Your message dated Tue, 22 Dec 2009 22:53:52 +0000
with message-id <e1nndc0-0006e9...@ries.debian.org>
and subject line Bug#552433: fixed in nss-ldapd 0.6.7.2
has caused the Debian Bug report #552433,
regarding libnss-ldapd: ignores case of uids
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
552433: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552433
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnss-ldapd
Version: 0.6.7.1
Severity: grave
Justification: causes non-serious data loss

Hello.

I've got a problem with the libnss-ldapd package.  In my environment, any
(non-root) local user can break normal work of any other user.

The problem is, nss-ldapd does strange things with the case of uids. For
example:
bash$ id
uid=NNN(sasha) gid=ZZZ(zzz) groups=...
bash$ id SasHa
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id sasha
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...
bash$ id
uid=NNN(SasHa) gid=ZZZ(zzz) groups=...

So, nss now thinks that I'm SasHa, not sasha. As a result, when I run
"ssh otherhost" it does not work (just because pam can't authorise
SasHa, it knows only sasha).  In the same way, all other Kerberos
services stop working for me.

I see 2 problems here:
1. The only way to "revert" me from SasHa back to sasha is LONG timeout
   or "nscd -i passwd" from root.  Both ways may be unavailable.
2. ANY USER may call "id SasHa" on this machine, and the other user will
   get his things broken.


Looking at the changelog, I see this problem fixed in version 0.6.11:
Changes: This release fixes a couple of bugs in the username to group mapping 
and a problem with too many uidNumber or uidNumber attributes in the LDAP 
server. Name lookups are now also case-sensitive for group, netgroup, passwd, 
protocols, RPC, services, and shadow maps.


I've tried libnss-ldapd=0.7.1 (sources from sid, compiled on lenny) and
it works perfectly.  It would be nice to get this problem fixed in the
next stable update.

Thank you for your work,
    Alexandra.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1   Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
ii  libpam-ldap                   184-4.2    Pluggable Authentication Module fo
ii  nscd                          2.7-18     GNU C Library: Name Service Cache 

libnss-ldapd suggests no packages.

-- debconf information:
* libnss-ldapd/ldap-base: dc=oktetlabs,dc=ru
* libnss-ldapd/nsswitch: passwd, group, shadow
* libnss-ldapd/ldap-binddn:
* libnss-ldapd/ldap-uris: ldap://ldap.oktetlabs.ru/ ldap://ldaps.oktetlabs.ru/
  libnss-ldapd/clean_nsswitch: false

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: sa...@oktetlabs.ru



--- End Message ---
--- Begin Message ---
Source: nss-ldapd
Source-Version: 0.6.7.2

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.7.2_i386.deb
  to main/n/nss-ldapd/libnss-ldapd_0.6.7.2_i386.deb
nss-ldapd_0.6.7.2.dsc
  to main/n/nss-ldapd/nss-ldapd_0.6.7.2.dsc
nss-ldapd_0.6.7.2.tar.gz
  to main/n/nss-ldapd/nss-ldapd_0.6.7.2.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 552...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adej...@debian.org> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 20 Dec 2009 13:00:00 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.7.2
Distribution: stable
Urgency: high
Maintainer: Arthur de Jong <adej...@debian.org>
Changed-By: Arthur de Jong <adej...@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 552433
Changes: 
 nss-ldapd (0.6.7.2) stable; urgency=high
 .
   * security upload to proposed-updates
   * perform case-sensitive filtering for group, netgroup, passwd, protocols,
     rpc, services and shadow lookups to prevent denial of service in nscd
     and possibly wrong privileges assigned (closes: #552433)
     (fix back-ported from 0.6.11)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksuHx4ACgkQVYan35+NCKcRSwCdFHJX66nph9ua69naT9A8iWuN
0M4AoJ33HP3hVhka13bRknXPATdRY445
=czvZ
-----END PGP SIGNATURE-----



--- End Message ---
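
A simplified model of the cache effect described in the report and of the case-sensitive filtering named in the 0.6.7.2 changelog, as an added example (not code from nss-ldapd or from either message). The directory entry, the uid number 1000, the single-slot cache and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data: one directory entry, one cache slot. */
struct entry { const char *uid; int uidnumber; };
static const struct entry directory[] = { { "sasha", 1000 } };

static char cached_name[32];   /* toy stand-in for nscd's by-uid cache */
static int  cached_uid = -1;

/* Directory search: the LDAP uid attribute matches case-insensitively. */
static const struct entry *dir_search(const char *name) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcasecmp(directory[i].uid, name) == 0)
            return &directory[i];
    return NULL;
}

/* Lookup by name; a hit is cached under its uid number.
 * case_sensitive=0 models the behaviour in the report (the answer carries
 * the requested spelling); case_sensitive=1 adds the client-side filter. */
static int lookup_by_name(const char *name, int case_sensitive) {
    const struct entry *e = dir_search(name);
    if (e == NULL)
        return -1;
    if (case_sensitive && strcmp(e->uid, name) != 0)
        return -1;                      /* spelling differs: not found */
    snprintf(cached_name, sizeof cached_name, "%s", name);
    cached_uid = e->uidnumber;
    return e->uidnumber;
}

/* What a later by-uid lookup (plain `id`) would be told. */
static const char *name_for_uid(int uid) {
    return uid == cached_uid ? cached_name : NULL;
}

int main(void) {
    lookup_by_name("sasha", 0);
    lookup_by_name("SasHa", 0);         /* wrong case accepted and cached */
    printf("unfiltered: uid 1000 -> %s\n", name_for_uid(1000));
    lookup_by_name("sasha", 1);
    lookup_by_name("SasHa", 1);         /* rejected, cache untouched */
    printf("filtered:   uid 1000 -> %s\n", name_for_uid(1000));
    return 0;
}
```
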
