Samba automatic account creation assumes local accounts

Bug #342056 reported by Aaron J. Zirbes
Affects: samba (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Declined for Intrepid by Steve Langasek

Bug Description

Binary package hint: samba

Samba's mksmbpasswd, called from samba postinst, should not create accounts if the passwd or shadow line of /etc/nsswitch.conf contains "ldap" (or in that case, anything other than "compat" or "files").

It tried creating hundreds of user accounts that were from LDAP.

If nsswitch.conf is using LDAP, there is a VERY HIGH CHANCE that Samba will be using LDAP as well, and therefore smbpasswd is unnecessary.

ProblemType: Package
Architecture: amd64
DistroRelease: Ubuntu 8.10
ErrorMessage: subprocess post-installation script killed by signal (Interrupt)
NonfreeKernelModules: fglrx
Package: samba 2:3.2.3-1ubuntu3.4
SourcePackage: samba
Title: package samba 2:3.2.3-1ubuntu3.4 failed to install/upgrade: subprocess post-installation script killed by signal (Interrupt)
Uname: Linux 2.6.27-11-generic x86_64
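
The check requested in the description above, sketched as an added example; it is not the reporter's attached patch (which is not shown on this page) and not code from the samba package. The function names `nss_sources` and `local_accounts_only` are hypothetical, the nsswitch.conf content is a constructed sample, and a database with no line in the file is assumed to be local.

```shell
#!/bin/sh
# Added example, not the samba postinst. Function names are hypothetical.

# nss_sources FILE DATABASE: print the sources configured for DATABASE,
# one per line, skipping comments and actions such as [NOTFOUND=return].
nss_sources() {
    awk -v db="$2:" '
        { sub(/#.*/, ""); sub(/[ \t]*:[ \t]*/, ": ") }
        $1 == db {
            in_action = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) in_action = 1
                if (!in_action) print $i
                if ($i ~ /\]$/) in_action = 0
            }
        }' "$1"
}

# local_accounts_only FILE: succeed only if passwd and shadow resolve
# solely through "compat" or "files". Assumption: a database with no
# line in FILE is treated as local.
local_accounts_only() {
    for db in passwd shadow; do
        for src in $(nss_sources "$1" "$db"); do
            case "$src" in
                compat|files) ;;
                *) return 1 ;;
            esac
        done
    done
    return 0
}

# Constructed sample: accounts come from LDAP after local files.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:   files ldap
group:    files ldap
shadow:   files [NOTFOUND=return] ldap
hosts:    files dns
EOF
if local_accounts_only "$sample"; then
    echo "local accounts only: populate smbpasswd as before"
else
    echo "non-local NSS source configured: skip smbpasswd population"
fi
rm -f "$sample"
```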

Aaron J. Zirbes (ajz) wrote :

I've created a diff file patch for the following files. Please review and test.

debian/samba.postinst
packaging/Debian/debian-unstable/samba.postinst
packaging/Debian/debian-sarge/samba.postinst
packaging/Debian/debian-woody/samba.postinst

Changed in samba:
assignee: nobody → ajz
status: New → Confirmed
Steve Langasek (vorlon) wrote :

This additional variable is unnecessary; the check should simply modify the default for the 'GENERATE_SMBPASSWD' variable if anything.

Also, I don't agree that it's correct to assume "users in LDAP" implies "samba in LDAP". Even if it does, the samba package won't read from LDAP out of the box; it will require additional configuration after installation - so I don't think it's unreasonable to continue to populate passdb.tdb by default.

And normally, 'getent passwd' will not enumerate users from LDAP. It's strange that it does in your case.

Chuck Short (zulcss) wrote :

Probably too late for lucid now. Will look again for lucid+1.

chuck

Changed in samba (Ubuntu):
status: Confirmed → Triaged
Aaron J. Zirbes (ajz) wrote :

As our organization is moving away from NT4 style domains, our Samba servers are being moved into AD, and I'll no longer be able to test this bug. (It also will no longer affect me.)

Aaron J. Zirbes (ajz) wrote :

Bump.

Just did a few fresh installs of lucid and this install script iterated through all 200+ accounts in the LDAP directory. Each account takes 3 seconds, causing the total install time to take over 5 minutes.

THIS IS A BAD THING. THIS NEEDS TO BE FIXED.

Chuck Short (zulcss)
Changed in samba (Ubuntu):
importance: Undecided → Wishlist
Christian Perrier (bubulle) wrote :

The mksmbpasswd call has been dropped in Debian 2:3.6.5-2. So that should make it in Ubuntu one day or another.

Jelmer Vernooij (jelmer)
Changed in samba (Ubuntu):
assignee: Aaron J. Zirbes (ajz) → nobody
status: Triaged → Fix Released