Trying to build statically linked nss-winbind & pam-winbind

Louis Bouchard louis.bouchard at ubuntu.com
Tue Oct 11 10:01:30 UTC 2016 

Hello,

Le 10/10/2016 18:48, Andreas Schneider a écrit :
> On Monday, 10 October 2016 17:56:23 CEST Louis Bouchard wrote:
>> Hello,
>>
>> I am working in fixing Ubuntu[1] and Debian[2] bugs occuring when upgrading
>> the libnss-winbind and libpam-winbind packages.
>>
>> One option is to provide those libraries as statically linked to avoid ABI
>> breakage when upgrading. This has happened when commands were expecting the
>> old library while the new one is in place.
> 
> This will not work. There is a protocol used between libwbclient and winbind. 
> These packages NEED to be the same version. If you link pam_winbind and 
> nss_winbind statically and winbind gets updated it is likely that your module 
> it not able to talk to winbind anymore!
> 
> The PAM and NSS module and libwbclient need to be updated together with 
> winbind.
> 
> When upgrading PAM and NSS module, the machine probably needs a reboot so that 
> changes are applied.
> 
> 
> To make it clear this is not a Samba issue! It is how PAM and NSS works ...
> 
> 
> Cheers,
> 
> 
> 	-- andreas
> 

First of all, thanks Andreas for your quick reply. While I agree with your
statement, maybe I wasn't clear enough on explaining the problem : The issue
occurs when UPGRADING the libnss-winbind and/or libpam-winbind along with
winbind and libwbclient (they all depend on each other from a packaging point of
view).

If the following configuration exists in /etc/nsswitch.conf :

passwd: winbind compat

there is a window of "opportunity" where commands issued by the packaging
scripts may do dlopen on the new winbind libraries while the *new* shared
libraries part of the samba-lib packages are not yet available. This can lead to
SEGV from those commands, which is exactly what happened during a samba package
upgrade (see LP: #1584485 [1]).

Being able to statically link libnss-winbind and libpam-winbind especially
against the libraries that are part of the samba-lib packages would alleviate
this situation and allow a safe upgrade path for their package.

Kind regards,

..Louis


[1] https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485
-- 
Louis Bouchard
Software engineer,
Ubuntu Developer / Debian Maintainer
GPG : 429D 7A3B DD05 B6F8 AF63  B9C4 8B3D 867C 823E 7A61

More information about the samba-technical mailing list