Trying to build statically linked nss-winbind & pam-winbind

L.P.H. van Belle belle at bazuin.nl
Tue Oct 11 12:04:16 UTC 2016 

Hai, 

 

Saw you message on samba-technical. 

Have you tried to change you nsswitch.conf to this setup. 


winbind [success=return notfound=continue unavail=continue tryagain=continue] compat



which seems more logical to me. 

 

 

Greetz, 

 

Louis

 

 

> -----Oorspronkelijk bericht-----

> Van: samba-technical [mailto:samba-technical-bounces at lists.samba.org]

> Namens Louis Bouchard

> Verzonden: dinsdag 11 oktober 2016 12:01

> Aan: Andreas Schneider; samba-technical at lists.samba.org

> Onderwerp: Re: Trying to build statically linked nss-winbind & pam-winbind

> 

> Hello,

> 

> Le 10/10/2016 18:48, Andreas Schneider a écrit :

> > On Monday, 10 October 2016 17:56:23 CEST Louis Bouchard wrote:

> >> Hello,

> >>

> >> I am working in fixing Ubuntu[1] and Debian[2] bugs occuring when

> upgrading

> >> the libnss-winbind and libpam-winbind packages.

> >>

> >> One option is to provide those libraries as statically linked to avoid

> ABI

> >> breakage when upgrading. This has happened when commands were expecting

> the

> >> old library while the new one is in place.

> >

> > This will not work. There is a protocol used between libwbclient and

> winbind.

> > These packages NEED to be the same version. If you link pam_winbind and

> > nss_winbind statically and winbind gets updated it is likely that your

> module

> > it not able to talk to winbind anymore!

> >

> > The PAM and NSS module and libwbclient need to be updated together with

> > winbind.

> >

> > When upgrading PAM and NSS module, the machine probably needs a reboot

> so that

> > changes are applied.

> >

> >

> > To make it clear this is not a Samba issue! It is how PAM and NSS works

> ...

> >

> >

> > Cheers,

> >

> >

> >   -- andreas

> >

> 

> First of all, thanks Andreas for your quick reply. While I agree with your

> statement, maybe I wasn't clear enough on explaining the problem : The

> issue

> occurs when UPGRADING the libnss-winbind and/or libpam-winbind along with

> winbind and libwbclient (they all depend on each other from a packaging

> point of

> view).

> 

> If the following configuration exists in /etc/nsswitch.conf :

> 

> passwd: winbind compat

> 

> there is a window of "opportunity" where commands issued by the packaging

> scripts may do dlopen on the new winbind libraries while the *new* shared

> libraries part of the samba-lib packages are not yet available. This can

> lead to

> SEGV from those commands, which is exactly what happened during a samba

> package

> upgrade (see LP: #1584485 [1]).

> 

> Being able to statically link libnss-winbind and libpam-winbind especially

> against the libraries that are part of the samba-lib packages would

> alleviate

> this situation and allow a safe upgrade path for their package.

> 

> Kind regards,

> 

> ..Louis

> 

> 

> [1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485

> --

> Louis Bouchard

> Software engineer,

> Ubuntu Developer / Debian Maintainer

> GPG : 429D 7A3B DD05 B6F8 AF63  B9C4 8B3D 867C 823E 7A61

 

More information about the samba-technical mailing list