getent group crashes winbindd on domain controller

Bug #328874 reported by Adrien Cunin
Affects | Status | Importance | Assigned to | Milestone
The Dell Mini Project | New | Undecided | Unassigned |
samba | Fix Released | Medium | |
samba (Ubuntu) | Fix Released | Medium | Steve Langasek |
Hardy | Fix Released | Medium | Mathias Gug |
Jaunty | Fix Released | Medium | Steve Langasek |

Bug Description

Binary package hint: samba

I encountered this bug on a hardy domain controller using winbind to fetch user/group information from another NT domain (the Samba domain trusts the NT domain). Calling getent group just crashes winbindd, as seen in the log attached.

TEST CASE:

1. Install samba and winbind 3.0.28a-1ubuntu4.7 from hardy-updates.
2. Configure samba as an NT4 domain controller by setting 'domain logons = yes' in /etc/samba/smb.conf, and also set 'winbind enum users = yes' and 'winbind enum groups = yes'.
3. Restart samba and winbind with 'sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba restart'.
4. Set up a domain trust to another NT4 domain (Windows NT, or a second Samba instance) using the instructions at http://man.chinaunix.net/newsoft/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2577358
5. Edit /etc/nsswitch.conf to list 'group: compat winbind'.
6. Run 'getent group' and verify that the winbind service has stopped.
7. Upgrade samba and winbind to version 3.0.28a-1ubuntu4.8 in hardy-proposed.
8. Run 'getent group' again to verify that the winbind service no longer crashes.
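
The checks in steps 5, 6 and 8 can be scripted. The following is an added example, not part of the bug report or of the Ubuntu packages; it uses 'wbinfo -p' (the winbindd ping) as the liveness probe, and the function names and the WB_PING and WB_SETTLE variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example: scripted form of steps 5, 6 and 8 of the test case above.
# WB_PING is the liveness probe ('wbinfo -p' pings winbindd); WB_SETTLE is the
# number of seconds to wait after the lookup. Both names are assumptions.
: "${WB_PING:=wbinfo -p}"

# Step 5: succeed only if the "group:" line of the given nsswitch.conf
# lists winbind as a source (commented-out lines do not count).
nss_group_uses_winbind() {
    grep -Eq '^[[:space:]]*group:(.*[[:space:]])?winbind([[:space:]]|$)' "$1"
}

# Steps 6 and 8: run the lookup command given as arguments and report whether
# winbindd still answers afterwards.
# Returns 0 = still alive, 1 = died during the lookup, 2 = not running before.
lookup_keeps_winbind_alive() {
    $WB_PING >/dev/null 2>&1 || return 2
    # The lookup's own exit status is irrelevant; only the daemon matters.
    "$@" >/dev/null 2>&1 || true
    sleep "${WB_SETTLE:-1}"
    $WB_PING >/dev/null 2>&1 || return 1
    return 0
}

# Full check: run once on the old package and once after the upgrade.
verify_getent_group() {
    nsswitch=${1:-/etc/nsswitch.conf}
    if ! nss_group_uses_winbind "$nsswitch"; then
        echo "SKIP: 'group:' in $nsswitch does not list winbind"
        return 3
    fi
    rc=0
    lookup_keeps_winbind_alive getent group || rc=$?
    case $rc in
        0) echo "PASS: winbindd survived 'getent group'" ;;
        1) echo "FAIL: winbindd stopped answering after 'getent group'" ;;
        2) echo "ERROR: winbindd was not answering before the test" ;;
    esac
    return "$rc"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verify_getent_group "${2:-/etc/nsswitch.conf}"
fi
```

Run it with --run on 3.0.28a-1ubuntu4.7 (expected: FAIL), restart winbind, upgrade, and run it again (expected: PASS).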

Adrien Cunin (adri2000) wrote :
Changed in samba:
status: Unknown → Fix Released

Mathias Gug (mathiaz) wrote :

Seems a good candidate for a Hardy SRU. Please prepare a debdiff.

Adrien Cunin (adri2000)
Changed in samba:
importance: Undecided → Medium
status: New → Confirmed
assignee: nobody → adri2000
importance: Undecided → Medium
status: New → Confirmed
Adrien Cunin (adri2000)
description: updated

Adrien Cunin (adri2000) wrote :

Steve, can you merge the latest version from unstable into jaunty before Thursday?

Changed in samba:
assignee: nobody → vorlon
status: Confirmed → In Progress

Adrien Cunin (adri2000) wrote :

Needs to be uploaded by ubuntu-main-sponsors and ACKed by ubuntu-sru, once the bug is fixed in jaunty.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.3.0-3ubuntu1

---------------
samba (2:3.3.0-3ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes:
    + debian/patches/VERSION.patch:
      - setup SAMBA_VERSION_SUFFIX to Ubuntu.
    + debian/smb.conf:
      - add "(Samba, Ubuntu)" to server string.
      - comment out the default [homes] share, and add a comment about
        "valid users = %S" to show users how to restrict access to
        \\server\username to only username.
      - Set 'usershare allow guests', so that usershare admins are
        allowed to create public shares in addition to authenticated
        ones.
      - add map to guest = Bad user, maps bad username to guest access.
    + debian/samba.postinst:
      - When populating the new samabshare group, it is not an error
        if the user simply does not exist; test for this case and let
        the install continue instead of aborting.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
      - Use priority medium instead of high for the workgroup question.
    + debian/mksambapasswd.awk:
      - Do not add user with UID less than 1000 to smbpasswd.
    + debian/control:
      - Make libpam-smbpasswd depend on libpam-runtime to allow
        libpam-smbpasswd for auto-configuration.
      - Make libwbclient0 replace/conflict with hardy's likewise-open.
    + debian/libpam-smbpass.pam-config, debian/libpam-smbpass.postinst,
      debian/libpam-smbpass.prerm, debian/libpam-smbpass.files,
      debian/rules:
      - Provide a config block for the new PAM framework to auto-configure
        itself
    + debian/rules:
      - enable "native" PIE hardening.
    + Add ufw integration:
      - Created debian/samba.ufw.profile
      - debian/rules, debian/samba.dirs, debian/samba.files: install
        profile
      - debian/control: have samba suggest ufw
    + debian/patches/last-char-truncation.patch:
      - Fix compatibility issue with NAS boxes still using Samba 2.2 and
        earlier.
    + debian/winbind.files:
      - include additional files
  * Merged changes:
    + debian/control:
      - Depend on lsb-base >= 3.2-14, which has the status_of_proc()
        function.
    + debian/samba.init:
      - Add a 'status' action.
    + debian/winbind.init:
      - Add a PID variable and a 'status' action.
  * Fixes LP: #328874.

samba (2:3.3.0-3) unstable; urgency=low

  [ Steve Langasek ]
  * Re-add smb.conf fixes that were dropped in the 3.3.0 merge to unstable.
  * Make samba conflict with samba4, not with itself.

  [ Debconf translations ]
  * Vietnamese updated. Closes: #515235.
  * Slovak updated. Closes: #515240.

samba (2:3.3.0-2) unstable; urgency=low

  * Upload to unstable

 -- Steve Langasek <email address hidden> Tue, 17 Feb 2009 07:00:42 +0000

Changed in samba:
status: Confirmed → Fix Released

Mathias Gug (mathiaz) wrote :

Uploaded to hardy-proposed

Changed in samba:
assignee: adri2000 → mathiaz
status: In Progress → Fix Committed

Martin Pitt (pitti) wrote :

Accepted into hardy-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Adrien Cunin (adri2000) wrote :

Could the SRU Verification team take a look at this bug please?

Martin Pitt (pitti) wrote :

Adrien, since you reported the bug, your feedback about the packages in -proposed is highly appreciated as well. Does it fix the issue for you, and does the package still work for you?

Adrien Cunin (adri2000) wrote :

Martin, I cannot test the packages in -proposed because I no longer have access to the domain controllers where I encountered the bug, but when I had such access, I built and tested my own packages including exactly the same patch with a successful result, and I know the domain controllers have been running using these packages without any problem since then.

Adrien Cunin (adri2000) wrote :

What can be done in such a situation? Isn't the SRU Verification team supposed to test the packages?

Mathias Gug (mathiaz) wrote :

For successful verification two things need to be done:

1. make sure that the patch fixes the bug.

This can be considered done as mentioned in https://bugs.launchpad.net/ubuntu/+source/samba/+bug/328874/comments/10.

2. make sure no regressions are introduced.

Considering that the code change is in winbindd, the proposed package should be tested in a winbind environment. Access to a Windows NT/200x PDC is needed. Configuring a system to use winbindd (pam+nss) to authenticate users from the NT domain would be a successful test.
See http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html for more information.

Mathias Gug (mathiaz) wrote :

Another pointer for regression testing is to get the package through the qa-regression-testing tests from samba - although it doesn't cover winbindd (yet):

http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/test-samba.py

Adrien Cunin (adri2000) wrote :

Sorry to be repeating myself, but isn't the SRU Verification team supposed to do all these tests?

Also, given that the patch comes from and is approved by upstream, given that it's really tiny, given that it's been in -proposed for more than 3 months with no negative feedback (nor positive, right), would it be possible to assume it's safe to move it to -updates?

Steve Langasek (vorlon) wrote :

Adrien,

Please note that the SRU verification team consists of a handful of folks trying to do verifications across a wide range of packages; for bugs that require deep configurations to reproduce (like setting up an entire NT4 domain), it's far better if users of the package test the uploads since they're already familiar with it.

I'll distill the information in this bug report down to a test case that will hopefully let the verification team finish this up.

Steve Langasek (vorlon) wrote : Re: [Bug 328874] Re: getent group crashes winbindd on domain controller

On Tue, Jun 23, 2009 at 01:32:18PM -0000, Adrien Cunin wrote:
> given that it's been in -proposed for more than 3
> months with no negative feedback (nor positive, right), would it be
> possible to assume it's safe to move it to -updates?

The lack of positive feedback makes this a risk, since this means we have no
evidence that anyone has tested this upload at all and there may be
regressions when cherry-picking this one patch.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
<email address hidden>                              <email address hidden>

Steve Langasek (vorlon) wrote :

I've tried to put together a test case in the bug description, but apparently I've overlooked something in the setup that isn't covered very clearly in the samba howtos, because even 'wbinfo -g' fails for me when trying to run this test.

description: updated

Steve Langasek (vorlon) wrote :

Steve Beattie offered the following feedback on IRC:

<sbeattie> re samba; I ran the security team's qa-regression-tests against it, but that doesn't say much about winbind.

This still leaves some risk of regression, but is better than what we had; given the alignment with the 8.04.3 point release I'm going to go ahead with publishing, but this highlights the need for test cases to be established *before* SRUs are accepted into -proposed...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 3.0.28a-1ubuntu4.8

---------------
samba (3.0.28a-1ubuntu4.8) hardy-proposed; urgency=low

  * Added debian/patches/fix-winbindd-crash-dc.patch:
     - Fix winbindd crash when calling getent group on domain controller (LP: #328874)
     - upstream commit in 3.0 branch: db4a435d235bedf48d668a0f4418dd46f38044ed
     - upstream bug: #5906

 -- Adrien Cunin <email address hidden> Mon, 16 Feb 2009 22:16:22 +0100

Changed in samba (Ubuntu Hardy):
status: Fix Committed → Fix Released

cvi (green-ww) wrote :

Hello,

I'm experiencing a similar bug with winbind version 3.3.2 in Ubuntu Jaunty, with an almost identical setup with workstations authenticating against a samba PDC (ldap backend). wbinfo -u & -g work correctly, as does getent passwd, but getent group causes winbind to crash. Using su to log in as a domain member will log me in, but the group information is missing as winbind has died during the process.

Changed in samba:
importance: Unknown → Medium