Ubuntu has issued an advisory on July 14: https://usn.ubuntu.com/usn/usn-3353-2/ It looks like the samba package in Mageia 6 may have been switched to use the embedded Heimdal Kerberos at some point, but I'm not entirely sure as MIT krb5 is still in the BuildRequires. I'm also not sure if switching it to the embedded Heimdal Kerberos was our intent. The upstream advisory is here: https://www.samba.org/samba/security/CVE-2017-11103.html It's fixed in 4.6.6: https://www.samba.org/samba/history/samba-4.6.6.html 4.6.7 fixes additional bugs: https://www.samba.org/samba/history/samba-4.6.7.html
pushed in updates_testing. src.rpm: - samba-4.6.7-1.mga6
Assignee: mageia => qa-bugs
Nicolas, so what's the story on the Kerberos for Samba 4 in Mageia 6? Is it supposed to be built against the system MIT krb5 or with the bundled Heimdal? Why? If we're going to use Heimdal, can it build against the system one?
CC: (none) => mageia
Whiteboard: (none) => feedback
Packages built for this update:
samba-4.6.7-1.mga6
samba-client-4.6.7-1.mga6
samba-common-4.6.7-1.mga6
samba-dc-4.6.7-1.mga6
libsamba-dc0-4.6.7-1.mga6
libkdc-samba4_2-4.6.7-1.mga6
libsamba-devel-4.6.7-1.mga6
samba-krb5-printing-4.6.7-1.mga6
libsamba1-4.6.7-1.mga6
libsmbclient0-4.6.7-1.mga6
libsmbclient-devel-4.6.7-1.mga6
libwbclient0-4.6.7-1.mga6
libwbclient-devel-4.6.7-1.mga6
python-samba-4.6.7-1.mga6
samba-pidl-4.6.7-1.mga6
samba-test-4.6.7-1.mga6
libsamba-test0-4.6.7-1.mga6
samba-winbind-4.6.7-1.mga6
samba-winbind-clients-4.6.7-1.mga6
samba-winbind-krb5-locator-4.6.7-1.mga6
samba-winbind-modules-4.6.7-1.mga6
ctdb-4.6.7-1.mga6
ctdb-tests-4.6.7-1.mga6
from samba-4.6.7-1.mga6.src.rpm
(In reply to David Walser from comment #2)
> Nicolas, so what's the story on the Kerberos for Samba 4 in Mageia 6? Is it
> supposed to be built against the system MIT krb5 or with the bundled
> Heimdal? Why? If we're going to use Heimdal, can it build against the
> system one?

Let's try this on cauldron first.
Whiteboard: feedback => (none)
Advisory:
========================

Updated samba packages fix security vulnerability:

Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Samba clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network servers or perform other attacks (CVE-2017-11103).

The samba package has been updated to version 4.6.7, fixing this issue and several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
https://www.samba.org/samba/security/CVE-2017-11103.html
https://www.samba.org/samba/history/samba-4.6.6.html
https://www.samba.org/samba/history/samba-4.6.7.html
https://usn.ubuntu.com/usn/usn-3353-2/
Advisory from comments 3 & 5.
Whiteboard: (none) => advisory
uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 16:29:48 UTC 2017 i686 i686 i686 GNU/Linux

Installed the following:

The following 25 packages are going to be installed:
- libaio1-0.3.110-4.mga6.i586
- libkdc-samba4_2-4.6.7-1.mga6.i586
- libpyldb-util1-1.1.29-1.mga6.i586
- libsamba-dc0-4.6.7-1.mga6.i586
- libsamba-test0-4.6.7-1.mga6.i586
- libsamba1-4.6.7-1.mga6.i586
- libsmbclient0-4.6.7-1.mga6.i586
- libwbclient0-4.6.7-1.mga6.i586
- perl-Parse-Yapp-1.50.0-8.mga6.noarch
- python-ldb-1.1.29-1.mga6.i586
- python-samba-4.6.7-1.mga6.i586
- python-talloc-2.1.9-1.mga6.i586
- python-tdb-1.3.13-1.mga6.i586
- python-tevent-0.9.31-1.mga6.i586
- samba-4.6.7-1.mga6.i586
- samba-client-4.6.7-1.mga6.i586
- samba-common-4.6.7-1.mga6.i586
- samba-dc-4.6.7-1.mga6.i586
- samba-krb5-printing-4.6.7-1.mga6.i586
- samba-pidl-4.6.7-1.mga6.noarch
- samba-test-4.6.7-1.mga6.i586
- samba-winbind-4.6.7-1.mga6.i586
- samba-winbind-clients-4.6.7-1.mga6.i586
- samba-winbind-krb5-locator-4.6.7-1.mga6.i586
- samba-winbind-modules-4.6.7-1.mga6.i586
41MB of additional disk space will be used.
13MB of packages will be retrieved.
Is it ok to continue?
---------

Tried making it work through our utilities, also tried updating with caja utilities. It seems samba has deprecated the line
security = share
It now only seems to accept
security = user

journalctl -xe reveals:
Aug 30 15:31:56 localhost systemd[1]: Starting Samba SMB Daemon...
-- Subject: Unit smb.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has begun starting up.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Main process exited, code=exi
Aug 30 15:31:57 localhost systemd[1]: Failed to start Samba SMB Daemon.
-- Subject: Unit smb.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit smb.service has failed.
--
-- The result is failed.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Unit entered failed state.
Aug 30 15:31:57 localhost systemd[1]: smb.service: Failed with result 'exit-code

If I change it to security = user it will start, but I'm not sure if that's useful to me.
Keywords: (none) => NEEDHELP
CC: (none) => brtians1
Whiteboard: advisory => advisory feedback
Keywords: NEEDHELP => (none)
Share mode isn't really supported in Samba 4.
That's fair, but our utilities build the smb.conf with security = share as an apparent default. That is an issue as it is no longer compatible: it creates a non-functioning share. We need to fix the utilities building and administering the smb.conf file. FYI - by hand editing I was able to get a Samba share working.

Translation - fix the utilities and bundle them with Samba.
The drakxtools are a separate issue and will need to be handled in its own update.
Whiteboard: advisory feedback => advisory
Fair enough, but someone please make this a priority. The change from share to user seems to be simple.
Unsure about this. If the smb.conf 'security' problem exists simply by installing Samba from the issued repos on M6, it is not related to this update (it behaves the same as before it), which can be OK'd. Clearly, if this problem only shows after the update, it is no good. But I do not think this is the case. It looks to me as if Brian installed Samba directly from Updates Testing. If so, this is seldom a good idea since it does not test the update process itself; nor (as here) whether a problem existed before the update anyway. So if anyone else tries this one, please install (or have already) Samba first from the normal repos, get it working (note Brian's 'security' correction share->user); then update it and check that it still works.
CC: (none) => lewyssmith
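The thread above turns on a Samba 3-era smb.conf setting (security = share) that Samba 4's smbd refuses, so the service fails at start. The following is an added example (not Mageia's or Samba's own code) of a pre-update check a QA tester could run over an smb.conf: it flags the removed setting and rewrites it to the Samba 4 form, adding `map to guest = Bad User` so shares that relied on share-level guest access keep working under `security = user`. The sample smb.conf is constructed for the example.

```python
import configparser
import re

# Constructed sample: the kind of smb.conf the old tooling wrote, with the
# Samba 3 'security = share' that Samba 4 no longer accepts.
LEGACY_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = share

[public]
   path = /srv/samba/public
   guest ok = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}} with lower-cased names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(text)
    return {s.lower(): {k.strip().lower(): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}

def audit_smb_conf(text):
    """Return findings for settings that stop smbd starting on Samba 4."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # Samba 4 defaults to security = user; 'share' mode was removed.
    if glob.get("security", "user").lower() == "share":
        findings.append("global: 'security = share' is not supported by Samba 4; "
                        "use 'security = user'")
        # With security = user, anonymous clients are refused unless
        # 'map to guest' (default: Never) maps them to the guest account.
        if glob.get("map to guest", "never").lower() == "never":
            guest_shares = sorted(
                name for name, opts in conf.items()
                if name != "global"
                and opts.get("guest ok", "no").lower() in ("yes", "true", "1"))
            if guest_shares:
                findings.append("global: add 'map to guest = Bad User' to keep guest "
                                "access for: " + ", ".join(guest_shares))
    return findings

def fix_security_share(text):
    """Rewrite 'security = share' to the Samba 4 equivalent, keeping indentation."""
    pattern = re.compile(r"^([ \t]*)security[ \t]*=[ \t]*share[ \t]*$",
                         re.IGNORECASE | re.MULTILINE)
    return pattern.sub(r"\1security = user\n\1map to guest = Bad User", text)
```

Running audit_smb_conf on a config before and after the rewrite shows whether the share would have failed for the reason seen in this bug rather than because of the package update itself.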
Installed with security=user from the utility (4.6.5). I then went back and patched to 4.6.7. Restarted services - working as designed on 64-bit.

$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Whiteboard: advisory => advisory mga6-32-ok mga6-64-ok
@lewis Looking at this but have to read the manual first. After several hours trying to set things up via draksamba I am nowhere near setting up the shares. The smb server is running on three machines for one user.
CC: (none) => tarazed25
Using 'security = user', smb started on one machine. Copied the smb.conf to another machine and smb failed:
STATUS=daemon failed to start: Samba detected misconfigured 'server role'
Probably need to change one of the parameters but don't know what to look for.
Nope. It was a permissions problem. @lewis: pre-update I had no idea how to set up shares, but the conf file had security=user set. After the update it still works with security=user. So, I cannot answer your question unless I try it on a third machine before samba is updated.
Tried that and now all my samba shares have vanished. Sigh!
When I set up samba on mga6-64, draksambashare offered security=user as the default. It does continue to offer the deprecated security=share as an option. (I confirmed this by setting up samba on mga6-32 in a vbox VM using the updated packages.) This issue is discussed in bug#21117. I only use samba for simple file sharing and have only one share defined. After updating these packages I continue to have read/write access to the share from other systems, including win7 (in a vbox VM).
CC: (none) => jim
@ Len : really sorry for your head-banging in vain. Not intended. @ James : thanks for your test; and important note on the 'security' issue. @ Brian : "on mga6-64, draksambashare offered security=user as the default." Which is as it should be. If you find that any other Mageia Samba utility does otherwise, can you (if you did not already) raise a bug for *that*?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
bug#21117 was already submitted. I also tried to administer through a caja extension which failed. I can look to see if it messes up that setting. Brian
Update ID assignment failed

Checking for QA validation keyword… ✔
Checking dependent bugs… ✔ (None found)
Checking SRPMs… ✔ (5/core/samba-4.6.7-1.mga6)

'validated_update' keyword reset.
Keywords: validated_update => (none)
(In reply to Nicolas Lécureuil from comment #22)
> Update ID assignment failed
>
> Checking for QA validation keyword… ✔
> Checking dependent bugs… ✔ (None found)
> Checking SRPMs… ✔ (5/core/samba-4.6.7-1.mga6)
>
>
> 'validated_update' keyword reset.

Fixed. Please don't remove validated_update when this happens; remove advisory from the whiteboard instead. Thanks.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0326.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED