Package: release.debian.org Severity: normal X-Debbugs-Cc: [email protected] Control: affects -1 + src:samba User: [email protected] Usertags: unblock
Please unblock package samba [ Reason ] There are several changes in this debian release, a few minor packaging fixes, a bugfix from upstream for #1109005, and a long-forgotten fix for another issue, which I wasn't aware of until very recently (when it hit our setup), - #907318. While I've no single doubt about the other changes, - these should go in for trixie, I'm a bit uncertain about the #907318 fix - it changes pam config for winbind (for domain logons) to - finally - include pam-winbind in the account section. While it works fine in our setup (where accounting was missing for years), and while exactly the same setup is done in sssd package (an alternative login mechanism for active directory users), there might be some yet unknown surprize still, which is not a good thing to have this late in the release cycle. Yet I think this change is worth the effort to have in trixie (finally!). [ Impact ] The bugfix for #1109005 should definitely go in, without it, a multi-site Active Directory setup is unreliable and winbind doesn't really work if a remote site becomes unreachable (which isn't an uncommon thing). [ Tests ] This release passes all the usual testing, which is not a surprize having in mind the changes in there - which are minor packaging fixes and a bugfix from upstream. For the fix for #907318, - I verified it works as intended in our setup, and I also tried a few different setups to see how it works in other conditions, - all is working fine so far. [ Risks ] The only possible risky situation is with the pam-winbind fix (#907318). However, having in mind I tested this change in several different scenarious, and other distributions use pam-winbind in a similar (to the new variant) way, there should be no surprizes here. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] The "other minor packaging changes", strictly speaking, are not exactly mandatory, - they're fixing small defects which don't have much effect on the functionality of the package, just makes it look less nice, so to say. Here's a break-down for each change: + * d/python3-talloc.symbols.in: add forgotten epoch number for recent versions + (this doesn't actually affect anything since there were no new symbols with + these versions, but it's better to stay correct) When introducing python3-talloc.symbols, I forgot that the recent versions has epoch (2:). This fixes it just to match the reality, but since there were no actual symbols introduced with these versions of the library, this does not actually affect anything besides making the .symbols file correct. + * fix python3-talloc.symbols generation to not have -debian_revision + or +dfsg/+samba suffix in the version number - just the epoch if any + and the upstream version (fix lintian error) Another fix for python3-talloc.symbols, - wrong version number is used for the main library version symbol. It only affects lintian (who gives error for this). + * d/control: fix winbind:Enhances for libkrb5-26-heimdal which + is libkrb5-26t64-heimdal in trixie and up, keeping in mind possible + backporting to older debian/ubuntu versions (before-trixie build profile) winbind package had Enhances: libkrb5-26-heimdal instead of the renamed libkrb5-26t64-heimdal. It is just Enhances field, but yet it's better to fix it. The fix is done in a way to help me with back-porting this package to previous versions of debian (based on before-trixie build profile). The result for trixie is just the correct libkrb5-26t64-heimdal package is listed in Ehnances: field. + * debian/panic-action: make the wording more user-friendly and steer users + towards configuration and logs (Closes: #1089853) Just some rewording in the script which is invoked when samba is panicking, give a bit better idea to the user about what's going on. It come to my attention because of a bug (#1089853) where the user interpreted a samba panic (which was result of misconfiguration) as a bug in samba, which actually it is not. There's no impact of this change on regular samba operations, but in case of any trouble, the user will have slightly better idea about what's going on. So, all the "minor" packaging changes are really minor, there's much more text in here describing each change than each change is worth :) But all them makes the package just a bit better. The debdiff is below. Thanks, /mjt unblock samba/2:4.22.3+dfsg-4 diff -Nru samba-4.22.3+dfsg/debian/changelog samba-4.22.3+dfsg/debian/changelog --- samba-4.22.3+dfsg/debian/changelog 2025-07-09 17:08:31.000000000 +0300 +++ samba-4.22.3+dfsg/debian/changelog 2025-07-17 13:52:35.000000000 +0300 @@ -1,3 +1,34 @@ +samba (2:4.22.3+dfsg-4) unstable; urgency=medium + + * fix python3-talloc.symbols generation to not have -debian_revision + or +dfsg/+samba suffix in the version number - just the epoch if any + and the upstream version (fix lintian error) + + -- Michael Tokarev <[email protected]> Thu, 17 Jul 2025 13:52:35 +0300 + +samba (2:4.22.3+dfsg-3) unstable; urgency=medium + + [ Sascha Lucas ] + * winbind pam-config: fix account section to actually execute pam_winbind + entries after usually successful cal to pam_unix, in a way how it's done + in sssd (Closes: #907318) + + [ Douglas Bagnall ] + * debian/panic-action: make the wording more user-friendly and steer users + towards configuration and logs (Closes: #1089853) + + [ Michael Tokarev ] + * d/python3-talloc.symbols.in: add forgotten epoch number for recent versions + (this doesn't actually affect anything since there were no new symbols with + these versions, but it's better to stay correct) + * d/control: fix winbind:Enhances for libkrb5-26-heimdal which + is libkrb5-26t64-heimdal in trixie and up, keeping in mind possible + backporting to older debian/ubuntu versions (before-trixie build profile) + * libads-fix-get_kdc_ip_string.patch (upstream fix for #1109005) + (Closes: #1109005) + + -- Michael Tokarev <[email protected]> Tue, 15 Jul 2025 12:42:04 +0300 + samba (2:4.22.3+dfsg-2) unstable; urgency=medium * Revert "d/control,d/rules: ensure we use the most recent talloc/tevent/tdb" diff -Nru samba-4.22.3+dfsg/debian/control samba-4.22.3+dfsg/debian/control --- samba-4.22.3+dfsg/debian/control 2025-07-09 17:08:03.000000000 +0300 +++ samba-4.22.3+dfsg/debian/control 2025-07-13 12:43:43.000000000 +0300 @@ -478,7 +478,9 @@ passwd, ${misc:Depends}, ${shlibs:Depends} -Enhances: libkrb5-26-heimdal <!pkg.samba.mitkrb5> +Enhances: + libkrb5-26t64-heimdal <!pkg.samba.mitkrb5 !pkg.samba.before-trixie>, + libkrb5-26-heimdal <!pkg.samba.mitkrb5 pkg.samba.before-trixie>, Suggests: libnss-winbind, libpam-winbind # 4.16.6+dfsg-5 idmap_{script,rfc2307}.8 moved samba{,-libs} => winbind Breaks: samba (<< 2:4.16.6+dfsg-5~), samba-libs (<< 2:4.16.6+dfsg-5~), diff -Nru samba-4.22.3+dfsg/debian/panic-action samba-4.22.3+dfsg/debian/panic-action --- samba-4.22.3+dfsg/debian/panic-action 2025-07-09 16:54:43.000000000 +0300 +++ samba-4.22.3+dfsg/debian/panic-action 2025-07-13 12:43:43.000000000 +0300 @@ -24,12 +24,14 @@ echo "was called for PID $1 ($BINARYNAME)." echo - echo "This means there was a problem with the program, such as a segfault." + echo "This means the program found itself in a state from which it could not continue." + echo "It could be caused by misconfiguration, a segfault, memory allocation failure," + echo "data corruption, or some other problem." if [ -z "$BINARYNAME" ]; then echo "However, the executable could not be found for process $1." - echo "It may have died unexpectedly, or you may not have permission to debug" - echo "the process." + echo "It may have died unexpectedly, or this script may not have permission to" + echo "debug the process." exit 1 fi @@ -43,7 +45,7 @@ echo "Below is a backtrace for this process generated with gdb, which shows" echo "the state of the program at the time the error occurred. The Samba log" - echo "files may contain additional information about the problem." + echo "files should contain additional information about the problem." echo echo "If the problem persists, you are encouraged to first install the" echo "samba-dbgsym package, which contains the debugging symbols for the Samba" diff -Nru samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch --- samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.22.3+dfsg/debian/patches/libads-fix-get_kdc_ip_string.patch 2025-07-15 12:41:14.000000000 +0300 @@ -0,0 +1,36 @@ +From: Ralph Boehme <[email protected]> +Date: Fri, 4 Jul 2025 17:50:40 +0200 +Subject: libads: fix get_kdc_ip_string() ... +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Bug-Debian: https://bugs.debian.org/1109005 +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/88572cc8f629a737a1d5b33d5800f3692895233f +Forwarded: not-needed + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15881 + +Signed-off-by: Ralph Boehme <[email protected]> +Reviewed-by: Guenther Deschner <[email protected]> + +Autobuild-User(master): Günther Deschner <[email protected]> +Autobuild-Date(master): Mon Jul 7 16:46:29 UTC 2025 on atb-devel-224 +--- + source3/libads/kerberos.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 75803500d31..145bc36cdb2 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -1230,6 +1230,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("netlogon_pings failed: %s\n", nt_errstr(status)); ++ result = talloc_move(mem_ctx, &kdc_str); + goto out; + } + +-- +2.47.2 + diff -Nru samba-4.22.3+dfsg/debian/patches/series samba-4.22.3+dfsg/debian/patches/series --- samba-4.22.3+dfsg/debian/patches/series 2025-07-09 17:03:44.000000000 +0300 +++ samba-4.22.3+dfsg/debian/patches/series 2025-07-15 12:41:14.000000000 +0300 @@ -24,3 +24,4 @@ revert-ldb-use-hexchars_upper-from-replace.h.patch replace-xpg-strerror.patch add-support-for-bind-9.20.patch +libads-fix-get_kdc_ip_string.patch diff -Nru samba-4.22.3+dfsg/debian/python3-talloc.symbols.in samba-4.22.3+dfsg/debian/python3-talloc.symbols.in --- samba-4.22.3+dfsg/debian/python3-talloc.symbols.in 2025-07-09 17:08:04.000000000 +0300 +++ samba-4.22.3+dfsg/debian/python3-talloc.symbols.in 2025-07-13 12:43:43.000000000 +0300 @@ -29,8 +29,8 @@ PYTALLOC_UTIL_2.3.5@PYTALLOC_UTIL_2.3.5 2.3.5 PYTALLOC_UTIL_2.4.0@PYTALLOC_UTIL_2.4.0 2.4.0 PYTALLOC_UTIL_2.4.1@PYTALLOC_UTIL_2.4.1 2.4.1 - PYTALLOC_UTIL_2.4.2@PYTALLOC_UTIL_2.4.2 2.4.2 - PYTALLOC_UTIL_2.4.3@PYTALLOC_UTIL_2.4.3 2.4.3 + PYTALLOC_UTIL_2.4.2@PYTALLOC_UTIL_2.4.2 2:2.4.2 + PYTALLOC_UTIL_2.4.3@PYTALLOC_UTIL_2.4.3 2:2.4.3 _pytalloc_check_type@PYTALLOC_UTIL_2.1.9 2.1.9 _pytalloc_get_mem_ctx@PYTALLOC_UTIL_2.1.6 2.1.6 _pytalloc_get_name@PYTALLOC_UTIL_2.3.0 2.3.0 diff -Nru samba-4.22.3+dfsg/debian/rules samba-4.22.3+dfsg/debian/rules --- samba-4.22.3+dfsg/debian/rules 2025-07-09 17:08:04.000000000 +0300 +++ samba-4.22.3+dfsg/debian/rules 2025-07-15 21:00:21.000000000 +0300 @@ -370,8 +370,10 @@ { \ suff=$$(${DEB_HOST_MULTIARCH}-python3-config --extension-suffix | tr _ -); \ SUFF=$$(echo "$${suff%.so}" | tr a-z- A-Z_); \ + SYM="PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version}"; \ + deb_ver="${talloc-version}"; \ echo "libpytalloc-util$${suff}.2 #PACKAGE# #MINVER#"; \ - echo " PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version}@PYTALLOC_UTIL$${SUFF}_${talloc-upstream-version} ${talloc-version}"; \ + echo " $${SYM}@$${SYM} $${deb_ver%%[-+]*}"; \ cat debian/python3-talloc.symbols.in; \ } > debian/python3-talloc.symbols diff -Nru samba-4.22.3+dfsg/debian/winbind.pam-config samba-4.22.3+dfsg/debian/winbind.pam-config --- samba-4.22.3+dfsg/debian/winbind.pam-config 2025-06-26 09:39:04.000000000 +0300 +++ samba-4.22.3+dfsg/debian/winbind.pam-config 2025-07-13 12:43:43.000000000 +0300 @@ -6,9 +6,10 @@ [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass Auth-Initial: [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login -Account-Type: Primary +Account-Type: Additional Account: - [success=end new_authtok_reqd=done default=ignore] pam_winbind.so + sufficient pam_localuser.so + [default=bad success=ok user_unknown=ignore] pam_winbind.so Password-Type: Primary Password: [success=end default=ignore] pam_winbind.so try_authtok try_first_pass
