[Pkg-samba-maint] Bug#532859: Bug#532859: closed by Christian Perrier <bubulle at debian.org> (Re: Bug#532859: sambaPwdLastSet became a mandatory ldapsam attribute with no warning)

Josip Rodin joy at debbugs.entuzijast.net
Tue Aug 18 10:50:50 UTC 2009


On Mon, Aug 17, 2009 at 04:11:02PM -0700, Steve Langasek wrote:
> On Mon, Aug 17, 2009 at 09:30:13AM +0200, Christian Perrier wrote:
> > Why this one and not the gazillion other changes introduced by
> > upstream? Imagine what we would then have to document when squeeze is
> > released (with a 3.2.5->3.4.whatever bump).
> 
> > Samba's upstream often does behavioural changes similar to this one. I
> > don't think that the Debian package users would benefit from us
> > documenting each and every upstream change in NEWS.Debian. 
> 
> I think this is a change that it would have been a good idea to document in
> NEWS.Debian, or to automatically provide a transition for on upgrade, *if*
> the issue had been noticed sooner.
> 
> So long after the change was made, I don't think it makes sense to go back
> and add it to NEWS.Debian now.

People who have not done the etch->lenny upgrade yet would appreciate it.
There will be those for many months to come - and their hesitation is not
entirely unwarranted judging by this example. Right now if they stumble upon
this problem at least they get exact instructions from the BTS, but before
this bug report they were on their own, and that was four months into the
life of Samba 3.2 packages in 'stable'.

Samba-run domains are usually production server software so it stands to
reason that they won't get all that much actual upgrade testing during our
testing cycle - it takes a fair bit of work to set up in the first place
(not just on Debian machines but on the remainder of the domain as well),
I'm guessing that few people want to spend time upgrading their DCs to
testing versions and continuously risk upgrade problems. Obviously this
strategy is self-defeating if most people apply it, but still...

Anyway, this problem could be detected in the code if there was a way for
the ldapsam code to deliver the message (either to the admin or to the
generic auth code) that the LDAP backend was faulty, i.e. that it doesn't
have the mandatory sambaPwdLastSet field (at all) even though the auth code
is searching for it.

The solution would be pretty much the same as the solution for the SNAFU
SIDs in #474108 and for the sambaGroupMapping handler mentioned in #520309 -
when faced with a potential problem with the LDAP database, the code should
simply say something about it in the log; ignoring it can easily lead to
problems.

Alternatively, or in addition, the package upgrade scripts could check for
usage of ldapsam in smb.conf and if so show a debconf note saying "check
the documentation again to make sure your old LDAP backend won't break your
domain".

-- 
     2. That which causes joy or happiness.
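
The upgrade-time check suggested above, sketched as an added example that is not part of the original message or of the Debian samba package: it tests whether smb.conf selects an ldapsam backend and, going one step further than the message, lists the accounts in an LDIF export of the directory that lack sambaPwdLastSet. The function names, the LDIF export file and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Succeed if [global] sets "passdb backend" to ldapsam. Samba ignores case
# and whitespace in parameter names, so normalise the key first.
uses_ldapsam() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s)
                      in_global = (s ~ /^\[global\]/); next }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            if (key == "passdbbackend")
                found = (tolower(substr($0, eq + 1)) ~ /ldapsam/)
        }
        END { exit !found }
    ' "$1"
}

# Print the dn of each sambaSamAccount entry in an LDIF export that has no
# sambaPwdLastSet attribute. Folded lines and base64 values are not decoded.
missing_pwdlastset() {
    awk -v RS= '{
        n = split($0, line, "\n"); dn = ""; sam = has = 0
        for (i = 1; i <= n; i++) {
            l = tolower(line[i])
            if (l ~ /^dn:/) dn = line[i]
            if (l ~ /^objectclass: *sambasamaccount *$/) sam = 1
            if (l ~ /^sambapwdlastset:/) has = 1
        }
        if (sam && !has) print dn
    }' "$1"
}

make_samples() {   # constructed sample input written into directory $1
    printf '%s\n' '[Global]' '  ; passdb backend = tdbsam' \
        '  Passdb Backend = ldapsam:ldap://ldap.example.org' > "$1/smb.conf"
    printf '%s\n' 'dn: uid=alice,ou=People,dc=example,dc=org' \
        'objectClass: sambaSamAccount' 'sambaPwdLastSet: 1250592650' '' \
        'dn: uid=bob,ou=People,dc=example,dc=org' \
        'objectClass: sambaSamAccount' 'sambaSID: S-1-5-21-1-2-3-1001' > "$1/dump.ldif"
}

tmp=$(mktemp -d) && make_samples "$tmp"
if uses_ldapsam "$tmp/smb.conf"; then
    echo "ldapsam in use; entries without sambaPwdLastSet:"
    missing_pwdlastset "$tmp/dump.ldif"
fi
rm -rf "$tmp"
```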




