Ubuntu
samba package

libpam-winbind: unable to dlopen

Bug #1677329 reported by Mario Lipinski
80
This bug affects 15 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
Fix Released
High
Andreas Hasenack
Zesty
Fix Released
High
Andreas Hasenack

Bug Description

[Impact]

The pam_winbind.so module is unusable in zesty. It won't load because of missing symbols:

Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory

This is due to the (re)introduction of patch fix-1584485.patch which changes the way this module is built, trying to statically link some libraries. That linking was incorrectly done.

The patch was subsequently removed, but later added back again by mistake during a sync.

A new version of the patch exists (https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/323767), but upstream (Samba and Debian) isn't very fond of such a change and asked me to submit it for discussion to the samba-technical mailing list (https://lists.samba.org/archive/samba-technical/2017-June/121139.html).

That was done, but since this could take some time, we decided it's best to revert the patch again.

[Test Case]

In a zesty machine/container:
 * sudo apt install libpam-winbind winbind samba
 * tail -f /var/log/auth.log
 * perform a login on this machine. Via ssh, for example
 * the broken version will log this:
Jun 21 13:17:05 zesty-pamwinbind-1677329 systemd: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
 * The fixed version will load pam_winbind.so just fine, but won't log anything (unless you fully setup winbind). It's easier to add "debug" to the pam_winbind.so lines in /etc/pam.d/common-* files and repeat the login, then you get to see it being loaded in the logs:
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] ENTER: pam_sm_open_session (flags: 0x0000)
Jun 21 17:48:52 zesty-pamwinbind-1677329 sshd[18052]: pam_winbind(sshd:session): [pamh: 0x56460f355740] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)

[Regression Potential]

This reversal has been done before and worked. Right now, the biggest regression potential is to add the broken patch back again.

Reversing this patch will also reintroduce bug #1584485, but I think the configuration that leads to that bug is asking for trouble and I stated as such in a comment (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/43). "winbind" should be listed after "files" or "compat", not before.

That being said, it is my opinion that having a working pam_winbind module benefits more users than the amount of users that could be affected by the particular configuration that leads to #1584485.

[Other Info]

Sorry for keeping both bugs open (#1644428 and #1677329), but the history on this issue is a bit complicated with multiple SRUs and regressions.

See original description
mist (yetanothermist)
Changed in samba (Ubuntu):
status: New → Incomplete
status: Incomplete → Confirmed
Revision history for this message
bernal (registrosbernal) wrote :

I'm having the same problem in a 17.04 final installation.

I can't login with an AD account.

There is some way to solve this login bug?.

Revision history for this message
Javier Urien (javierurien) wrote :

I am having the same issue.

Revision history for this message
bernal (registrosbernal) wrote :

I'm my computer this library is located in

/lib/x86_64-linux-gnu/security/pam_winbind.so

i had make a symbolic link /lib/x86_64-linux-gnu/security => /lib/security but this don't solve the problem. The system find the library but it doesn't work anyway.

I only can login with a local user.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm taking a look.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Where it works:
2:4.3.11+dfsg-0ubuntu0.14.04.7 trusty
2:4.3.11+dfsg-0ubuntu0.16.04.6 xenial
2:4.4.5+dfsg-2ubuntu5.5 yakkety

Where it fails with this dlopen error:
2:4.5.8+dfsg-0ubuntu0.17.04.1 zesty
artful: probably fails as well, as it's the same package still (but I haven't tried)

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The patch d/patches/fix-1584485.patch got reintroduced in 2:4.5.4+dfsg-1ubuntu1 for zesty and it's what causes the problem.

Previously introduced in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.2 to fix said bug, it was quickly reverted in https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.3.

We either need to revert that patch again, or make the static linking work properly.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.3 KiB)

$ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so (for Depends field)
 Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupName: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxChangeUserPasswordEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxCreate: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxInterfaceDetails: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxFree: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogonUser: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcFreeMemory: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcAddNamedBlob: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLookupSid: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcSidToStringBuf: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxLogoffUserEx: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcErrorString: it's probably a plugin
dpkg-shlibdeps: warning: debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so contains an unresolvable reference to symbol wbcCtxGetpwnam: it's proba...

Read more...

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I just did a test build with this and pam_winbind worked for the super simple login test case:
http://pastebin.ubuntu.com/24536839/

diff -Nru samba-4.5.8+dfsg/debian/patches/fix-1584485.patch samba-4.5.8+dfsg/debian/patches/fix-1584485.patch
--- samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-02-09 00:28:33.000000000 +0000
+++ samba-4.5.8+dfsg/debian/patches/fix-1584485.patch 2017-05-08 13:08:52.000000000 +0000
@@ -83,7 +83,7 @@
        bld.SAMBA_LIBRARY('pamwinbind',
                source='pam_winbind.c',
 - deps='talloc wbclient winbind-client tiniparser pam samba_intl',
-+ deps='pamwinbind-static',
++ deps='wbclient pamwinbind-static',
                cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
                realname='pam_winbind.so',
 - install_path='${PAMMODULESDIR}'

There are plenty of other code paths that have to be exercized. Maybe other libraries are missing.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

And dpkg-shlibdeps is happy:
http://pastebin.ubuntu.com/24536871/
ubuntu@andreas-zesty-samba-test:~/deb/samba/samba-4.5.8+dfsg⟫ dpkg-shlibdeps -v debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so
>> Scanning debian/libpam-winbind/lib/x86_64-linux-gnu/security/pam_winbind.so (for Depends field)
 Library libpthread.so.0 found in /lib/x86_64-linux-gnu/libpthread.so.0
Library libwbclient.so.0 found in debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Library libbsd.so.0 found in /lib/x86_64-linux-gnu/libbsd.so.0
Library libtalloc.so.2 found in /usr/lib/x86_64-linux-gnu/libtalloc.so.2
Library libpam.so.0 found in /lib/x86_64-linux-gnu/libpam.so.0
Library libc.so.6 found in /lib/x86_64-linux-gnu/libc.so.6
No associated package found for debian/libwbclient0/usr/lib/x86_64-linux-gnu/libwbclient.so.0
Using symbols file debian/libwbclient0/DEBIAN/symbols for libwbclient.so.0
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libc.so.6
Using symbols file /var/lib/dpkg/info/libtalloc2:amd64.symbols for libtalloc.so.2
Using symbols file /var/lib/dpkg/info/libc6:amd64.symbols for libpthread.so.0
Using symbols file /var/lib/dpkg/info/libbsd0:amd64.symbols for libbsd.so.0
Using symbols file /var/lib/dpkg/info/libpam0g:amd64.symbols for libpam.so.0

Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Zesty):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.8 KiB)

A quick pam_winbind authentication test worked with that modification to the patch:

http://pastebin.ubuntu.com/24539032/

May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.100.1 user=BUGTEST\andreas
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] ENTER: pam_sm_authenticate (flags: 0x0001)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): getting password (0x00000389)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): pam_get_item returned a password
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Verify user 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): PAM config: krb5_ccache_type 'FILE'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling krb5 login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling cached login flag
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): enabling request for a FILE krb5 ccache
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): request wbcLogonUser succeeded
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): user 'BUGTEST\andreas' granted access
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): Returned user was 'BUGTEST\andreas'
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:auth): [pamh: 0x558b74961800] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: Accepted password for BUGTEST\\andreas from 10.0.100.1 port 51760 ssh2
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_unix(sshd:session): session opened for user BUGTEST\andreas by (uid=0)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] ENTER: pam_sm_open_session (flags: 0x0000)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_winbind(sshd:session): [pamh: 0x558b74961800] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
May 8 21:13:25 zesty-pamwinbind-1677329 sshd[1221]: pam_systemd(sshd:session): Failed to create session: No such file or directory
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] ENTER: pam_sm_setcred (flags: 0x0002)
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented
May 8 21:13:26 zesty-pamwinbind-1677329 sshd[1310]: pam_winbind(sshd:setcred): [pamh: 0x558b74961800] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)

and:
andr...

Read more...

Andreas Hasenack (ahasenack)
tags: added: patch
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This is a packaging merge proposal, you should use something like "dpkg-buildpackage -uc -us -b". If you just run ./configure and make in this branch you won't even get the debian patches applied. Unless I misunderstood your goal here, sorry.

Revision history for this message
jMurr (jmurchik) wrote :

Sorry, my fall!
In this version authentication through ssh at AD works without problem!

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks for your test, @jmurchik!

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

I downloaded the srouce and applied the patch. However, compile failed due to allow_undefined_symbols=False. I changed to True and compile succeeded. Installed but still have the same issue. Did I miss something?

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Also, should the symlink to /lib/x86_64-linux-gnu/security still be required after this?

Revision history for this message
Andreas Hasenack (ahasenack) wrote : Re: [Bug 1677329] Re: libpam-winbind: unable to dlopen

You have to apply all the patches from the Debian package. I suggest to get
the git branch and do a dpkg-buildpackage -uc -us -b

On May 13, 2017 11:25, "Jason Lynn" <email address hidden> wrote:

> Also, should the symlink to /lib/x86_64-linux-gnu/security still be
> required after this?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677329
>
> Title:
> libpam-winbind: unable to dlopen
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/
> 1677329/+subscriptions
>

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Thanks. I was able to finally get it to build but after installing, the samba service will no longer start. It simply times out and leaves nothing the the syslog or the Samba log explaining the reason:

Job for smbd.service failed because a timeout was exceeded.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "start" failed.
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: failed (Result: timeout) since Mon 2017-05-15 17:18:22 EDT; 6ms ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 2812 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed, signal=TERM)
 Main PID: 2812 (code=killed, signal=TERM)
      CPU: 80ms

May 15 17:16:51 ubunbtu-ws systemd[1]: Starting Samba SMB Daemon...
May 15 17:16:51 ubunbtu-ws smbd[2812]: [2017/05/15 17:16:51.993512, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 15 17:16:51 ubunbtu-ws smbd[2812]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Start operation timed out. Terminating.
May 15 17:18:22 ubunbtu-ws systemd[1]: Failed to start Samba SMB Daemon.
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Unit entered failed state.
May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Failed with result 'timeout'.

I guess I'm just going to stay broken here until this goes live. I'm sure I did something else wrong.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I can upload the packages to a ppa for you to take a look

On Tue, May 16, 2017 at 9:20 AM, Jason Lynn <email address hidden>
wrote:

> Thanks. I was able to finally get it to build but after installing, the
> samba service will no longer start. It simply times out and leaves
> nothing the the syslog or the Samba log explaining the reason:
>
> Job for smbd.service failed because a timeout was exceeded.
> See "systemctl status smbd.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript smbd, action "start" failed.
> ● smbd.service - Samba SMB Daemon
> Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor
> preset: enabled)
> Active: failed (Result: timeout) since Mon 2017-05-15 17:18:22 EDT; 6ms
> ago
> Docs: man:smbd(8)
> man:samba(7)
> man:smb.conf(5)
> Process: 2812 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed,
> signal=TERM)
> Main PID: 2812 (code=killed, signal=TERM)
> CPU: 80ms
>
> May 15 17:16:51 ubunbtu-ws systemd[1]: Starting Samba SMB Daemon...
> May 15 17:16:51 ubunbtu-ws smbd[2812]: [2017/05/15 17:16:51.993512, 0]
> ../lib/util/become_daemon.c:124(daemon_ready)
> May 15 17:16:51 ubunbtu-ws smbd[2812]: STATUS=daemon 'smbd' finished
> starting up and ready to serve connections
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Start operation timed
> out. Terminating.
> May 15 17:18:22 ubunbtu-ws systemd[1]: Failed to start Samba SMB Daemon.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Unit entered failed
> state.
> May 15 17:18:22 ubunbtu-ws systemd[1]: smbd.service: Failed with result
> 'timeout'.
>
> I guess I'm just going to stay broken here until this goes live. I'm
> sure I did something else wrong.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677329
>
> Title:
> libpam-winbind: unable to dlopen
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/
> 1677329/+subscriptions
>

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Thanks. I was able to finally get it to build but after installing, the samba service will no longer start. It simply times out and leaves nothing the the syslog or the Samba log explaining the reason:

Job for smbd.service failed because a timeout was exceeded.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "start" failed.
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: failed (Result: timeout) since Tue 2017-05-16 09:09:00 EDT; 1min 12s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
  Process: 5765 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=killed, signal=TERM)
 Main PID: 5765 (code=killed, signal=TERM)
      CPU: 94ms

May 16 09:07:30 ubuntu-ws systemd[1]: Starting Samba SMB Daemon...
May 16 09:07:30 ubuntu-ws smbd[5765]: [2017/05/16 09:07:30.302843, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 16 09:07:30 ubuntu-ws smbd[5765]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Start operation timed out. Terminating.
May 16 09:09:00 ubuntu-ws systemd[1]: Failed to start Samba SMB Daemon.
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Unit entered failed state.
May 16 09:09:00 ubuntu-ws systemd[1]: smbd.service: Failed with result 'timeout'.

I guess I'm just going to stay broken here until this goes live. I'm sure I did something else wrong.

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Sorry for the double post. But yes, if that's something you would be willing to do so I can:

1.) confirm this patch does resolve the issue for me
2.) or that it doesn't and my compile went fine.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

They are building, you can check progress here: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-1677329/+packages

samba is a big package, I bet it will take a few hours to build and publish.

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Andreas, confirmed resolved with packages from your PPA. Not sure where I went wrong when I compiled from the source...but thanks again.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I asked upstream (Debian and Samba) for a review of this patch:

https://lists.samba.org/archive/samba-technical/2017-June/121139.html

That could take a while, so until that happens, I'm proposing a different MP to fix this for now and that is to revert the broken patch one more time.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-2ubuntu2

---------------
samba (2:4.5.8+dfsg-2ubuntu2) artful; urgency=medium

  * Add extra DEP8 tests to samba (LP: #1696823):
    - d/t/control: enable the new DEP8 tests
    - d/t/smbclient-anonymous-share-list: list available shares anonymously
    - d/t/smbclient-authenticated-share-list: list available shares using
      an authenticated connection
    - d/t/smbclient-share-access: create a share and download a file from it
    - d/t/cifs-share-access: access a file in a share using cifs
  * Ask the user if we can run testparm against the config file. If yes,
    include its stderr and exit status in the bug report. Otherwise, only
    include the exit status. (LP: #1694334)
  * If systemctl is available, use it to query the status of the smbd
    service before trying to reload it. Otherwise, keep the same check
    as before and reload the service based on the existence of the
    initscript. (LP: #1579597)
  * Remove d/p/fix-1584485.patch as it builds a broken pam_winbind
    module. There is a fixed version of that patch attached to
    #1677329 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)

 -- Andreas Hasenack <email address hidden> Mon, 19 Jun 2017 10:49:29 -0700

Changed in samba (Ubuntu):
status: In Progress → Fix Released
Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Andrew Reis (areis422) wrote :

Does anyone have an update on this?

Confirmed still a problem on Fresh build:
Dell R410

$ uname -a
Linux HOSTNAME 4.10.0-24-generic #28-Ubuntu SMP Wed Jun 14 08:14:34 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 17.04
Release: 17.04
Codename: zesty

$ dpkg -l | grep 'samba\|winbind\|nss' | awk '{print $2":"$3}'
libnss-resolve:amd64:232-21ubuntu4
libnss-winbind:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
libnss3:amd64:2:3.28.4-0ubuntu0.17.04.2
libpam-winbind:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
libwbclient0:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
python-samba:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-common:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-common-bin:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-dsdb-modules:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-libs:amd64:2:4.5.8+dfsg-0ubuntu0.17.04.2
samba-vfs-modules:2:4.5.8+dfsg-0ubuntu0.17.04.2
winbind:2:4.5.8+dfsg-0ubuntu0.17.04.2

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The attached branch that's "ready for review" fixes it, but it needs sponsorship since I can't upload samba, and then an SRU review.

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

Hopefully that is soon. I'm still force downgrading to the packages you made after every apt update.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Debdiff that corresponds to the change in the git MP.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted samba into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in samba (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

zesty verification

Confirming the problem with libpam-winbind:amd64 2:4.5.8+dfsg-0ubuntu0.17.04.4:

Aug 4 20:37:21 zesty-pamwinbind-1677329 sshd[4008]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Aug 4 20:37:21 zesty-pamwinbind-1677329 sshd[4008]: PAM adding faulty module: pam_winbind.so

Updating to the package in proposed:
$ apt-cache policy libpam-winbind
(...)
libpam-winbind:
  Installed: 2:4.5.8+dfsg-0ubuntu0.17.04.5
  Candidate: 2:4.5.8+dfsg-0ubuntu0.17.04.5
  Version table:
 *** 2:4.5.8+dfsg-0ubuntu0.17.04.5 500
        500 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

/var/log/syslog doesn't complain about the module anymore. I added "debug" to the pam_winbind lines in /etc/pam.d/common-session and got this:
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: Accepted publickey for ubuntu from 10.0.100.1 port 42160 ssh2: RSA SHA256:V7D2Jzg2FqANPnGlbAJWXMc/7AR0AidE7Rl86Bbqais
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_winbind(sshd:session): [pamh: 0x555bedfe1500] ENTER: pam_sm_open_session (flags: 0x0000)
Aug 4 20:41:27 zesty-pamwinbind-1677329 sshd[6192]: pam_winbind(sshd:session): [pamh: 0x555bedfe1500] LEAVE: pam_sm_open_session returning 0 (PAM_SUCCESS)
Aug 4 20:41:27 zesty-pamwinbind-1677329 systemd-logind[428]: New session c6 of user ubuntu.

Which confirms the pam_winbind.so module was loaded.

tags: added: verification-done-zesty
removed: verification-needed-zesty
Revision history for this message
Marco Antonio Alvarez (surakin) wrote :

I confirm that libpam-winbind:amd64 2:4.5.8+dfsg-0ubuntu0.17.04.5 fixes this problem

tags: removed: verification-needed
Revision history for this message
mist (yetanothermist) wrote :

Can confirm as well that 2:4.5.8+dfsg-0ubuntu0.17.04.5 fixes the problem.

Revision history for this message
Jason Lynn (13l0y-0cooz-k4cyb) wrote :

I can confirm as well.

Revision history for this message
Nish Aravamudan (nacc) wrote :

Unsubscribing sponsors, as the patch has been sponsored.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.8+dfsg-0ubuntu0.17.04.5

---------------
samba (2:4.5.8+dfsg-0ubuntu0.17.04.5) zesty; urgency=medium

  * Remove the fix for LP #1584485 as it builds a broken pam_winbind
    module. There is a revised version of that patch attached to
    #1584485 but it has not been vetted yet, so for now it's best
    to revert (again) so that pam_winbind can be used.
    (LP: #1677329, LP: #1644428)
    - d/p/fix-1584485.patch: drop
    - d/rules: remove winbind static build option

 -- Andreas Hasenack <email address hidden> Thu, 13 Jul 2017 14:44:16 -0300

Changed in samba (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for samba has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Santiago Gala (sgala) wrote :

Note that when I updated my Ubuntu 17.04 to the package version 2:4.5.8+dfsg-0ubuntu0.17.04.5, it gave an error during install, due to the fact that /tmp is mounted as noexec in ubuntu 17.04:

Preconfiguring packages ...
Can't exec "/tmp/samba-common.config.YEmyIi": Permission denied at /usr/share/perl/5.24/IPC/Open3.pm line 178.
open2: exec of /tmp/samba-common.config.YEmyIi configure 2:4.5.8+dfsg-0ubuntu0.17.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I have a zesty VM and /tmp is not even in a different mountpoint: it's part of /. Did you partition your machine manually and mounted /tmp with noexec?

Revision history for this message
Andrew Bartlett (abartlet) wrote :

This was finally fixed properly upstream with this massive patch set https://bugzilla.samba.org/show_bug.cgi?id=14780 for Samba 4.16. A very good reason to upgrade to this release where possible.

By building a properly static (in terms of samba libs at least) pam_winbind.so, there should be no more unresolved symbols.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.