Bug 18459

Summary: Samba regression with server signing = default (with CVE-2016-2115)
Product: Mageia Reporter: Stefan Puch <s.puch>
Component: RPM PackagesAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, marja11
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: samba-3.6.25-2.3.mga5 CVE:
Status comment:

Description Stefan Puch 2016-05-15 00:15:56 CEST 
Description of problem:
The last security update for samba server introduced a new parameter 'client ipc signing' with a default to mandatory (compare https://www.samba.org/samba/security/CVE-2016-2115.html)
While the default for 'server signing = false' it leads to the situation that that a client which tries a RPC connection to a PDC will fail because the server doesn't support signing!

Using rpcclient to connect to a local server will fail like this:
cli_negprot: SMB signing is mandatory and the server doesn't support it.
failed negprot: NT_STATUS_ACCESS_DENIED
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

Setting 'server singing = auto' will solve that problem for rpcclient but may introduce other problems with e.g. windows clients:
When connecting with a Win7 client using user nobody (default for guest access) to a samba share the client will fail with the following error:
[2016/05/14 23:30:27.403950,  1] smbd/service.c:1114(make_connection_snum)
  vm-buero (192.168.39.10) connect to service austausch initially as user nobody (uid=65534, gid=600) (pid 27161)
[2016/05/14 23:30:27.404507,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.39.10 read error = NT_STATUS_CONNECTION_RESET.
[2016/05/14 23:30:27.404946,  1] smbd/service.c:1378(close_cnum)
  vm-buero (192.168.39.10) closed connection to service austausch


The only work around I found so far is to set 'client ipc signing = auto' which 
reduces the security for SMB signing from mandatory to offered but as the server signing is still disabled by default no signing is used....

The first part (regarding the regression) is also discussed upstream and seems to affect onyl samba 3.6 and older:
"It is only a problem with 3.6 and older, where we didn't implenent
the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic."
Source: http://comments.gmane.org/gmane.network.samba.internals/90769

Unfortunately I found no reason / explanation why a Win7 client cannot connect using user = nobody with 'server singing = auto'. IMHO it should be possible because to manpage 'auto' means "SMB1 signing is offered, but not enforced." 

At least I'm not the only one with that problem, I found another report in debian forum unfortunately in German (https://debianforum.de/forum/viewtopic.php?f=9&t=160557). While that is for samba 4.2 it is due to the samba update fixing CVE-2016-2115
Comment 1 Stefan Puch 2016-05-15 08:24:57 CEST 
I just saw, that this may be a duplicate of Bug 18379. I will try the updated packages in core/updates_testing ASAP.
Comment 2 Stefan Puch 2016-05-15 14:12:37 CEST 
OK installed updated packages from update_testing

# rpm -qa | grep samba
samba-common-3.6.25-2.4.mga5
samba-client-3.6.25-2.4.mga5
samba-server-3.6.25-2.4.mga5
#

Unfortunately it doesn't change anything to my description above.
Comment 3 Marja Van Waes 2016-05-15 22:58:04 CEST 
ly it doesn't change anything to my description above.

(In reply to Stefan Puch from comment #1)
> I just saw, that this may be a duplicate of Bug 18379. I will try the
> updated packages in core/updates_testing ASAP.

(In reply to Stefan Puch from comment #2)
> OK installed updated packages from update_testing
> 
> # rpm -qa | grep samba
> samba-common-3.6.25-2.4.mga5
> samba-client-3.6.25-2.4.mga5
> samba-server-3.6.25-2.4.mga5
> #
> 
> Unfortunately it doesn't change anything to my description above.

@ David Walser

Can you please decide what to do with this bug report?

CC: (none) => luigiwalser, marja11

Marja Van Waes 2016-05-15 22:58:18 CEST

Summary: Samba regression with sever signing = default (with CVE-2016-2115) => Samba regression with server signing = default (with CVE-2016-2115)

Comment 4 David Walser 2016-05-15 23:01:24 CEST 
Dup

*** This bug has been marked as a duplicate of bug 18379 ***

Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE