the NT domain). Calling getent group just crashes winbindd, as seen in the log attached.


1. Install samba and winbind 3.0.28a-1ubuntu4.7 from hardy-updates.
2. Configure samba as an NT4 domain controller by setting 'domain logons = yes' in /etc/samba/smb.conf, and also set 'winbind enum users = yes' and 'winbind enum groups = yes'
3. Restart samba and winbind with sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba restart
4. Set up a domain trust to another NT4 domain (Windows NT, or a second Samba instance) using the instructions at
5. edit /etc/nsswitch.conf to list 'group: compat winbind'
6. run 'getent group' and verify that the winbind service has stopped.
7. upgrade samba and winbind to version 3.0.28a-1ubuntu4.8 in hardy-proposed.
8. run 'getent group' again to verify that the winbind service no longer crashes.

Related branches

Adrien Cunin (adri2000) wrote :
Changed in samba:
status: Unknown → Fix Released
Mathias Gug (mathiaz) wrote :

Seems a good candidate for an Hardy SRU. Please prepare a debdiff.

Adrien Cunin (adri2000) on 2009-02-13
Changed in samba:
importance: Undecided → Medium
status: New → Confirmed
assignee: nobody → adri2000
importance: Undecided → Medium
status: New → Confirmed
Adrien Cunin (adri2000) on 2009-02-14
description: updated
Adrien Cunin (adri2000) wrote :

Steve, can you merge the latest version from unstable into jaunty before Thursday?

Changed in samba:
assignee: nobody → vorlon
status: Confirmed → In Progress
Adrien Cunin (adri2000) wrote :

Needs to be uploaded by ubuntu-main-sponsors and ACKed by ubuntu-sru, once the bug is fixed in jaunty.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.3.0-3ubuntu1

samba (2:3.3.0-3ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes:
    + debian/patches/VERSION.patch:
      - setup SAMBA_VERSION_SUFFIX to Ubuntu.
    + debian/smb.conf:
      - add "(Samba, Ubuntu)" to server string.
      - comment out the default [homes] share, and add a comment about
        "valid users = %S" to show users how to restrict access to
        \\server\username to only username.
      - Set 'usershare allow guests', so that usershare admins are
        allowed to create public shares in addition to authenticated
      - add map to guest = Bad user, maps bad username to guest access.
    + debian/samba.postinst:
      - When populating the new samabshare group, it is not an error
        if the user simply does not exist; test for this case and let
        the install continue instead of aborting.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
      - Use priority medium instead of high for the workgroup question.
    + debian/mksambapasswd.awk:
      - Do not add user with UID less than 1000 to smbpasswd.
    + debian/control:
      - Make libpam-smbpasswd depend on libpam-runtime to allow
        libpam-smbpasswd for auto-configuration.
      - Make libwbclient0 replace/conflict with hardy's likewise-open.
    + debian/libpam-smbpass.pam-config, debian/libpam-smbpass.postinst,
      debian/libpam-smbpass.prerm, debian/libpam-smbpass.files,
      - Provide a config block for the new PAM framework to auto-configure
    + debian/rules:
      - enable "native" PIE hardening.
    + Add ufw integration:
      - Created debian/samba.ufw.profile
      - debian/rules, debian/samba.dirs, debian/samba.files: install
      - debian/control: have samba suggest ufw
    + debian/patches/last-char-truncation.patch:
      - Fix compatibility issue with NAS boxes still using Samba 2.2 and
    + debian/winbind.files:
      - include additional files
  * Merged changes:
    + debian/control:
      - Depend on lsb-base >= 3.2-14, which has the status_of_proc()
    + debian/samba.init:
      - Add a 'status' action.
    + debian/winbind.init:
      - Add a PID variable and a 'status' action.
  * Fixes LP: #328874.

samba (2:3.3.0-3) unstable; urgency=low

  [ Steve Langasek ]
  * Re-add smb.conf fixes that were dropped in the 3.3.0 merge to unstable.
  * Make samba conflict with samba4, not with itself.

  [ Debconf translations ]
  * Vietnamese updated. Closes: #515235.
  * Slovak updated. Closes: #515240.

samba (2:3.3.0-2) unstable; urgency=low

  * Upload to unstable

 -- Steve Langasek <email address hidden> Tue, 17 Feb 2009 07:00:42 +0000

Changed in samba:
status: Confirmed → Fix Released
Mathias Gug (mathiaz) wrote :

Uploaded to hardy-proposed

Changed in samba:
assignee: adri2000 → mathiaz
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Accepted into hardy-proposed; please test and give feedback here. Please see for documentation how to enable and use -proposed. Thank you in advance!

Adrien Cunin (adri2000) wrote :

Could the SRU Verification team take a look at this bug please?

Martin Pitt (pitti) wrote :

Adrien, since you reported the bug, your feedback about the packages in -proposed is highly appreciated as well. Does it fix the issue for you, and does the package still work for you?

Adrien Cunin (adri2000) wrote :

Martin, I cannot test the packages in -proposed because I don't have anymore access to the domain controllers where I encountered the bug, but when I had such access, I built and tested my own packages including exactly the same patch with a successful result, and I know the domain controllers have been running using these packages without any problem since then.

Adrien Cunin (adri2000) wrote :

What can be done in such a situation? Isn't the SRU Verification team supposed to test the packages?

Mathias Gug (mathiaz) wrote :

For successful verification two things need to be done:

1. make sure that the patch fixes the bug.

This can be considered done as mentioned in

2. make sure no regressions are introduced.

Considering that the code change is in winbindd, the proposed package should be tested in winbbind environment. Access to a Windows NT/200x PDC is needed. Configuring a system to use winbindd (pam+nss) to authenticate users from the NT domain would be a successful test.
See for more information.

Mathias Gug (mathiaz) wrote :

Another pointer for regression testing is to get the package through the qa-regression-testing tests from samba - although it doesn't cover winbindd (yet):

Adrien Cunin (adri2000) wrote :

Sorry to be repeating myself, but isn't the SRU Verification team supposed to do all these tests?

Also, given that the patch comes from and is approved by upstream, given that it's really tiny, given that it's been in -proposed for more than 3 months with no negative feedback (nor positive, right), would it be possible to assume it's safe to move it to -updates?

Steve Langasek (vorlon) wrote :


Please note that the SRU verification team consists of a handful of folks trying to do verifications across a wide range of packages; for bugs that require deep configurations to reproduce (like setting up an entire NT4 domain), it's far better if users of the package test the uploads since they're already familiar with it.

I'll distill the information in this bug report down to a test case that will hopefully let the verification team finish this up.

On Tue, Jun 23, 2009 at 01:32:18PM -0000, Adrien Cunin wrote:
> given that it's been in -proposed for more than 3
> months with no negative feedback (nor positive, right), would it be
> possible to assume it's safe to move it to -updates?

The lack of positive feedback makes this a risk, since this means we have no
evidence that anyone has tested this upload at all and there may be
regressions when cherry-picking this one patch.

Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer
<email address hidden> <email address hidden>

Steve Langasek (vorlon) wrote :

I've tried to put together a test case in the bug description, but apparently I've overlooked something in the setup that isn't covered very clearly in the samba howtos, because even 'wbinfo -g' fails for me when trying to run this test.

description: updated
Steve Langasek (vorlon) wrote :

Steve Beattie offered the following feedback on IRC:

<sbeattie> re samba; I ran the security team's qa-regression-tests against it, but that doesn't say much about winbind.

This still leaves some risk of regression, but is better than what we had; given the alignment with the 8.04.3 point release I'm going to go ahead with publishing, but this highlights the need for test cases to be established *before* SRUs are accepted into -proposed...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 3.0.28a-1ubuntu4.8

samba (3.0.28a-1ubuntu4.8) hardy-proposed; urgency=low

  * Added debian/patches/fix-winbindd-crash-dc.patch:
     - Fix winbindd crash when calling getent group on domain controller (LP: #328874)
     - upstream commit in 3.0 branch: db4a435d235bedf48d668a0f4418dd46f38044ed
     - upstream bug: #5906

 -- Adrien Cunin <email address hidden> Mon, 16 Feb 2009 22:16:22 +0100

Changed in samba (Ubuntu Hardy):
status: Fix Committed → Fix Released
cvi (green-ww) wrote :


I'm experiencing a similar bug with winbind version 3.3.2 in Ubuntu Jaunty. With an almost identical setup with workstations authenticating against a samba PDC (ldap backend). wbinfo -u & -g works correctly as well as getent passwd, but getent group cause winbind to crash. Using su to log in as a doman member will log me in but the group information is missing as winbind has died during the process.

Changed in samba:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.