Bug 21482 - samba new security issue CVE-2017-11103
Summary: samba new security issue CVE-2017-11103
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory mga6-32-ok mga6-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-10 01:20 CEST by David Walser
Modified: 2017-09-03 16:32 CEST
7 users

See Also:
Source RPM: samba-4.6.5-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-08-10 01:20:15 CEST
Ubuntu has issued an advisory on July 14:
https://usn.ubuntu.com/usn/usn-3353-2/

It looks like the samba package in Mageia 6 may have been switched to use the embedded Heimdal Kerberos at some point, but I'm not entirely sure as MIT krb5 is still in the BuildRequires.  I'm also not sure if switching it to the embedded Heimdal Kerberos was our intent.

The upstream advisory is here:
https://www.samba.org/samba/security/CVE-2017-11103.html

It's fixed in 4.6.6:
https://www.samba.org/samba/history/samba-4.6.6.html

4.6.7 fixes additional bugs:
https://www.samba.org/samba/history/samba-4.6.7.html
Comment 1 Nicolas Lécureuil 2017-08-10 13:10:37 CEST
pushed in updates_testing.

src.rpm:
         - samba-4.6.7-1.mga6

Assignee: mageia => qa-bugs

Comment 2 David Walser 2017-08-10 15:21:37 CEST
Nicolas, so what's the story on the Kerberos for Samba 4 in Mageia 6?  Is it supposed to be built against the system MIT krb5 or with the bundled Heimdal?  Why?  If we're going to use Heimdal, can it build against the system one?

CC: (none) => mageia
Whiteboard: (none) => feedback

Comment 3 David Walser 2017-08-10 16:46:24 CEST
Packages built for this update:
samba-4.6.7-1.mga6
samba-client-4.6.7-1.mga6
samba-common-4.6.7-1.mga6
samba-dc-4.6.7-1.mga6
libsamba-dc0-4.6.7-1.mga6
libkdc-samba4_2-4.6.7-1.mga6
libsamba-devel-4.6.7-1.mga6
samba-krb5-printing-4.6.7-1.mga6
libsamba1-4.6.7-1.mga6
libsmbclient0-4.6.7-1.mga6
libsmbclient-devel-4.6.7-1.mga6
libwbclient0-4.6.7-1.mga6
libwbclient-devel-4.6.7-1.mga6
python-samba-4.6.7-1.mga6
samba-pidl-4.6.7-1.mga6
samba-test-4.6.7-1.mga6
libsamba-test0-4.6.7-1.mga6
samba-winbind-4.6.7-1.mga6
samba-winbind-clients-4.6.7-1.mga6
samba-winbind-krb5-locator-4.6.7-1.mga6
samba-winbind-modules-4.6.7-1.mga6
ctdb-4.6.7-1.mga6
ctdb-tests-4.6.7-1.mga6

from samba-4.6.7-1.mga6.src.rpm
Comment 4 Nicolas Lécureuil 2017-08-11 23:30:58 CEST
(In reply to David Walser from comment #2)
> Nicolas, so what's the story on the Kerberos for Samba 4 in Mageia 6?  Is it
> supposed to be built against the system MIT krb5 or with the bundled
> Heimdal?  Why?  If we're going to use Heimdal, can it build against the
> system one?

let's try this on cauldron first

Whiteboard: feedback => (none)

Comment 5 David Walser 2017-08-13 16:05:43 CEST
Advisory:
========================

Updated samba packages fix security vulnerability:

Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Samba
clients incorrectly trusted unauthenticated portions of Kerberos tickets. A
remote attacker could use this to impersonate trusted network servers or
perform other attacks (CVE-2017-11103).

The samba package has been updated to version 4.6.7, fixing this issue and
several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
https://www.samba.org/samba/security/CVE-2017-11103.html
https://www.samba.org/samba/history/samba-4.6.6.html
https://www.samba.org/samba/history/samba-4.6.7.html
https://usn.ubuntu.com/usn/usn-3353-2/
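The advisory above says the flaw is that Samba clients trusted unauthenticated portions of Kerberos tickets. The following is an added illustration of that bug class, not code from Samba, Heimdal or this update: a KDC reply is modelled as a cleartext outer ticket (whose server name the client cannot verify) plus a client-readable inner part, with real Kerberos encryption replaced by an HMAC tag so it runs offline. The client key, service names and message layout are constructed for the example. It contrasts a client that copies the server name from the outer ticket with one that only trusts the authenticated part.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the client's long-term key shared with the KDC.
CLIENT_KEY = b"constructed-client-long-term-key"


def kdc_reply(sname: str, client_key: bytes) -> dict:
    """Build a KDC reply for service `sname` (simplified model, not real ASN.1).

    The outer `ticket` is for the server and names it in cleartext so the client
    knows where to send it; `enc_part` is readable only by the client and repeats
    the server name next to the session key.  Authentication of enc_part is
    modelled with an HMAC tag instead of Kerberos encryption.
    """
    enc_plain = json.dumps({"sname": sname, "session_key": "sess-" + sname}).encode()
    tag = hmac.new(client_key, enc_plain, hashlib.sha256).hexdigest()
    return {
        "ticket": {"sname": sname, "blob": "opaque-ticket-for-" + sname},
        "enc_part": {"data": enc_plain, "tag": tag},
    }


def open_enc_part(reply: dict, client_key: bytes) -> dict:
    """Verify and decode the client-readable part (stands in for EncKDCRepPart)."""
    data, tag = reply["enc_part"]["data"], reply["enc_part"]["tag"]
    expected = hmac.new(client_key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("enc-part integrity check failed")
    return json.loads(data)


def vulnerable_client_store(reply: dict, client_key: bytes, requested_sname: str) -> dict:
    """Flawed client: enc_part integrity is checked, but the server name that is
    cached with the session key is copied from the unauthenticated outer ticket."""
    enc = open_enc_part(reply, client_key)
    if reply["ticket"]["sname"] != requested_sname:
        raise ValueError("reply is not for the requested server")
    return {"sname": reply["ticket"]["sname"], "session_key": enc["session_key"]}


def fixed_client_store(reply: dict, client_key: bytes, requested_sname: str) -> dict:
    """Corrected client: only the authenticated enc_part decides which server the
    credentials belong to, and it must match what the client asked for."""
    enc = open_enc_part(reply, client_key)
    if enc["sname"] != requested_sname:
        raise ValueError("authenticated server name %r does not match requested %r"
                         % (enc["sname"], requested_sname))
    return {"sname": enc["sname"], "session_key": enc["session_key"]}


def relabel_ticket(reply: dict, claimed_sname: str) -> dict:
    """Model of the untrusted network changing the cleartext ticket name; the
    authenticated enc_part is untouched, so its integrity check still passes."""
    return {"ticket": dict(reply["ticket"], sname=claimed_sname),
            "enc_part": reply["enc_part"]}


def run_scenario() -> dict:
    """Constructed scenario: a ticket issued for one service arrives labelled as
    the file server the client asked for.  Returns what each client does."""
    target = "cifs/fileserver.example"
    forged = relabel_ticket(kdc_reply("host/other.example", CLIENT_KEY), target)
    vulnerable = vulnerable_client_store(forged, CLIENT_KEY, target)
    try:
        fixed_client_store(forged, CLIENT_KEY, target)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return {
        "vulnerable_cached_name": vulnerable["sname"],        # file server's name ...
        "vulnerable_session_key": vulnerable["session_key"],  # ... with another service's key
        "fixed_rejected": fixed_rejected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the fixed client makes is that any field the client acts on (here, which server the credentials are cached for) must come from the part of the reply that was authenticated to the client, and must agree with what the client requested; the cleartext ticket header is only routing information.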
Comment 6 Lewis Smith 2017-08-20 10:54:46 CEST
Advisory from comments 3 & 5.

Whiteboard: (none) => advisory

Comment 7 Brian Rockwell 2017-08-30 22:39:13 CEST
uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 16:29:48 UTC 2017 i686 i686 i686 GNU/Linux

installed the following

The following 25 packages are going to be installed:

- libaio1-0.3.110-4.mga6.i586
- libkdc-samba4_2-4.6.7-1.mga6.i586
- libpyldb-util1-1.1.29-1.mga6.i586
- libsamba-dc0-4.6.7-1.mga6.i586
- libsamba-test0-4.6.7-1.mga6.i586
- libsamba1-4.6.7-1.mga6.i586
- libsmbclient0-4.6.7-1.mga6.i586
- libwbclient0-4.6.7-1.mga6.i586
- perl-Parse-Yapp-1.50.0-8.mga6.noarch
- python-ldb-1.1.29-1.mga6.i586
- python-samba-4.6.7-1.mga6.i586
- python-talloc-2.1.9-1.mga6.i586
- python-tdb-1.3.13-1.mga6.i586
- python-tevent-0.9.31-1.mga6.i586
- samba-4.6.7-1.mga6.i586
- samba-client-4.6.7-1.mga6.i586
- samba-common-4.6.7-1.mga6.i586
- samba-dc-4.6.7-1.mga6.i586
- samba-krb5-printing-4.6.7-1.mga6.i586
- samba-pidl-4.6.7-1.mga6.noarch
- samba-test-4.6.7-1.mga6.i586
- samba-winbind-4.6.7-1.mga6.i586
- samba-winbind-clients-4.6.7-1.mga6.i586
- samba-winbind-krb5-locator-4.6.7-1.mga6.i586
- samba-winbind-modules-4.6.7-1.mga6.i586

41MB of additional disk space will be used.

13MB of packages will be retrieved.

Is it ok to continue?


---------

tried making it work through our utilities, also tried updating with caja utilities.

seems samba has deprecated the line
security = share

It now only seems to accept 
security = user

journalctl -xe reveals

Aug 30 15:31:56 localhost systemd[1]: Starting Samba SMB Daemon...
-- Subject: Unit smb.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit smb.service has begun starting up.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Main process exited, code=exi
Aug 30 15:31:57 localhost systemd[1]: Failed to start Samba SMB Daemon.
-- Subject: Unit smb.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit smb.service has failed.
-- 
-- The result is failed.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Unit entered failed state.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Failed with result 'exit-code

I change the security = user and it will start, but not sure if that's useful to me.

Keywords: (none) => NEEDHELP
CC: (none) => brtians1
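The failure above comes from a tool-generated smb.conf that still carries the Samba 3 setting `security = share`. As an added example, independent of Mageia's drakxtools and of Samba's own parser, here is a small smb.conf checker that reports that setting and rewrites it to `security = user`. The sample configuration is constructed to look like the one described in the comment; the parser handles the basics of the format (sections, `key = value`, `;`/`#` comments, and Samba's case- and whitespace-insensitive keys).

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf of the kind described above: a generated [global]
# section still using the Samba 3 value "share".
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server string = Samba Server
    Security = share
    ; comment lines are ignored
[public]
    path = /srv/samba/public
    read only = no
"""

Finding = Tuple[str, str, str, str]  # (section, key, value, advice)


def normalise_key(key: str) -> str:
    """Samba treats parameter names case-insensitively and ignores spaces in them."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines, comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # lines outside any section or without '=' are ignored
        key, value = line.split("=", 1)
        sections[current][normalise_key(key)] = value.strip()
    return sections


def check_security_mode(text: str) -> List[Finding]:
    """Report a [global] 'security' value that Samba 4 no longer accepts."""
    conf = parse_smb_conf(text)
    mode = conf.get("global", {}).get("security", "user")  # Samba's default is 'user'
    findings: List[Finding] = []
    if mode.lower() == "share":
        findings.append(("global", "security", mode,
                         "share-level security was removed in Samba 4; use 'security = user'"))
    return findings


def migrate_security_mode(text: str) -> str:
    """Rewrite 'security = share' in [global] to 'security = user', keeping
    indentation and every other line exactly as it was."""
    out = []
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
        elif in_global and "=" in line and line[0] not in ";#":
            key, value = line.split("=", 1)
            if normalise_key(key) == "security" and value.strip().lower() == "share":
                indent = raw[: len(raw) - len(raw.lstrip())]
                raw = indent + "security = user"
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for finding in check_security_mode(SAMPLE_SMB_CONF):
        print("%s/%s = %s: %s" % finding)
    print(migrate_security_mode(SAMPLE_SMB_CONF))
```

On a real system Samba's own `testparm` is the authoritative check of a generated file. Note that shares which relied on share-level security for anonymous access do not become anonymous again just by switching to `security = user`; that needs an explicit guest mapping (`map to guest` in [global] and `guest ok` on the share), which this script deliberately does not add.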

Brian Rockwell 2017-08-30 22:40:15 CEST

Whiteboard: advisory => advisory feedback
Keywords: NEEDHELP => (none)

Comment 8 Zombie Ryushu 2017-08-30 23:12:33 CEST
Share mode isn't really supported in Samba 4.
Comment 9 Brian Rockwell 2017-08-31 03:23:24 CEST
That's fair, but our utilities build the smb.conf with security = share as an apparent default.

That is an issue as it is no longer compatible.  It creates a non-functioning share.

We need to fix the utilities building and administering the smb.conf file.

FYI - by hand editing I was able to get a Samba share working.

---

Translation - fix utilities and bundle them with Samba.
Comment 10 David Walser 2017-08-31 03:25:28 CEST
The drakxtools are a separate issue and will need to be handled in its own update.
David Walser 2017-08-31 03:25:47 CEST

Whiteboard: advisory feedback => advisory

Comment 11 Brian Rockwell 2017-08-31 04:15:10 CEST
Fair enough, but someone please make this a priority.  The change from share to user seems to be simple.
Comment 12 Brian Rockwell 2017-08-31 04:15:30 CEST
Fair enough, but someone please make this a priority.  The change from share to user seems to be simple.
Comment 13 Lewis Smith 2017-08-31 22:11:52 CEST
Unsure about this. If the smb.conf 'security' problem exists simply by installing Samba from issued repos on M6, it is not related to this update (behaves same as before it) which can be OK'd.

Clearly if this problem only shows after the update, it is no good. But I do not think this is the case.
It looks to me as if Brian installed Samba directly from Updates Testing. If so, this is seldom a good idea since it does not test the update process itself; nor (as here) whether a problem existed before the update anyway.

So if anyone else tries this one, please install (or have already) Samba first from normal repos, get it working (note Brian's 'security' correction share->user); then update it and check that it still works.

CC: (none) => lewyssmith

Comment 14 Brian Rockwell 2017-08-31 23:06:23 CEST
Installed with security=user from the utility (4.6.5).

I then went back and patched to 4.6.7.

restarted services - working as designed on 64-bit.

$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Whiteboard: advisory => advisory mga6-32-ok mga6-64-ok

Comment 15 Len Lawrence 2017-09-01 08:14:14 CEST
@lewis
Looking at this but have to read the manual first.  After several hours trying to set things up via draksamba I am nowhere near setting up the shares.  The smb server is running on three machines for one user.

CC: (none) => tarazed25

Comment 16 Len Lawrence 2017-09-01 11:39:54 CEST
Using 'security = user'
smb started on one machine.
Copied the smb.conf to another machine and smb failed:
STATUS=daemon failed to start: Samba detected misconfigured 'server role' 
Probably need to change one of the parameters but don't know what to look for.
Comment 17 Len Lawrence 2017-09-01 12:00:03 CEST
Nope.  It was a permissions problem.
@lewis: pre-updates had no idea how to setup shares but the conf file had security=user set.
After the update it still works with security=user

So, cannot answer your question unless I try it on a third machine before samba is updated.
Comment 18 Len Lawrence 2017-09-01 14:14:56 CEST
Tried that and now all my samba shares have vanished.  Sigh!
Comment 19 James Kerr 2017-09-01 15:43:09 CEST
When I set up samba on mga6-64, draksambashare offered security=user as the default. It does continue to offer the deprecated security=share as an option. (I confirmed this by setting up samba on mga6-32 in a vbox VM using the updated packages.) This issue is discussed in bug#21117.


I only use samba for simple file sharing and have only one share defined. After updating these packages I continue to have read/write access to the share from other systems, including win7 (in a vbox VM).

CC: (none) => jim

Comment 20 Lewis Smith 2017-09-01 21:21:19 CEST
@ Len : really sorry for your head-banging in vain. Not intended.
@ James : thanks for your test; and important note on the 'security' issue.
@ Brian : "on mga6-64, draksambashare offered security=user as the default."
Which is as it should be.
If you find that any other Mageia Samba utility does otherwise, can you (if you did not already) raise a bug for *that*?

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 21 Brian Rockwell 2017-09-01 22:24:42 CEST
bug#21117 was already submitted.

I also tried to administer through a caja extension which failed.  I can look to see if it messes up that setting.

Brian
Comment 22 Nicolas Lécureuil 2017-09-01 22:49:58 CEST
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs…              (None found)
Checking SRPMs…                       (5/core/samba-4.6.7-1.mga6)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 23 David Walser 2017-09-01 23:22:45 CEST
(In reply to Nicolas Lécureuil from comment #22)
> Update ID assignment failed
> 
> Checking for QA validation keyword…
> Checking dependent bugs…              (None found)
> Checking SRPMs…                       (5/core/samba-4.6.7-1.mga6)
> 
> 
> 'validated_update' keyword reset.

Fixed.  Please don't remove validated_update when this happens; remove advisory from the whiteboard instead.  Thanks.

Keywords: (none) => validated_update

Comment 24 Mageia Robot 2017-09-03 16:32:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0326.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

