mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-22 08:52:58 +02:00
0a3bdf20f58fea9c1c8ed00a08b46f7eecf92568
165 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Adolf Belka
|
f7d6648e76 |
samba: Update to version 4.21.0
- Update from 4.20.4 to 4.21.0
- Update of rootfile for x86_64, aarch64 & riscv64
- Changelog
4.21.0
Hardening of "valid users", "invalid users", "read list" and "write list"
In previous versions of Samba, if a user or group name in either of the
mentioned options could not be resolved to a valid SID, the user (or group)
would be skipped without any notification. This could result in unexpected and
insecure behaviour. Starting with this version of Samba, if any user or group
name in any of the options cannot be resolved due to a communication error with
a domain controller, Samba will log an error and the tree connect will fail.
Non existing users (or groups) are ignored.
LDAP TLS/SASL channel binding support
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
NEW FEATURES/CHANGES
LDB no longer a standalone tarball
LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.
If you need ldb as a public library, say to build sssd, then use
./configure --private-libraries='!ldb'
This re-integration allows LDB tests to use the Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.
This approach has been demonstrated already in Debian, which is already
building Samba and LDB is this way.
As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.
LDB Module API Python bindings removed
The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development. However that wrapping
never took into account later changes, and so has not worked for a
number of years. Samba 4.21 and LDB 2.10 removes this unused and
broken feature.
Changes in LDB handling of Unicode
Developers using LDB up to version 2.9 could call ldb_set_utf8_fns()
to determine how LDB handled casefolding. This is used internally by
string comparison functions. In LDB 2.10 this function is deprecated,
and ldb_set_utf8_functions() is preferred. The new function allows a
direct comparison function to be set as well as a casefold function.
This improves performance and allows for more robust handling of
degenerate cases. The function should be called just after ldb_init(),
with the following arguments:
ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */
context_variable /* possibly NULL */
casefold_function,
case_insensitive_comparison_function);
The default behaviour of LDB remains to perform ASCII casefolding
only, as if in the "C" locale. Recent versions have become
increasingly consistent in this.
Some Samba public libraries made private by default
The following Samba C libraries are currently made public due to their
use by OpenChange or for historical reasons that are no longer clear.
dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
samba-credentials, dcerpc_server, samdb
The libraries used by the OpenChange client now private, but can be
made public (like ldb above) with:
./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
The C libraries without any known user or used only for the OpenChange
server (a dead project) may be made private entirely in a future Samba
version.
If you use a Samba library in this list, please be in touch with the
samba-technical mailing list.
Using ldaps from 'winbindd' and 'net ads'
Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to active directory domain controllers.
Using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order let to 'ldap ssl = start tls' have any effect on those
connections.
'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.
The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.
The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ldaps' (using TLS directly on tcp port 636).
If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on tcp port 389.
As we no longer use the openldap tls layer it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
While 'tls verify peer' and 'tls crlfile' are also relevant,
see 'man smb.conf' for further details.
New DNS hostname config option
To get `net ads dns register` working correctly running manually or during a
domain join a special entry in /etc/hosts was required. This not really
documented and thus the DNS registration mostly didn't work. With the new option
the default is [netbios name].[realm] which should be correct in the majority of
use cases.
We will also use the value to create service principal names during a Kerberos
authentication and DNS functions.
This is not supported in samba-tool yet.
Samba AD will rotate expired passwords on smartcard-required accounts
Traditionally in AD, accounts set to be "smart card require for logon"
will have a password for NTLM fallback and local profile encryption
(Windows DPAPI). This password previously would not expire.
Matching Windows behaviour, when the DC in a FL 2016 domain and the
msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
root is set to TRUE, Samba will now expire these passwords and rotate
them shortly before they expire.
Note that the password expiry time must be set to twice the TGT lifetime for
smooth operation, e.g. daily expiry given a default 10 hour TGT
lifetime, as the password is only rotated in the second half of its
life. Again, this matches the Windows behaviour.
Provided the default 2016 schema is used, new Samba domains
provisioned with Samba 4.21 will have this enabled once the domain
functional level is set to 2016.
NOTE: Domains upgraded from older Samba versions will not have this
set, even after the functional level preparation, matching the
behaviour of upgraded Windows AD domains.
Per-user and group "veto files" and "hide files"
"veto files" and "hide files" can optionally be restricted to certain users and
groups. To apply a veto or hide directive to a filename for a specific user or
group, a parametric option like this can be used:
hide files : USERNAME = /somefile.txt/
veto files : GROUPNAME = /otherfile.txt/
For details consult the updated smb.conf manpage.
Automatic keytab update after machine password change
When machine account password is updated, either by winbind doing regular
updates or manually (e.g. net ads changetrustpw), now winbind will also support
update of keytab entries in case you use newly added option
'sync machine password to keytab'.
The new parameter allows you to describe what keytabs and how should be updated.
From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
The functionaity provided by the removed commands "net ads keytab
add/delete/add_update_ads" can be achieved via the 'sync machine password to
keytab' as in these examples:
"net ads keytab add wurst/brot@REALM"
- this command is not adding <principal> to AD, so the best fit can be specifier
"spns"
- add to smb.conf:
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
- run:
"net ads keytab create"
"net ads keytab delete wurst/brot@REALM"
- remove the principal (or the whole keytab line if there was just one)
- run:
"net ads keytab create"
"net ads keytab add_update_ads wurst/brot@REALM"
- this command was adding the principal to AD, so for this case use a keytab
with specifier sync_spns
- add to smb.conf:
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
- run:
"net ads setspn add wurst/brot@REALM" # this adds the principal to AD
"net ads keytab create" # this sync it from AD to local keytab
A new parameter 'sync machine password script' allows to specify external script
that will be triggered after the automatic keytab update. If keytabs should be
generated in clustered environments it is recommended to update them on all
nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
46.update-keytabs.script in section 'sync machine password script' for details.
For detailed information check the smb.conf(5) and net(8) manpages.
New cephfs VFS module
Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
of path-based operations in the existing module). It allows users to pass
explicit user-credentials per call (including supplementary groups), as well as
faster operations using inode and file-handle caching on the Samba side.
Configuration is identical to existing module, but using 'ceph_new' instead of
'ceph' for the relevant smb.conf entries. This new module is expected to
deprecate and replace the old one in next major release.
Group Managed Service Accounts
Samba 4.21 adds support for gMSAs (Group Managed Service Accounts),
completing support for Functional Level 2012.
The purpose of a gMSA is to allow a single host, or a cluster of
hosts, to share access to an automatically rotating password, avoiding
the weak static service passwords that are often the entrypoint of
attackers to AD domains. Each server has a strong and regularly
rotated password, which is used to access the gMSA account of (e.g.)
the database server.
Samba provides management and client tools, allowing services on Unix
hosts to access the current and next gMSA passwords, as well as obtain
a credentials cache.
Samba 4.20 announced the client-side tools for this feature. To avoid
duplication and provide consistency, the existing commands for
password viewing have been extended, so these commands operate both on
a gMSA (with credentials, over LDAP, specify -H) and locally for
accounts that have a compatible password (e.g. plaintext via GPG,
compatible hash)
samba-tool user getpassword
samba-tool user get-kerberos-ticket
samba-tool domain exportkeytab
An example command, which gets the NT hash for use with NTLM, is
samba-tool user getpassword -H ldap://server --machine-pass \
TestUser1 --attributes=unicodePwd
Kerberos is a better choice (gMSA accounts should not use LDAP simple
binds, for reasons of both security and compatibility). Use
samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \
TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache
gMSAs disclose a current and previous password. To access the previous
NT hash, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attrs=unicodePwd;previous=1
To access the previous password as UTF8, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attributes=pwdLastSet,virtualClearTextUTF8;previous=1
However, Windows tools for dealing with gMSAs tend to use Active
Directory Web Services (ADWS) from Powershell for setting up the
accounts, and this separate protocol is not supported by Samba 4.21.
Samba-tool commands for handling gMSA (KDS) root keys
Group managed service accounts rotate passwords based on root keys,
which can be managed using samba-tool, with commands such as
samba-tool domain kds root_key create
samba-tool domain kds root_key list
Samba will create a new root key for new domains at provision time,
but users of gMSA accounts on upgraded domains will need to first
create a root key.
RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC
The Heimdal KDC will recognise when a client provides proof that they
hold the hardware token used for smart-card authentication 'now' and
has not used a saved future-dated reply. Samba 4.21 now matches
Windows and will assign an extra SID to the user in this case,
allowing sensitive resources to be additionally protected.
Only Windows clients are known to support the client side of this
feature at this time.
New samba-tool Authentication Policy management command structure
As foreshadowed in the Samba 4.20 release notes, the "samba-tool
domain auth policy" commands have been reworked to be more intuitive
based on user feedback and reflection.
Support for key features of AD Domain/Forest Functional Level 2012R2
Combined with other changes in recent versions (such as claims support
in 4.20), Samba can now claim Functional Level 2012R2 support.
Build system
In previous versions of Samba, packagers of Samba would set their
package-specific version strings using a patch to the
SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is
achieved by using --vendor-suffix (at configure time), allowing this
to be more easily scripted. Vendors are encouraged to include their
name and full package version to assist with upstream debugging.
More deterministic builds
Samba builds are now more reproducible, providing better assurance
that the Samba binaries you run are the same as what is expected from
the source code. If locale settings are not changed, the same objects
will be produced from each compilation run. If Samba is built in a
different path, the object code will remain the same, but DWARF
debugging sections will change (while remaining functionally
equivalent).
Improved command-line redaction
There are several options that can be used with Samba tools for
specifying secrets. Although this is best avoided, when these options
are used, Samba will redact the secrets in /proc, so that they won't
be seen in ps or top. This is now carried out more thoroughly,
redacting more options. There is a race inherent in this, and the
passwords will be visible for a short time. The secrets are also not
removed from .bash_history and similar files.
REMOVED FEATURES
Following commands are removed:
net ads keytab add <principal>
net ads keytab delete <principal>
net ads keytab add_update_ads
Changes
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
client ldap sasl wrapping new values
client use spnego principal removed
ldap server require strong auth new values
tls trust system cas new
tls ca directories new
dns hostname client dns name [netbios name].[realm]
valid users Hardening
invalid users Hardening
read list Hardening
write list Hardening
veto files Added per-user and per-group vetos
hide files Added per-user and per-group hides
sync machine password to keytab keytabs
sync machine password script script
CHANGES SINCE 4.21.0rc4
* BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
* BUG 15702: Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse.
* BUG 15686: Add new vfs_ceph module (based on low level API).
CHANGES SINCE 4.21.0rc3
* BUG 15698: samba-tool can not load the default configuration file.
* BUG 15700: Crash when readlinkat fails.
CHANGES SINCE 4.21.0rc2
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
* BUG 15696: Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients.
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
CHANGES SINCE 4.21.0rc1
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15686: Add new vfs_ceph module (based on low level API)
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15690: ldb_version.h is missing from ldb public library
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
* BUG 15686: Add new vfs_ceph module (based on low level API)
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15687: undefined reference to winbind_lookup_name_ex
* BUG 15688: per user veto and hide file syntax is to complex
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
* BUG 15688: per user veto and hide file syntax is to complex
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
32c667786c |
perl-JSON: removal of module as it is now in the perl core modules
- Used in the samba addon. - With the old separate module removed samba still successfully built, installed and was able to be run from the WUI. Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
05f7f6d76d |
samba: Update to version 4.20.4
- Update from version 4.20.2 to 4.20.4
- Successfully built samba on arm builder
- Update of rootfile for x86_64 & aarch64 not required.
- Changelog
4.20.4
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
4.20.3
* BUG 15683: Running samba-bgqd a a standalone systemd service does not work.
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
* BUG 15671: Invalid client warning about command line passwords.
* BUG 15672: Version string is truncated in manpages.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15674: cmdline_burn does not always burn secrets.
* BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
AD_DS_Classes_Windows_Server_v1903.ldf.
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
* BUG 15660: The images don\'t build after the git security release and
CentOS 8 Stream is EOL.
* BUG 15676: Fix clock skew error message and memory cache clock skew
recovery.
* BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual.
* BUG 15621: s4:ldap_server: does not support tls channel bindings
for sasl binds.
* BUG 15678: CTDB socket output queues may suffer unbounded delays under some
special conditions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
Michael Tremer
|
bf8abf549e |
samba: Fix rootfiles
The CGI script, the misc-progs helper and the menu entry were removed. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
b5befbc045 |
samba: Update to version 4.20.2
- Update from version 4.20.1 to 4.20.2
- Update of rootfile for both x86_64 and aarch64
- After doing a grep into the config directories I realised that the xxxMACHINExxx phrase
is only added into rootfiles in the main common or package directories and not in the
x86_64 and aarch64
- In the past I have submitted the samba rootfile with x86_64 replaced by xxxMACHINExxx.
It seems to have worked, so the replacement probably occurs even in the architecture
specific directories but it doesn't need to be used there as the directory is clearly
only for that one architecture.
- Changelog
4.20.2
* BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
* BUG 13213: Samba build is not reproducible.
* BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
function.
* BUG 15625: Many qsort() comparison functions are non-transitive, which can
lead to out-of-bounds access in some circumstances.
* BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
bill.
* BUG 15654: We have added new options --vendor-name and --vendor-patch-
revision arguments to ./configure to allow distributions and packagers to
put their name in the Samba version string so that when debugging Samba the
source of the binary is obvious.
* BUG 15665: CTDB RADOS mutex helper misses namespace support.
* BUG 13019: Dynamic DNS updates with the internal DNS are not working.
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
* BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
Windows Server 2022).
* BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
* BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
can't use nmb requests instead cldap.
* BUG 15642: winbindd, net ads join and other things don't work on an ipv6
only host.
* BUG 15659: Segmentation fault when deleting files in vfs_recycle.
* BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
* BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
machine account.
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
* BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
domain lookups.
* BUG 15660: The images don't build after the git security release and CentOS
8 Stream is EOL.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
ed562f8dde |
samba: Update to version 4.20.1
- This v2 version increments the PAK_VER number
- Update from version 4.19.5 to 4.20.1
- Update of rootfile
- Changelog
4.20.1
* BUG 15630: dns update debug message is too noisy.
* BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
* BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
* BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
flag.
* BUG 15611: http library doesn't support 'chunked transfer encoding'.
* BUG 15600: Provide a systemd service file for the background queue daemon.
4.20.0
The changelog is too large to show here. Details can be found at
https://www.samba.org/samba/history/samba-4.20.0.html
I did not identify any changes related to how samba is configured in IPFire
4.19.6
* BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close().
* BUG 15588: samba-gpupdate: Correctly implement site support.
* BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
vfs_stat_fsp() fails in fd_close().
* BUG 15588: samba-gpupdate: Correctly implement site support.
* BUG 15599: libgpo: Segfault in python bindings.
* BUG 15580: Packet marshalling push support missing for
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
|
||
|
Adolf Belka
|
cb0488997b |
samba: Add wsdd as a dependency to samba
- Add wsdd as a dependency to samba so it will be installed together with samba Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
90ea6fac35 |
samba: Update to version 4.19.5
- Update from version 4.19.3 to 4.19.5
- Update of rootfile not required
- Changelog
4.19.5
* BUG 13688: Windows 2016 fails to restore previous version of a file from a
shadow_copy2 snapshot.
* BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before
that).
* BUG 12421: Fake directory create times has no effect.
* BUG 15550: ctime mixed up with mtime by smbd.
* BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
* BUG 15557: gpupdate: The root cert import when NDES is not available is
broken.
* BUG 15552: samba-gpupdate should print a useful message if cepces-submit
can't be found.
* BUG 15558: samba-gpupdate logging doesn't work.
* BUG 15555: smbpasswd reset permissions only if not 0600.
4.19.4
* BUG 13577: net changesecretpw cannot set the machine account password if
secrets.tdb is empty.
* BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
* BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
* BUG 15542: vfs_linux_xfs is incorrectly named.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15505: Following intermediate abolute share-local symlinks is broken.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15544: shadow_copy2 broken when current fileset's directories are
removed.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
exclusion.
* BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
domains = no' is set.
* BUG 15525: smbget debug logging doesn't work.
* BUG 15532: smget: username in the smburl and interactive password entry
doesn't work.
* BUG 15538: smbget auth function doesn't set values for password prompt
correctly.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15440: Unable to copy and write files from clients to Ceph cluster via
SMB Linux gateway with Ceph VFS module.
* BUG 15547: Multichannel refresh network information.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
17cad1e885 |
samba: Update to version 4.19.3
- Update from version 4.19.2 to 4.19.3
- Update of rootfile not required
- I don't believe that the CVE from this version will affect IPFire users as Samba on
IPFire is not run as an Active Directory Domain Controller. That functionality was
removed some time ago.
- Changelog
4.19.3
This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bugfix CVE-2018-14628:
Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
allow read of object tombstones over LDAP
(Administrator action required!)
https://www.samba.org/samba/security/CVE-2018-14628.html
Description of CVE-2018-14628
All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.
When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).
This means also non privileged users can use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view,
the names and preserved attributes of deleted objects.
No information that was hidden before the deletion is visible, but in
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.
There is no further vulnerability associated with this error, merely an
information disclosure.
Action required in order to resolve CVE-2018-14628!
The patched Samba does NOT protect existing domains!
The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:
samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
The above requires manual interaction in order to review the
changes before they are applied. Typicall question look like this:
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
Owner mismatch: SY (in ref) DA(in current)
Group mismatch: SY (in ref) DA(in current)
Part dacl is different between reference and current here is the detail:
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
[y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.
Changes since 4.19.2
* BUG 15520: sid_strings test broken by unix epoch > 1700000000.
* BUG 15487: smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.
* BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor().
* BUG 15499: Improve logging for failover scenarios.
* BUG 15093: Files without "read attributes" NFS4 ACL permission are not
listed in directories.
* BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
AD LDAP to normal users.
* BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
accounts.
* BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
* BUG 15513: Samba doesn't build with Python 3.12
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
Matthias Fischer
|
e1a68c27a0 |
samba: Update to 4.19.2
For details see: v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html " ============================== Release Notes for Samba 4.19.1 October 10, 2023 ============================== This is a security release in order to address the following defects: o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system. https://www.samba.org/samba/security/CVE-2023-3961.html o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" https://www.samba.org/samba/security/CVE-2023-4091.html o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions. https://www.samba.org/samba/security/CVE-2023-4154.html o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. https://www.samba.org/samba/security/CVE-2023-42669.html o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC. https://www.samba.org/samba/security/CVE-2023-42670.html" v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html "Changes since 4.19.1 -------------------- o Jeremy Allison <jra@samba.org> * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE. * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown() call. o Ralph Boehme <slow@samba.org> * BUG 15463: macOS mdfind returns only 50 results. o Volker Lendecke <vl@samba.org> * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value. o Stefan Metzmacher <metze@samba.org> * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more. o Martin Schwenke <mschwenke@ddn.com> * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs. o Joseph Sutton <josephsutton@catalyst.net.nz> * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19 * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
d78109c511 |
samba: Update to version 4.19.0
- Update from version 2.18.5 to 2.19.0
- Update of rootfile for x86_64
- Changelog is too large to include here
4.19.0
See the WHATSNEW.txt file in the soiurce tarball
4.18.6
* BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
pointer.
* BUG 15430: Missing return in reply_exit_done().
* BUG 15289: post-exec password redaction for samba-tool is more reliable for
fully random passwords as it no longer uses regular expressions
containing the password value itself.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15342: Spotlight sometimes returns no results on latest macOS.
* BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
attempted to remove the destination.
* BUG 15427: Spotlight results return wrong date in result list.
* BUG 15414: "net offlinejoin provision" does not work as non-root user.
* BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
* BUG 15433: cm_prepare_connection() calls close(fd) for the second time.
* BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
* BUG 15390: Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation).
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Michael Tremer
|
ee60ae9b0e |
samba: Bump package release
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
05fb9ba088 |
samba: Update to version 4.18.5
- Update from version 4.18.4 to 4.18.5
- Update of rootfile not required
- Changelog
4.18.5
This is a security release in order to address the following defects:
o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
crafted request can trigger an out-of-bounds read in winbind
and possibly crash it.
https://www.samba.org/samba/security/CVE-2022-2127.html
o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
"server signing = required" or for SMB2 connections to Domain
Controllers where SMB2 packet signing is mandatory.
https://www.samba.org/samba/security/CVE-2023-3347.html
o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
Spotlight can be triggered by an unauthenticated attacker by
issuing a malformed RPC request.
https://www.samba.org/samba/security/CVE-2023-34966.html
o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
Spotlight can be used by an unauthenticated attacker to
trigger a process crash in a shared RPC mdssvc worker process.
https://www.samba.org/samba/security/CVE-2023-34967.html
o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
side absolute path of shares and files and directories in
search results.
https://www.samba.org/samba/security/CVE-2023-34968.html
o Ralph Boehme <slow@samba.org>
* BUG 15072: CVE-2022-2127.
* BUG 15340: CVE-2023-34966.
* BUG 15341: CVE-2023-34967.
* BUG 15388: CVE-2023-34968.
* BUG 15397: CVE-2023-3347.
o Volker Lendecke <vl@samba.org>
* BUG 15072: CVE-2022-2127.
o Stefan Metzmacher <metze@samba.org>
* BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
Arne Fitzenreiter
|
f82a4492c9 | samba: update to 4.18.4 | ||
|
Adolf Belka
|
23320dc554 |
samba: Update to version 4.18.1
- Update from version 4.17.5 to 4.18.1
- Update of rootfile
some libraries now use x86-64 instead of x86_64 but most are still left with x86_64
Good thing that we create a separate version of the rootfile for each architecture
because it is no longer just the arm version that is unique but also the x86_64 one.
- Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability.
As SMB1 is insecure and has known exploits including ransomeware based ones it seems
reasonable to build samba without SMB1 server capability for use on a firewall.
The option to build wiythout SMB1 server capability has been added to the LFS file.
- Changelog
Release Notes for Samba 4.18.1
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.18.0
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:
* a username or password is incorrect
* an ldb database filename is wrong (including in smb.conf)
* samba-tool dns: various zones or records do not exist
* samba-tool ntacl: certain files are missing
* the network seems to be down
* bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES
The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default
acl_xattr:security_acl_name New security.NTACL
server addresses New
CHANGES SINCE 4.18.0rc4
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
* BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
failure.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
(tevent 0.14.1 and ldb 2.7.1 are already released...)
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
CHANGES SINCE 4.18.0rc1
* BUG 10635: Office365 azure Password Sync not working.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
Release Notes for Samba 4.17.7
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes).
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.17.6
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
Peter Müller
|
083950a0df |
samba: Bump package version
This is necessary, since the package version was already incremented to 91 in "master", due to the libtirpc changes in Core Update 173. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> |
||
|
Adolf Belka
|
e6b73f0b6b |
samba: Update to version 4.17.5
- Update from 4.17.4 to 4.17.5 - Update of rootfile not required - Changelog Release Notes for Samba 4.17.5 * BUG 14808: smbc_getxattr() return value is incorrect. * BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled correctly. * BUG 15210: synthetic_pathref AFP_AfpInfo failed errors. * BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find DC when there is only an AAAA record for the DC in DNS. * BUG 15236: smbd crashes if an FSCTL request is done on a stream handle. * BUG 15277: DFS links don't work anymore on Mac clients since 4.17. * BUG 15283: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value). * BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON (additional changes). * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15269: ctdb: use-after-free in run_proc. * BUG 15243: %U for include directive doesn't work for share listing (netshareenum). * BUG 15266: Shares missing from netshareenum response in samba 4.17.4. * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo. * BUG 15268: smbclient segfaults with use after free on an optimized build. * BUG 15282: smbstatus leaking files in msg.sock and msg.lock. * BUG 15164: Leak in wbcCtxPingDc2. * BUG 15265: Access based share enum does not work in Samba 4.16+. * BUG 15267: Crash during share enumeration. * BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer. * BUG 15281: Avoid relying on C89 features in a few places. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> |
||
|
Adolf Belka
|
27dd10f8f3 |
samba: libtirpc removed from dependencies as now core package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
a3e50a3f6c |
samba: Update to version 4.17.4
- Update from version 4.17.3 to 4.17.4
- Update of rootfile (Only the x86_64 rootfile updated with this patch)
- Changelog
Release Notes for Samba 4.17.4
This is the latest stable release of the Samba 4.17 release series.
It also contains security changes in order to address the following defects:
o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
RC4-HMAC Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac
session keys for use between modern clients and servers
despite all modern Kerberos implementations supporting
the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members
'kerberos encryption types = legacy' would force
rc4-hmac as a client even if the server supports
aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
o CVE-2022-37967: This is the Samba CVE for the Windows
Kerberos Elevation of Privilege Vulnerability
disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained
delegation permission could forge a more powerful
ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
same algorithms as rc4-hmac cryptography in Kerberos,
and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
Note that there are several important behavior changes
included in this release, which may cause compatibility problems
interacting with system still expecting the former behavior.
Please read the advisories of CVE-2022-37966,
CVE-2022-37967 and CVE-2022-38023 carefully!
samba-tool got a new 'domain trust modify' subcommand
This allows "msDS-SupportedEncryptionTypes" to be changed
on trustedDomain objects. Even against remote DCs (including Windows)
using the --local-dc-ipaddress= (and other --local-dc-* options).
See 'samba-tool domain trust modify --help' for further details.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
allow nt4 crypto Deprecated no
allow nt4 crypto:COMPUTERACCOUNT New
kdc default domain supported enctypes New (see manpage)
kdc supported enctypes New (see manpage)
kdc force enable rc4 weak session keys New No
reject md5 clients New Default, Deprecated Yes
reject md5 servers New Default, Deprecated Yes
server schannel Deprecated Yes
server schannel require seal New, Deprecated Yes
server schannel require seal:COMPUTERACCOUNT New
winbind sealed pipes Deprecated Yes
Changes since 4.17.3
o Jeremy Allison <jra@samba.org>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15237: CVE-2022-37966.
* BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
o Ralph Boehme <slow@samba.org>
* BUG 15240: CVE-2022-38023.
* BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
o Stefan Metzmacher <metze@samba.org>
* BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
Windows.
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
vulnerability.
* BUG 15206: libnet: change_password() doesn't work with
dcerpc_samr_ChangePasswordUser4().
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15230: Memory leak in snprintf replacement functions.
* BUG 15237: CVE-2022-37966.
* BUG 15240: CVE-2022-38023.
* BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
(CVE-2021-20251 regression).
o Noel Power <noel.power@suse.com>
* BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
same size.
o Anoop C S <anoopcs@samba.org>
* BUG 15198: Prevent EBADF errors with vfs_glusterfs.
o Andreas Schneider <asn@samba.org>
* BUG 15237: CVE-2022-37966.
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum).
* BUG 15257: Stack smashing in net offlinejoin requestodj.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
* BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
* BUG 15231: CVE-2022-37967.
* BUG 15237: CVE-2022-37966.
o Nicolas Williams <nico@twosigma.com>
* BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
user-controlled pointer in FAST.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
|
Adolf Belka
|
f805230df6 |
samba: Ship due to sobump from json-c update
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> |
||
|
Adolf Belka
|
28c939b78f |
samba: Update to version 4.17.3
- Update from version 4.17.0 to 4.17.3
- Update of rootfile (x86_64) - other architectures will need to be adjusted.
- Changelog
Release Notes for Samba 4.17.3
This is a security release in order to address the following defects:
o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
integer overflows when parsing a PAC on a 32-bit system, which
allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15203: CVE-2022-42898
o Nicolas Williams <nico@twosigma.com>
* BUG 15203: CVE-2022-42898
Release Notes for Samba 4.17.2
This is a security release in order to address the following defects:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
o CVE-2022-3592: A malicious client can use a symlink to escape the exported
directory.
https://www.samba.org/samba/security/CVE-2022-3592.html
o Volker Lendecke <vl@samba.org>
* BUG 15207: CVE-2022-3592.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
Release Notes for Samba 4.17.1
o Jeremy Allison <jra@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15174: smbXsrv_connection_shutdown_send result leaked.
* BUG 15182: Flush on a named stream never completes.
* BUG 15195: Permission denied calling SMBC_getatr when file not exists.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
* BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
o Ralph Boehme <slow@samba.org>
* BUG 15182: Flush on a named stream never completes.
o Volker Lendecke <vl@samba.org>
* BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
o Stefan Metzmacher <metze@samba.org>
* BUG 15200: multi-channel socket passing may hit a race if one of the
involved processes already existed.
* BUG 15201: memory leak on temporary of struct imessaging_post_state and
struct tevent_immediate on struct imessaging_context (in
rpcd_spoolss and maybe others).
o Noel Power <noel.power@suse.com>
* BUG 15205: Since popt1.19 various use after free errors using result of
poptGetArg are now exposed.
o Anoop C S <anoopcs@samba.org>
* BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
vfs_glusterfs.
o Andreas Schneider <asn@samba.org>
* BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Matthias Fischer
|
3e5190f5c7 |
samba: Update to 4.17.0
For details see: https://www.samba.org/samba/latest_news.html#4.17.0 This "just came my way" and I found the CVEs listed on https://www.samba.org/samba/history/security.html which address "All versions of Samba prior to 4.16.4" or "All versions of Samba" rather long. The 'glibc_headers' patch is now included. Sad to say, due to the lack of hardware I can only include the rootfile for x86_64. Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> |
||
|
Peter Müller
|
a15a758292 |
{libvirt,qemu,samba}: Bump package versions for glibc changes
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> |
||
|
Michael Tremer
|
b621245815 |
samba: Fix build with glibc 2.36
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Peter Müller
|
21aac1a554 |
Samba: Update to 4.16.4
This is a security release, please refer to https://www.samba.org/samba/latest_news.html#4.16.4 for the respective advisory. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> |
||
Stefan Schantl
|
4fdd355880 |
krb5: Move package into core system.
On one hand, the key.dns_resolver binary is linked against libkrb5, so this library at least is required by the base system. On the other hand this easily allows different services on the firewall to use kerberos for authentication (ssh etc). Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> |
||
|
Adolf Belka
|
377ffa0811 |
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but I missed that samba had a dependency to one of its libraries. - find-dependencies was not run on openldap liblber although looking at the openldap rootfile it is clear that an sobump occurred. - This patch increments the samba PAK_VER so that it will be shipped and therefore have the library links updated. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> |
||
|
Adolf Belka
|
e8e8b6ae29 |
samba: Update to version 4.16.0
- Update from version 4.15.5 to 4.16.0
- Update of rootfile
- perl-JSON now added to samba requirements. Additional patch combined with this on for
install of perl-JSON
- Changelog
Release Notes for Samba 4.16.0
NEW FEATURES/CHANGES
New samba-dcerpcd binary to provide DCERPC in the member server setup
In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.
samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.
It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.
Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.
The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.
samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.
Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
implementation. This snapshot has now been updated and will closely
match what will be released as Heimdal 8.0 shortly.
This is a major update, previously we used a snapshot of Heimdal from
2011, and brings important new Kerberos security features such as
Kerberos request armoring, known as FAST. This tunnels ticket
requests and replies that might be encrypted with a weak password
inside a wrapper built with a stronger password, say from a machine
account.
In Heimdal and MIT modes Samba's KDC now supports FAST, for the
support of non-Windows clients.
Windows clients will not use this feature however, as they do not
attempt to do so against a server not advertising domain Functional
Level 2012. Samba users are of course free to modify how Samba
advertises itself, but use with Windows clients is not supported "out
of the box".
Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
the FAST protocol. A future version will align this more closely with
Microsoft AD behaviour.
If FAST needs to be disabled on your Samba KDC, set
kdc enable fast = no
in the smb.conf.
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.
Ability to add ports to dns forwarder addresses in internal DNS backend
The internal DNS server of Samba forwards queries non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.
CTDB changes
* The "recovery master" role has been renamed "leader"
Documentation and logs now refer to "leader".
The following ctdb tool command names have changed:
recmaster -> leader
setrecmasterrole -> setleaderrole
Command output has changed for the following commands:
status
getcapabilities
The "[legacy] -> recmaster capability" configuration option has been
renamed and moved to the cluster section, so this is now:
[cluster] -> leader capability
* The "recovery lock" has been renamed "cluster lock"
Documentation and logs now refer to "cluster lock".
The "[cluster] -> recovery lock" configuration option has been
deprecated and will be removed in a future version. Please use
"[cluster] -> cluster lock" instead.
If the cluster lock is enabled then traditional elections are not
done and leader elections use a race for the cluster lock. This
avoids various conditions where a node is elected leader but can not
take the cluster lock. Such conditions included:
- At startup, a node elects itself leader of its own cluster before
connecting to other nodes
- Cluster filesystem failover is slow
The abbreviation "reclock" is still used in many places, because a
better abbreviation eludes us (i.e. "clock" is obvious bad) and
changing all instances would require a lot of churn. If the
abbreviation "reclock" for "cluster lock" is confusing, please
consider mentally prefixing it with "really excellent".
* CTDB now uses leader broadcasts and an associated timeout to
determine if an election is required
The leader broadcast timeout can be configured via new configuration
option
[cluster] -> leader timeout
This specifies the number of seconds without leader broadcasts
before a node calls an election. The default is 5.
REMOVED FEATURES
Older SMB1 protocol SMBCopy command removed
SMB is a nearly 30-year old protocol, and some protocol commands that
while supported in all versions, have not seen widespread use.
One of those is SMBCopy, a feature for a server-side copy of a file.
This feature has been so unmaintained that Samba has no testsuite for
it.
The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
in the NT LAN Manager dialect.
Therefore it has been removed from the Samba smbd server.
We do note that a fully supported and tested server-side copy is
present in SMB2, and can be accessed with "scopy" subcommand in
smbclient)
SMB1 server-side wildcard expansion removed
Server-side wildcard expansion is another feature that sounds useful,
but is also rarely used and has become problematic - imposing extra
work on the server (both in terms of code and CPU time).
In actual OS design, wildcard expansion is handled in the local shell,
not at the remote server using SMB wildcard syntax (which is not shell
syntax).
In Samba 4.16 the ability to process file name wildcards in requests
using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
command number 0x6) has been removed.
SMB1 protocol has been deprecated, particularly older dialects
We take this opportunity to remind that we have deprecated and
disabled by default, but not removed, the whole SMB1 protocol since
Samba 4.11. If needed for security purposes or code maintenance we
will continue to remove older protocol commands and dialects that are
unused or have been replaced in more modern SMB1 versions.
We specifically deprecate the older dialects older than "NT LM 0.12"
(also known as "NT LANMAN 1.0" and "NT1").
Please note that "NT LM 0.12" is the dialect used by software as old
as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
to DOS and similar era clients.
We do reassure that that 'simple' operation of older clients than
these (eg DOS) will, while untested, continue for the near future, our
purpose is not to cripple use of Samba in unique situations, but to
reduce the maintaince burden.
Eventually SMB1 as a whole will be removed, but no broader change is
announced for 4.16.
In the rare case where the above changes cause incompatibilities,
users requiring support for these features will need to use older
versions of Samba.
No longer using Linux mandatory locks for sharemodes
smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
was broken for a long time, and is planned to be removed with Linux 5.15. This
Samba release removes the usage of mandatory locks for sharemodes and the
"kernel share modes" config parameter is changed to default to "no". The Samba
VFS interface is kept, so that file-system specific VFS modules can still use
private calls for enforcing sharemodes.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
kernel share modes New default No
dns forwarder Changed
rpc_daemon Removed
rpc_server Removed
rpc start on demand helpers Added true
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
|
Peter Müller
|
9a7e4d8506 |
Switch checksums from MD5 to BLAKE2
Historically, the MD5 checksums in our LFS files serve as a protection against broken downloads, or accidentally corrupted source files. While the sources are nowadays downloaded via HTTPS, it make sense to beef up integrity protection for them, since transparently intercepting TLS is believed to be feasible for more powerful actors, and the state of the public PKI ecosystem is clearly not helping. Therefore, this patch switches from MD5 to BLAKE2, updating all LFS files as well as make.sh to deal with this checksum algorithm. BLAKE2 is notably faster (and more secure) than SHA2, so the performance penalty introduced by this patch is negligible, if noticeable at all. In preparation of this patch, the toolchain files currently used have been supplied with BLAKE2 checksums as well on https://source.ipfire.org/. Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremeripfire.org> |
||
Robin Roevens
|
f15707c78c |
buildprocess: Add extra metadata to pak lfs files
* Add a Summary and Services field to all pak lfs files * Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS macro in all pak lfs files. Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> |
||
|
Adolf Belka
|
61d7aaa3ef |
samba: Update to version 4.15.5
- Update from 4.14.6 to 4.15.5
- Update of rootfile
- Changelog is too long to include everything. Full details can be found in the
WHATSNEW.txt file in the source tarball. The following highlights those releases
that were security releases. The other releases had a range of bug fixes.
4.15.5 is a security release and includes the following CVE fixes
o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
of a symlink exists.
https://www.samba.org/samba/security/CVE-2021-44141.html
o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
https://www.samba.org/samba/security/CVE-2021-44142.html
o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
https://www.samba.org/samba/security/CVE-2022-0336.html
4.15.2 was a security release and included the following CVE fixes
o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
https://www.samba.org/samba/security/CVE-2016-2124.html
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
(PLEASE READ! There are important behaviour changes described)
o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
by an RODC.
https://www.samba.org/samba/security/CVE-2020-25718.html
o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
tickets.
https://www.samba.org/samba/security/CVE-2020-25719.html
o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
(eg objectSid).
https://www.samba.org/samba/security/CVE-2020-25721.html
o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
checking of data stored.
https://www.samba.org/samba/security/CVE-2020-25722.html
o CVE-2021-3738: Use after free in Samba AD DC RPC server.
https://www.samba.org/samba/security/CVE-2021-3738.html
o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
https://www.samba.org/samba/security/CVE-2021-23192.html
4.14.12 was a security release and included the following CVE fixes
o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
https://www.samba.org/samba/security/CVE-2021-44142.html
o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
https://www.samba.org/samba/security/CVE-2022-0336.html
4.14.10 was a security release and included the following CVE fixes
o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
authentication.
https://www.samba.org/samba/security/CVE-2016-2124.html
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
(PLEASE READ! There are important behaviour changes described)
o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
by an RODC.
https://www.samba.org/samba/security/CVE-2020-25718.html
o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
tickets.
https://www.samba.org/samba/security/CVE-2020-25719.html
o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
(eg objectSid).
https://www.samba.org/samba/security/CVE-2020-25721.html
o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
checking of data stored.
https://www.samba.org/samba/security/CVE-2020-25722.html
o CVE-2021-3738: Use after free in Samba AD DC RPC server.
https://www.samba.org/samba/security/CVE-2021-3738.html
o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
https://www.samba.org/samba/security/CVE-2021-23192.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
|
||
|
Arne Fitzenreiter
|
812faee44d |
samba: update rootfiles
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> |
||
|
Adolf Belka
|
c4df0637a4 |
samba: Update version to 4.14.6
- Update from 4.14.4 to 4.14.6
- Update of rootfile not required
- Changelog
Release Notes for Samba 4.14.6
* BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
* BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
* BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
* BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path.
* BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module.
* BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
* BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
* BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
* BUG 14752: smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
* BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
backend.
* BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup.
Release Notes for Samba 4.14.5
* BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
* BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
Windows ACL for directory handles.
* BUG 14721: s3: smbd: Fix uninitialized memory read in
process_symlink_open() when used with vfs_shadow_copy2().
* BUG 14689: docs: Expand the "log level" docs on audit logging.
* BUG 14714: smbd: Correctly initialize close timestamp fields.
* BUG 14699: Fix gcc11 compiler issues.
* BUG 14718: docs-xml: Update smbcacls manpage.
* BUG 14719: docs: Update list of available commands in rpcclient.
* BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
* BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
set.
* BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
|
||
|
Michael Tremer
|
f1fc2193a7 |
Bump release of all packages with CGI files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Adolf Belka
|
b33473414d |
samba: Update to 4.14.4
- Update from 4.14.3 to 4.14.4
- Update of rootfile not required
- Changelog
Release Notes for Samba 4.14.4 April 29, 2021
This is a security release in order to address the following defect:
o CVE-2021-20254: Negative idmap cache entries can cause incorrect
group entries in the Samba file server process token.
Details
o CVE-2021-20254:
The Samba smbd file server must map Windows group identities (SIDs) into unix
group ids (gids). The code that performs this had a flaw that could allow it
to read data beyond the end of the array in the case where a negative cache
entry had been added to the mapping cache. This could cause the calling code
to return those values into the process token that stores the group
membership for a user.
Most commonly this flaw caused the calling code to crash, but an alert user
(Peter Eriksson, IT Department, Linköping University) found this flaw by
noticing an unprivileged user was able to delete a file within a network
share that they should have been disallowed access to.
Analysis of the code paths has not allowed us to discover a way for a
remote user to be able to trigger this flaw reproducibly or on demand,
but this CVE has been issued out of an abundance of caution.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
31daeebd00 |
samba: Update to 4.14.3
- Update from 4.13.7 to 4.14.3
Change to Samba 4.14 release series
4.13 is now in maintenance mode
4.14 is now the current stable release series
- Update of x86_64 rootfile
- Checked library changes with find-dependencies
No linked programs found
- Changelog
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
vfs_virusfilter_openat.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14586: build: Notice if flex is missing at configure time.
o Ralph Boehme <slow@samba.org>
* BUG 14672: Fix smbd panic when two clients open same file.
* BUG 14675: Fix memory leak in the RPC server.
* BUG 14679: s3: smbd: fix deferred renames.
o Samuel Cabrero <scabrero@samba.org>
* BUG 14675: s3-iremotewinspool: Set the per-request memory context.
o Volker Lendecke <vl@samba.org>
* BUG 14675: Fix memory leak in the RPC server.
o Stefan Metzmacher <metze@samba.org>
* BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
* BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
o David Mulder <dmulder@suse.com>
* BUG 14665: samba-gpupdate: Test that sysvol paths download in
case-insensitive way.
o Sachin Prabhu <sprabhu@redhat.com>
* BUG 14662: smbd: Ensure errno is preserved across fsp destructor.
o Christof Schmitt <cs@samba.org>
* BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
conflict.
o Martin Schwenke <martin@meltin.net>
* BUG 14288: build: Only add -Wl,--as-needed when supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
da3edeeecf |
samba: Update to 4.13.7
- Update from 4.13.4 to 4.13.7
- Update of x68_64 rootfile
- Changelog
Release Notes for Samba 4.13.7 March 24, 2021
This is a security release in order to address the following defects:
o CVE-2020-27840:
An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
crafted DNs as part of a bind request. More serious heap corruption is likely
also possible.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
bad DNs.
o CVE-2021-20277:
User-controlled LDAP filter strings against the AD DC LDAP server may crash
the LDAP server.
Andrew Bartlett <abartlet@samba.org>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Release Notes for Samba 4.13.5 March 09, 2021
This is the latest stable release of the Samba 4.13 release series.
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
start-up failure.
o Jeremy Allison <jra@samba.org>
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
force a full reload of services.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
expired tombstones.
o Ralph Boehme <slow@samba.org
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
delete-on-close token.
o Peter Eriksson <pen@lysator.liu.se>
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
path.
o Björn Jacke <bj@sernet.de>
* BUG 14624: classicupgrade: Treat old never expires value right.
o Volker Lendecke <vl@samba.org>
* BUG 14636: g_lock: Fix uninitalized variable reads.
o Stefan Metzmacher <metze@samba.org>
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
o Andreas Schneider <asn@samba.org>
* BUG 14625: lib:util: Avoid free'ing our own pointer.
o Paul Wise <pabs3@bonedaddy.net>
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Michael Tremer
|
e514d67f8e |
samba: Update to 4.13.4
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
37fe3658a0 |
samba: Add helper script to pipe password
It is complicated to set the password in the C helper binary. Therefore it is being set by a helper script. This is still not an optimal solution since the password might be exposed to the shell environment, but has the advantage that shell command injection is no longer possible. Fixes: #12562 Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Arne Fitzenreiter
|
31cbb589d9 |
samba: remove pid at killproc in initscript
sometime a stale nmbd or smbd process prevent start of samba. this change should kill all processes. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> |
||
|
Michael Tremer
|
1e2c442c9e |
samba: Add support for custom configuration changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Arne Fitzenreiter
|
632075bf57 |
samba: update to 4.13.1
This is a security release in order to address CVE-2020-14318 (Missing handle permissions check in SMB1/2/3 ChangeNotify), CVE-2020-14323 (Unprivileged user can crash winbind) and CVE-2020-14383 (An authenticated user can crash the DCE/RPC DNS with easily crafted records). Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
74fd04c335 |
samba: Bump package release
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
a5aba922a8 |
samba: Bump package version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
be1554336d |
samba: Export all printers from CUPS
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
5aa5f6777a |
samba: Remove reset options
This only requires that we have to change multiple files with the same settings. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
13e455aec7 |
samba: Log to syslog
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
391540d9d8 |
samba: Link against avahi
We should use avahi to announce file sharing services to the network using mDNS, too. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Arne Fitzenreiter
|
1dd31d858e |
samba: update to 4.13.0
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
2dc2a27803 |
lfs: Drop quotes in DEPS variable
Not sure why this has ever been there. This simply makes it nicer to read and edit because we can have line-breaks now. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> |