Your message dated Sun, 02 Jan 2022 11:03:34 +0000
with message-id <e1n3yee-0005j9...@fasolo.debian.org>
and subject line Bug#1002047: fixed in nss-pam-ldapd 0.9.12-2
has caused the Debian Bug report #1002047,
regarding nslcd silently modifies /etc/nslcd.conf on upgrade, breaking
authentication
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1002047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nslcd
Version: 0.9.11-1
Severity: serious
Justification: Policy 10.7.3
X-Debbugs-Cc: debian...@burzmali.com
Dear Maintainer,
The postinst script of nslcd silently modifies the configuration file
/etc/nslcd.conf on package upgrades. It rewrites or adds settings
without notification to the administrator.
In my case, the script appended "base dc=olddomain,dc=example,dc=org" during
the dist-upgrade from Buster to Bullseye. After reboot, remote and local
login to the server was broken except for root due to this change.
("pam_ldap(login:account): LDAP authorisation check failed;
user=myuser; err=Permission denied").
The postinst script reused a previous domain name that had been manually
overwritten in the configuration file after the initial installation. It
also failed to consider the more precise "bases" that were already
configured:
base passwd ou=people,dc=newdomain,dc=example,dc=org
base shadow ou=people,dc=newdomain,dc=example,dc=org
base group ou=groups,dc=newdomain,dc=example,dc=org
In a related manner, in #819961, the script tried (and failed) to
rewrite the bindpw setting.
I would have expected the script to not modify the existing
configuration or at least to warn me it had been modified.
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-10-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nslcd depends on:
ii adduser 3.118
ii ca-certificates 20210119
ii debconf [debconf-2.0] 1.5.77
ii libc6 2.31-13+deb11u2
ii libgssapi-krb5-2 1.18.3-6+deb11u1
ii libldap-2.4-2 2.4.57+dfsg-3
ii lsb-base 11.1.0
Versions of packages nslcd recommends:
ii bind9-host [host] 1:9.16.22-1~deb11u1
ii ldap-utils 2.4.57+dfsg-3
ii libnss-ldapd [libnss-ldap] 0.9.11-1
ii libpam-ldapd [libpam-ldap] 0.9.11-1
ii nscd 2.31-13+deb11u2
ii nslcd-utils 0.9.11-1
Versions of packages nslcd suggests:
pn kstart <none>
-- debconf information excluded
-- /etc/nslcd.conf before upgrade
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# Daemon configuration
uid nslcd
gid nslcd
# LDAP server
uri ldaps://ldap.example.org
ldap_version 3
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
binddn cn=servername,ou=servers,dc=newdomain,dc=example,dc=org
bindpw *removed*
# Mapping
scope children
base passwd ou=people,dc=newdomain,dc=example,dc=org
base shadow ou=people,dc=newdomain,dc=example,dc=org
base group ou=groups,dc=newdomain,dc=example,dc=org
filter passwd (objectClass=posixAccount)
filter shadow (objectClass=posixAccount)
filter group (gidNumber=*)
map passwd gecos "${cn} (LDAP)"
map passwd loginShell "${loginShell:-/bin/bash}"
map shadow userPassword userPassword
map shadow shadowExpire "${isDisabled:+1}"
map group userPassword "*"
# Local users
nss_initgroups_ignoreusers ALLLOCAL
nss_min_uid 20000
# Authorization
pam_authc_ppolicy yes
pam_authc_search BASE
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(!(isDisabled=*))(!(pwdAccountLockedTime=*)))
--
--- End Message ---
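A check an administrator could run around an upgrade to catch the change described in the report above, as an added example that is not part of the original report or of the nss-pam-ldapd package. The function names are hypothetical, the sample input is constructed from the excerpts quoted in the report, and DNs are split on plain commas (escaped commas in RDN values are not handled).

```python
# Added example: flag global "base" lines that appear in nslcd.conf after an
# upgrade and disagree with the per-map bases already configured.
MAPS = {"alias", "aliases", "ether", "ethers", "group", "host", "hosts",
        "netgroup", "network", "networks", "passwd", "protocol", "protocols",
        "rpc", "service", "services", "shadow"}

def parse_bases(text):
    """Return (global_bases, {map: [dn, ...]}) from nslcd.conf text."""
    global_bases, map_bases = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#") or parts[0].lower() != "base":
            continue
        if len(parts) == 3 and parts[1].lower() in MAPS:
            map_bases.setdefault(parts[1].lower(), []).append(parts[2])
        else:  # "base DN" with no map name applies to every map
            global_bases.append(line.split(None, 1)[1])
    return global_bases, map_bases

def dc_suffix(dn):
    """Lower-cased dc= components of a DN (simplified: plain comma split)."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    return ",".join(r for r in rdns if r.startswith("dc="))

def audit_upgrade(before, after):
    """List global base lines present after the upgrade but not before."""
    old_global, _ = parse_bases(before)
    new_global, new_maps = parse_bases(after)
    map_suffixes = {dc_suffix(d) for dns in new_maps.values() for d in dns}
    findings = []
    for dn in new_global:
        if dn in old_global:
            continue
        note = "added global base %r" % dn
        if map_suffixes and dc_suffix(dn) not in map_suffixes:
            note += " (suffix differs from per-map bases)"
        findings.append(note)
    return findings

# Constructed sample: the base lines quoted in the report, before and after.
BEFORE = """scope children
base passwd ou=people,dc=newdomain,dc=example,dc=org
base shadow ou=people,dc=newdomain,dc=example,dc=org
base group ou=groups,dc=newdomain,dc=example,dc=org
"""
AFTER = BEFORE + "base dc=olddomain,dc=example,dc=org\n"

if __name__ == "__main__":
    for finding in audit_upgrade(BEFORE, AFTER):
        print(finding)
```

In practice the two inputs would be a copy of /etc/nslcd.conf saved before the upgrade and the file as it stands afterwards.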
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.9.12-2
Done: Arthur de Jong <adej...@debian.org>
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <adej...@debian.org> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 02 Jan 2022 11:45:29 +0100
Source: nss-pam-ldapd
Architecture: source
Version: 0.9.12-2
Distribution: unstable
Urgency: medium
Maintainer: Arthur de Jong <adej...@debian.org>
Changed-By: Arthur de Jong <adej...@debian.org>
Closes: 819961 1002047
Changes:
nss-pam-ldapd (0.9.12-2) unstable; urgency=medium
.
* Properly escape square brackets in nslcd.conf changes (closes: #819961)
* Only create socket directory from init script (LP: #1020303)
* Retain empty values in nslcd.conf (closes: #1002047)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---