Upstream has issued advisories on November 9:
https://www.samba.org/samba/security/CVE-2016-2124.html
https://www.samba.org/samba/security/CVE-2020-25717.html
https://www.samba.org/samba/security/CVE-2020-25718.html
https://www.samba.org/samba/security/CVE-2020-25719.html
https://www.samba.org/samba/security/CVE-2020-25721.html
https://www.samba.org/samba/security/CVE-2020-25722.html
https://www.samba.org/samba/security/CVE-2021-3738.html
https://www.samba.org/samba/security/CVE-2021-23192.html

The issues are fixed upstream in 4.15.2, 4.14.10, 4.13.14.
Debian has issued an advisory for this on November 9: https://www.debian.org/security/2021/dsa-5003
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29658
Ubuntu has issued an advisory for this on November 11:
https://ubuntu.com/security/notices/USN-5142-1

CVE-2021-3671 may also affect Samba if it's built with internal heimdal.
SUSE has issued an advisory for this on November 10:
https://lists.suse.com/pipermail/sle-security-updates/2021-November/009716.html

Apparently CVE-2020-25718 and CVE-2021-3738 are actually in ldb.
Source RPM: samba-4.12.15-1.mga8.src.rpm => samba-4.12.15-1.mga8.src.rpm, ldb-2.1.5-1.mga8.src.rpm
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36K5HNX67LYX5XOVQRL3MSIC5YSJ5M5W/
SUSE advisory for fixing the upstream regression for the CVE-2020-25717 fix: https://lists.suse.com/pipermail/sle-security-updates/2021-November/009724.html
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DJMHDQABDOOUGOYNHF2X56XA57GXYYSN/
Fedora has issued an advisory for this on November 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QVXLHLIEQEAN7TGOH56LUEA6P4Y4GIZB/
Buchan, do you think we can update the samba4 version?
CC: (none) => mageia
Yes, that might be the easiest. If I don't manage to get patches for samba 4.12.x (and friends) today, I'll look at upgrading to 4.13.x or newer.
Do you need help? I can take some time to update samba and deps.
Fedora has issued advisories for this today (December 1): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TD6C444QAV5EBQMTPDWKK62S7AGAYO3X/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KWT77JQ7DSKY22Q3CQ4SAFAN7Q5KW2PF/
I've submitted the following packages to core/updates_testing for 8:

* talloc-2.3.2-1.mga8
talloc-2.3.2-1.mga8
lib64talloc2-2.3.2-1.mga8
lib64talloc-devel-2.3.2-1.mga8
python3-talloc-2.3.2-1.mga8
lib64pytalloc-util2-2.3.2-1.mga8
lib64pytalloc-util-devel-2.3.2-1.mga8
talloc-debuginfo-2.3.2-1.mga8
talloc-debugsource-2.3.2-1.mga8

* ldb-2.3.2-1.mga8
ldb-2.3.2-1.mga8
lib64ldb2-2.3.2-1.mga8
ldb-utils-2.3.2-1.mga8
lib64ldb-devel-2.3.2-1.mga8
python3-ldb-2.3.2-1.mga8
lib64pyldb-util2-2.3.2-1.mga8
lib64pyldb-util-devel-2.3.2-1.mga8
ldb-debuginfo-2.3.2-1.mga8
ldb-debugsource-2.3.2-1.mga8

* samba-4.14.10-1.mga8
samba-4.14.10-1.mga8
samba-client-4.14.10-1.mga8
samba-common-4.14.10-1.mga8
samba-dc-4.14.10-1.mga8
lib64samba-dc0-4.14.10-1.mga8
lib64kdc-samba4_2-4.14.10-1.mga8
lib64heimntlm-samba4_1-4.14.10-1.mga8
lib64samba-devel-4.14.10-1.mga8
samba-krb5-printing-4.14.10-1.mga8
lib64samba1-4.14.10-1.mga8
lib64smbclient0-4.14.10-1.mga8
lib64smbclient-devel-4.14.10-1.mga8
lib64wbclient0-4.14.10-1.mga8
lib64wbclient-devel-4.14.10-1.mga8
python3-samba-4.14.10-1.mga8
samba-test-4.14.10-1.mga8
lib64samba-test0-4.14.10-1.mga8
lib64samba-test-devel-4.14.10-1.mga8
samba-winbind-4.14.10-1.mga8
samba-winbind-clients-4.14.10-1.mga8
samba-winbind-krb5-locator-4.14.10-1.mga8
samba-winbind-modules-4.14.10-1.mga8
ctdb-4.14.10-1.mga8
ctdb-devel-4.14.10-1.mga8
ctdb-tests-4.14.10-1.mga8
samba-debuginfo-4.14.10-1.mga8
samba-debugsource-4.14.10-1.mga8

sssd may also need a rebuild for ldb, which I haven't done.

I haven't had time to do much testing besides that samba installs and runs and does the basics.
Assignee: bgmilne => bugsquad
Status: NEW => ASSIGNED
CC: (none) => bgmilne
Assignee: bugsquad => qa-bugs
sssd *always* needs rebuilt when ldb is updated. Please don't forget it in the future. I've submitted the rebuild. (also thanks for listing RPMs, but don't include debug ones).

sssd-ipa-2.4.0-1.3.mga8
libsss_idmap-devel-2.4.0-1.3.mga8
sssd-tools-2.4.0-1.3.mga8
libsss_simpleifp-devel-2.4.0-1.3.mga8
sssd-kcm-2.4.0-1.3.mga8
sssd-ad-2.4.0-1.3.mga8
libsss_certmap-devel-2.4.0-1.3.mga8
libipa_hbac-devel-2.4.0-1.3.mga8
libsss_nss_idmap-devel-2.4.0-1.3.mga8
sssd-dbus-2.4.0-1.3.mga8
sssd-krb5-common-2.4.0-1.3.mga8
sssd-client-2.4.0-1.3.mga8
sssd-common-pac-2.4.0-1.3.mga8
python3-sssdconfig-2.4.0-1.3.mga8
sssd-ldap-2.4.0-1.3.mga8
sssd-proxy-2.4.0-1.3.mga8
libsss_certmap-2.4.0-1.3.mga8
sssd-krb5-2.4.0-1.3.mga8
libsss_nss_idmap-2.4.0-1.3.mga8
python3-sss-2.4.0-1.3.mga8
libsss_idmap-2.4.0-1.3.mga8
libsss_autofs-2.4.0-1.3.mga8
libipa_hbac-2.4.0-1.3.mga8
python3-libipa_hbac-2.4.0-1.3.mga8
sssd-nfs-idmap-2.4.0-1.3.mga8
libsss_sudo-2.4.0-1.3.mga8
sssd-2.4.0-1.3.mga8
libsss_simpleifp-2.4.0-1.3.mga8
python3-libsss_nss_idmap-2.4.0-1.3.mga8
sssd-winbind-idmap-2.4.0-1.3.mga8
python3-sss-murmur-2.4.0-1.3.mga8
sssd-common-2.4.0-1.3.mga8

from sssd-2.4.0-1.3.mga8.src.rpm
There were apparently some regressions fixed in later commits upstream: https://ubuntu.com/security/notices/USN-5142-2
Keywords: (none) => feedback
We need to check, but they updated to 4.13.14 and we updated to 4.14.10.
It looks like the upstream fixes were committed after the last releases were tagged.
(In reply to David Walser from comment #14) > There were apparently some regressions fixed in later commits upstream: > https://ubuntu.com/security/notices/USN-5142-2 I included fixes for the bugs listed in the updated Samba notice at https://www.samba.org/samba/latest_news.html or posted on the samba-announce@lists.samba.org list: See http://svnweb.mageia.org/packages/updates/8/samba/current/SPECS/samba.spec?revision=1760876&view=markup#l115 * https://bugzilla.samba.org/show_bug.cgi?id=14899 : https://gitlab.com/samba-team/samba/-/commit/5b1d789632fe67708e64ab9fc4f5b10408699682 * https://bugzilla.samba.org/show_bug.cgi?id=14901 : https://gitlab.com/samba-team/samba/-/commit/8ccb26c679ba0b909cbba654d00797f99580679f * https://bugzilla.samba.org/show_bug.cgi?id=14918: - hasn't been posted anywhere official - the fix for it ( https://gitlab.com/samba-team/samba/-/merge_requests/2275 , https://gitlab.com/samba-team/samba/-/commit/0f7e58b0e29778711d3385adbba957c175c3bdef ) was merged after my packages had uploaded - it hasn't been backported to any other branches - it doesn't apply cleanly + /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/5b1d789632fe67708e64ab9fc4f5b10408699682.diff + /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch + /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/8ccb26c679ba0b909cbba654d00797f99580679f.diff + /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch + /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/0f7e58b0e29778711d3385adbba957c175c3bdef.diff + /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch 1 out of 1 hunk FAILED -- saving rejects to file python/samba/netcmd/domain_backup.py.rej error: Bad exit status from /var/tmp/rpm-tmp.uPYAlL (%prep) - the problematic code doesn't seem to exist in 4.14.10: [bgmilne@buchan-desktop samba]$ cat ~/rpmbuild/BUILD/samba-4.14.10/python/samba/netcmd/domain_backup.py.rej --- python/samba/netcmd/domain_backup.py +++ 
python/samba/netcmd/domain_backup.py @@ -1128,9 +1128,9 @@ class cmd_domain_backup_offline(samba.netcmd.Command): # duplicates if one backup dir is a subdirectory of another, # or if backup dirs contain hardlinks. try: - s = os.stat(full_path) + s = os.stat(full_path, follow_symlinks=False) except FileNotFoundError: - logger.info(f"{full_path} does not exist (dangling symlink?)") + logger.warning(f"{full_path} does not exist!") continue if (s.st_ino, s.st_dev) in all_stats: [bgmilne@buchan-desktop samba]$ grep -E '(FileNotFoundError|does not exist)' ~/rpmbuild/BUILD/samba-4.14.10/python/samba/netcmd/domain_backup.py [bgmilne@buchan-desktop samba]$ So, I think we can proceed to testing.
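Review bot: The empty grep does not show that the first change in the rejected hunk is inapplicable to 4.14.10. The pattern '(FileNotFoundError|does not exist)' only matches the except branch and its log message, not the os.stat(full_path) call that the hunk changes to os.stat(full_path, follow_symlinks=False). Before dropping the patch, also grep domain_backup.py in the 4.14.10 build tree for 'os.stat(full_path' and, if the call is present, rebase the hunk onto that context instead of concluding the problematic code is absent.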
Nope. I don't know why upstream didn't just do more tarballs again. Anyway, you can see here: https://git.samba.org/samba.git/?p=samba.git;a=shortlog;h=refs/heads/v4-14-test There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6. There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add. The commits for https://bugzilla.samba.org/show_bug.cgi?id=14918 are only in master but Ubuntu's backports for 4.13.x (bug14918-[12].patch) apply cleanly to our package.
> There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6.

1bd06f8cb357df0c3f3f25899cda38b6f842c659 The actual fix, which I included
8bed2c3f7a970dc8933a5215e2d9ba041c9a8759 Tests
f00c993f0c74de38d58766b1050bb13f78b42c9a May be worth pulling in, but not absolutely required
9bef6bc6cf027c3b61498b4944388940e23e7a1c Tests
ff3798418e8a77492d50dfd32deed4f11f7ba7ce Tests
8ccb26c679ba0b909cbba654d00797f99580679f Tests

> There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add.

This CVE wasn't previously listed in this bug, but I'll take a look.
> There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6.

I've included all 6 patches in -1.1

> There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add.

These are included in -1.1

> The commits for https://bugzilla.samba.org/show_bug.cgi?id=14918 are only in master but Ubuntu's backports for 4.13.x (bug14918-[12].patch) apply cleanly to our package.

1 of the 3 hunks conflicted and required some massaging to be included, but it's in -1.1

Packages (currently building on pkgsubmit, but builds fine locally):
samba-4.14.10-1.1.mga8
samba-client-4.14.10-1.1.mga8
samba-common-4.14.10-1.1.mga8
samba-dc-4.14.10-1.1.mga8
lib64samba-dc0-4.14.10-1.1.mga8
lib64kdc-samba4_2-4.14.10-1.1.mga8
lib64heimntlm-samba4_1-4.14.10-1.1.mga8
lib64samba-devel-4.14.10-1.1.mga8
samba-krb5-printing-4.14.10-1.1.mga8
lib64samba1-4.14.10-1.1.mga8
lib64smbclient0-4.14.10-1.1.mga8
lib64smbclient-devel-4.14.10-1.1.mga8
lib64wbclient0-4.14.10-1.1.mga8
lib64wbclient-devel-4.14.10-1.1.mga8
python3-samba-4.14.10-1.1.mga8
samba-test-4.14.10-1.1.mga8
lib64samba-test0-4.14.10-1.1.mga8
lib64samba-test-devel-4.14.10-1.1.mga8
samba-winbind-4.14.10-1.1.mga8
samba-winbind-clients-4.14.10-1.1.mga8
samba-winbind-krb5-locator-4.14.10-1.1.mga8
samba-winbind-modules-4.14.10-1.1.mga8
ctdb-4.14.10-1.1.mga8
ctdb-devel-4.14.10-1.1.mga8
Keywords: feedback => (none)
MGA XFCE 64

Update samba with RPMs:
lib64kdc-samba4_2 4.14.10 1.1.mga8 x86_64
lib64samba-dc0 4.14.10 1.1.mga8 x86_64
lib64samba1 4.14.10 1.1.mga8 x86_64
lib64smbclient0 4.14.10 1.1.mga8 x86_64
lib64wbclient0 4.14.10 1.1.mga8 x86_64
python3-samba 4.14.10 1.1.mga8 x86_64
samba 4.14.10 1.1.mga8 x86_64
samba-client 4.14.10 1.1.mga8 x86_64
samba-common 4.14.10 1.1.mga8 x86_64
samba-winbind 4.14.10 1.1.mga8 x86_64
samba-winbind-modules 4.14.10 1.1.mga8 x86_64

Mounting freebox server (French internet box) hard disk ok, copy and paste document ok, create document ok.

I can't connect anonymously with Thunar, while I could before with the old version.
CC: (none) => guillaume.royer
MGA8-32, Xfce 32bit, server

The following 17 packages are going to be installed:

- libkdc-samba4_2-4.14.10-1.1.mga8.i586
- libsamba-dc0-4.14.10-1.1.mga8.i586
- libsamba1-4.14.10-1.1.mga8.i586
- libsmbclient0-4.14.10-1.1.mga8.i586
- liburing1-0.7-2.mga8.i586
- libwbclient0-4.14.10-1.1.mga8.i586
- python3-ldb-2.3.2-1.mga8.i586
- python3-samba-4.14.10-1.1.mga8.i586
- python3-talloc-2.3.2-1.mga8.i586
- python3-tdb-1.4.3-1.mga8.i586
- python3-tevent-0.10.2-1.mga8.i586
- samba-4.14.10-1.1.mga8.i586
- samba-client-4.14.10-1.1.mga8.i586
- samba-common-4.14.10-1.1.mga8.i586
- samba-winbind-4.14.10-1.1.mga8.i586
- samba-winbind-clients-4.14.10-1.1.mga8.i586
- samba-winbind-modules-4.14.10-1.1.mga8.i586
- libpytalloc-util2-2.3.2-1.mga8.i586
- libtalloc2-2.3.2-1.mga8.i586
- ldb-utils-2.3.2-1.mga8.i586
- libldb2-2.3.2-1.mga8.i586
- libpyldb-util2-2.3.2-1.mga8.i586

---then went in and did all of the configuration stuff, setting up shares, users, and allowed IP's.
---reboot

I've exercised this pretty heavily with multiple clients and many GB of data movement. No issues.
CC: (none) => brtians1
Whiteboard: (none) => MGA8-32-OK
Wait a sec, what is this all about??? I see that Brian is testing the samba rpm's with the existing ldb stuff, not the new ones mentioned above. So what is needed to OK this update, only samba tested or the whole list from Comments 12 and 13??? For the moment, I'll follow Brian, just samba.
CC: (none) => herman.viaene
Selecting list from Comment 20 in QARepo gives: lib64samba-test-devel-4.14.10-1.1.mga8 not found in the remote repository ctdb-devel-4.14.10-1.1.mga8 not found in the remote repository
The packages in Comment 12 and 13 are all part of this update. Don't cherry-pick.
Also Brian did include the updated ldb packages in his test.
I am not questioning Brian's knowledge or goodwill, but he "cherry-pick"-ed from talloc and ldb, at least what he shows in Comment 22, and none of the sssd stuff from Comment 13. But OK, comment taken, I'll proceed on incorporating all in my test (not the debuginfo).
No, Brian included the ldb and talloc updates in his test. As for sssd, it can be tested independently of samba, but both require the ldb update as well.
(In reply to David Walser from comment #14) > There were apparently some regressions fixed in later commits upstream: > https://ubuntu.com/security/notices/USN-5142-2 and yet another: https://ubuntu.com/security/notices/USN-5142-3 https://bugzilla.samba.org/show_bug.cgi?id=14922 https://git.samba.org/samba.git/?p=samba.git;a=commit;h=b0d67dc3d42b81e5e35da26a333c4fcd67baab1f
> and yet another:
> https://ubuntu.com/security/notices/USN-5142-3
> https://bugzilla.samba.org/show_bug.cgi?id=14922

Sanity has prevailed, and new releases are being made available. The announcement email for 4.14.11 doesn't seem to be out, but it's tagged, release tarballs are out, and the changelog is up:
https://www.samba.org/samba/history/samba-4.14.11.html

I think it's best to ship this. All of the patches we have are included in the release, except the one for https://bugzilla.samba.org/show_bug.cgi?id=14918, so I'm keeping that.

Currently building:
samba-4.14.11-1.mga8
samba-client-4.14.11-1.mga8
samba-common-4.14.11-1.mga8
samba-dc-4.14.11-1.mga8
lib64samba-dc0-4.14.11-1.mga8
lib64kdc-samba4_2-4.14.11-1.mga8
lib64heimntlm-samba4_1-4.14.11-1.mga8
lib64samba-devel-4.14.11-1.mga8
samba-krb5-printing-4.14.11-1.mga8
lib64samba1-4.14.11-1.mga8
lib64smbclient0-4.14.11-1.mga8
lib64smbclient-devel-4.14.11-1.mga8
lib64wbclient0-4.14.11-1.mga8
lib64wbclient-devel-4.14.11-1.mga8
python3-samba-4.14.11-1.mga8
samba-test-4.14.11-1.mga8
lib64samba-test0-4.14.11-1.mga8
lib64samba-test-devel-4.14.11-1.mga8
samba-winbind-4.14.11-1.mga8
samba-winbind-clients-4.14.11-1.mga8
samba-winbind-krb5-locator-4.14.11-1.mga8
samba-winbind-modules-4.14.11-1.mga8
ctdb-4.14.11-1.mga8
ctdb-devel-4.14.11-1.mga8
Fantastic!
Keywords: feedback => (none)
Whiteboard: MGA8-32-OK => (none)
Followed David's recommendation and put all rpm's in QARepo (still omitting the debug ones).
Got:
lib64samba-test-devel-4.14.11-1.mga8 not found in the remote repository
ctdb-devel-4.14.11-1.mga8 not found in the remote repository
talloc-2.3.2-1.mga8 not found in the remote repository
ldb-2.3.2-1.mga8 not found in the remote repository
(In reply to Herman Viaene from comment #32)
> Followed David's recommendation and put all rpm's in QARepo (still omitting
> the debug ones).
> Got:
> lib64samba-test-devel-4.14.11-1.mga8 not found in the remote repository
> ctdb-devel-4.14.11-1.mga8 not found in the remote repository
> talloc-2.3.2-1.mga8 not found in the remote repository
> ldb-2.3.2-1.mga8 not found in the remote repository

Indeed, I don't know where Buchan got his package lists from.

64-bit package list (excluding sssd which is in Comment 13) should be:
samba-test-4.14.11-1.mga8
samba-dc-4.14.11-1.mga8
samba-4.14.11-1.mga8
lib64samba1-4.14.11-1.mga8
ctdb-4.14.11-1.mga8
samba-client-4.14.11-1.mga8
samba-common-4.14.11-1.mga8
samba-winbind-4.14.11-1.mga8
lib64samba-dc0-4.14.11-1.mga8
lib64smbclient0-4.14.11-1.mga8
python3-samba-4.14.11-1.mga8
samba-winbind-clients-4.14.11-1.mga8
lib64kdc-samba4_2-4.14.11-1.mga8
lib64smbclient-devel-4.14.11-1.mga8
samba-winbind-modules-4.14.11-1.mga8
lib64wbclient0-4.14.11-1.mga8
lib64heimntlm-samba4_1-4.14.11-1.mga8
lib64samba-test0-4.14.11-1.mga8
lib64samba-devel-4.14.11-1.mga8
lib64wbclient-devel-4.14.11-1.mga8
samba-krb5-printing-4.14.11-1.mga8
samba-winbind-krb5-locator-4.14.11-1.mga8
ldb-utils-2.3.2-1.mga8
lib64ldb-devel-2.3.2-1.mga8
lib64ldb2-2.3.2-1.mga8
lib64pyldb-util-devel-2.3.2-1.mga8
lib64pyldb-util2-2.3.2-1.mga8
python3-ldb-2.3.2-1.mga8
lib64pytalloc-util-devel-2.3.2-1.mga8
lib64pytalloc-util2-2.3.2-1.mga8
lib64talloc-devel-2.3.2-1.mga8
lib64talloc2-2.3.2-1.mga8
python3-talloc-2.3.2-1.mga8
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues Ref bug 27299 Comment 5 for testing Made sure smb server is running # systemctl start smb # systemctl -l status smb ● smb.service - Samba SMB Daemon Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled) Active: active (running) since Fri 2021-12-17 11:28:01 CET; 3s ago Docs: man:smbd(8) man:samba(7) man:smb.conf(5) Main PID: 12405 (smbd) Status: "smbd: ready to serve connections..." Tasks: 4 (limit: 9396) Memory: 7.2M CPU: 65ms CGroup: /system.slice/smb.service ├─12405 /usr/sbin/smbd --foreground --no-process-group ├─12411 /usr/sbin/smbd --foreground --no-process-group ├─12412 /usr/sbin/smbd --foreground --no-process-group └─12415 /usr/sbin/smbd --foreground --no-process-group dec 17 11:28:01 mach5.hviaene.thuis systemd[1]: Starting Samba SMB Daemon... dec 17 11:28:01 mach5.hviaene.thuis smbd[12405]: [2021/12/17 11:28:01.841716, 0] ../../lib/util/become_daemon.c:135(daemon_ready) dec 17 11:28:01 mach5.hviaene.thuis smbd[12405]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections dec 17 11:28:01 mach5.hviaene.thuis systemd[1]: Started Samba SMB Daemon. Configure in MCC basic smb shares and user. Then as normal user, test connection to Samba server on my desktop PC: $ smbclient //mach1/herman -U herman Enter SAMBATEST\herman's password: Try "help" to get a list of possible commands. smb: \> help ? allinfo altname archive backup blocksize cancel case_sensitive cd chmod chown close del deltree dir du echo exit get getfacl geteas hardlink help history iosize lcd link lock lowercase ls l mask md mget mkdir more mput newer notify open posix posix_encrypt posix_open posix_mkdir posix_rmdir posix_unlink posix_whoami print prompt put pwd q queue quit readlink rd recurse reget rename reput rm rmdir showacls setea setmode scopy stat symlink tar tarmode timeout translate unlock volume vuid wdel logon listconnect showconnect tcon tdis tid utimes logoff .. ! 
smb: \> pwd Current directory is \\mach1\herman\ smb: \> ls . D 0 Fri Dec 17 08:42:54 2021 .. D 0 Fri Jul 31 15:14:59 2020 Viaene-2021-04-18-09-52-04.gramps N 513054 Sun Apr 18 09:52:04 2021 Viaene-2020-08-07-17-48-13.gramps N 509508 Fri Aug 7 17:48:17 2020 rpmbuild D 0 Sun Aug 16 11:16:34 2020 idkaartherman.jpg N 235947 Thu Sep 23 17:27:46 2010 Watteeuw-2020-08-29-14-22-33.gramps N 678052 Sat Aug 29 14:22:37 2020 kerst2015nedklein.ppsx N 1514274 Fri Dec 25 20:05:05 2015 .audacity-data DH 0 Tue Dec 14 08:53:04 2021 .qareporc H 123 Fri Feb 5 15:51:00 2021 and a lot more..... Repeated same smbclient test from my desktop PC to this new server, with similar results. So samba is OK for me, but do we need to test the sssd functions in this same bug to be able to OK it ?????
Yes, just a basic sssd test; it's just a rebuild against ldb so it should be fine.
MGA8-32bit on coal burning server - Installed old version and configured it - upgraded to 4.14.11 (using gui, it asked me to pick in my smb.conf file to use). I chose to use the old. restarted services working I'll look at sssd.
MGA8-32bit The following 24 packages are going to be installed: - libdhash1-0.5.0-12.mga8.i586 - libipa_hbac-2.4.0-1.3.mga8.i586 - libnl-route3_200-3.5.0-2.mga8.i586 - libsasl2-plug-gssapi-2.1.27-3.mga8.i586 - libsmbclient0-4.14.11-1.mga8.i586 - libsss_autofs-2.4.0-1.3.mga8.i586 - libsss_certmap-2.4.0-1.3.mga8.i586 - libsss_idmap-2.4.0-1.3.mga8.i586 - libsss_nss_idmap-2.4.0-1.3.mga8.i586 - libsss_sudo-2.4.0-1.3.mga8.i586 - python3-sssdconfig-2.4.0-1.3.mga8.noarch - sssd-2.4.0-1.3.mga8.i586 - sssd-ad-2.4.0-1.3.mga8.i586 - sssd-client-2.4.0-1.3.mga8.i586 - sssd-common-2.4.0-1.3.mga8.i586 - sssd-common-pac-2.4.0-1.3.mga8.i586 - sssd-dbus-2.4.0-1.3.mga8.i586 - sssd-ipa-2.4.0-1.3.mga8.i586 - sssd-krb5-2.4.0-1.3.mga8.i586 - sssd-krb5-common-2.4.0-1.3.mga8.i586 - sssd-ldap-2.4.0-1.3.mga8.i586 - sssd-nfs-idmap-2.4.0-1.3.mga8.i586 - sssd-proxy-2.4.0-1.3.mga8.i586 - sssd-winbind-idmap-2.4.0-1.3.mga8.i586 9.8MB of additional disk space will be used. [root@localhost sssd]# cd conf.d [root@localhost conf.d]# ls [root@localhost conf.d]# vi sssd.conf [root@localhost conf.d]# systemctl start sssd [root@localhost conf.d]# ps -ef | grep sssd root 5632 1 0 09:20 ? 00:00:00 /usr/sbin/sssd -i --logger=files root 5633 5632 3 09:20 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files root 5636 5632 1 09:20 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files root 5639 3213 0 09:20 pts/0 00:00:00 grep --color sssd [root@localhost conf.d]# systemctl restart smb I tried a couple of machines, I'm able to access samba and sssd is running on server. I don't know much about it, so best I can do.
Rummaged around in the info of the sssd rpm's and found that indeed sssd provides for cifs utils, so testing samba working is a reassurance. Found also sssd-tools and tested the sssctl in some aspects. # systemctl -l status sssd ● sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2021-12-20 11:35:07 CET; 20min ago Main PID: 864 (sssd) Tasks: 3 (limit: 9396) Memory: 40.8M CPU: 307ms CGroup: /system.slice/sssd.service ├─ 864 /usr/sbin/sssd -i --logger=files ├─1012 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files └─1045 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files dec 20 11:35:00 mach5.hviaene.thuis systemd[1]: Starting System Security Services Daemon... dec 20 11:35:05 mach5.hviaene.thuis sssd[864]: Starting up dec 20 11:35:05 mach5.hviaene.thuis be[implicit_files][1012]: Starting up dec 20 11:35:06 mach5.hviaene.thuis nss[1045]: Starting up dec 20 11:35:07 mach5.hviaene.thuis systemd[1]: Started System Security Services Daemon. # sssctl Usage: sssctl COMMAND COMMAND-ARGS Available commands: SSSD Status: * domain-list List available domains * domain-status Print information about domain * user-checks Print information about a user and check authentication * access-report Generate access report for a domain Information about cached content: * user-show Information about cached user * group-show Information about cached group * netgroup-show Information about cached netgroup etc.... 
# sssctl domain-list
implicit_files
# sssctl user-checks tester8
user: tester8
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: tester8
 - user id: 1000
 - group id: 1000
 - gecos: Tester8
 - home directory: /home/tester8
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: tester8
 - uidNumber: 1000
 - gidNumber: 1000
 - gecos: Tester8
 - homeDirectory: /home/tester8
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

[root@mach5 ~]# sssctl config-check
File /etc/sssd/sssd.conf does not exist. There is no configuration. SSSD will use default configuration with files provider.
Issues identified by validators: 0
Messages generated during configuration merging: 0
Used configuration snippet files: 0

@David: is that good enough as a test???
Probably. Thanks.
Whiteboard: (none) => MGA8-64-OK
Comment 36 indicates it seems to be working on 32-bit too, though Brian did not restore the OK. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Since I updated samba from QA repo, I can't connect to my NAS freebox server anonymously with Thunar. Thunar asks me to identify myself, while before I had the choice to tick the "Anonymous" box.

Other thing, when I mount (with cifs-utils) the NAS freebox server hard drive, I can't write on it. I can also read or copy files to my drive.

There are also 2 people in the French community who have a problem mounting the hard drive of their NAS. Should I comment on the original report or open a new one?

https://www.mageialinux-online.org/forum/topic-29519+cifs-et-kernel-5-15-10-desktop-1-ko.php
https://ml.mageia.org/l/arc/discuss-fr/2021-12/msg00042.html
Removing validated_update until comment 41 is resolved
CC: (none) => davidwhodgins
Keywords: validated_update => (none)
Removing the OK, too.
Whiteboard: MGA8-64-OK => (none)
Restoring the ok and validation as this is not a samba issue.

The problem with the NAS referred to by Brian Rockwell on the doc-discuss mailing list with a link to https://www.reddit.com/r/voidlinux/comments/r7g5gb/mountcifs_with_vers10_secntlm_and_kernel_515/ which links to https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

The kernel has dropped support for des (insecure) encryption which is used by the smb ntlm security type.

Users affected by this have the choices:
- Updating the equipment with newer hardware that supports reasonably secure encryption.
- Staying with kernel 5.10.78-1, which doesn't have latest kernel security updates, so should be considered insecure.
- Possibly using a fuse kernel module to add back the des support (I haven't looked into if this works).

Obviously the first option should be preferred, but if the second or third option is chosen, probably safest to confine it to a virtual system.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
(In reply to Dave Hodgins from comment #44)
>
> The kernel has dropped support for des (insecure) encryption which is used by
> the smb ntlm security type.
>

This is actually only cifs that has dropped the old ntlm support.

> Users affected by this have the choices:
> - Updating the equipment with newer hardware that supports reasonably secure
> encryption.
> - Staying with kernel 5.10.78-1, which doesn't have latest kernel security
> updates, so should be considered insecure.
> - Possibly using a fuse kernel module to add back the des support (I haven't
> looked into if this works).
>

or wait for / test next kernel update 5.15.11-3.mga8 tracked in:
https://bugs.mageia.org/show_bug.cgi?id=29813

I don't like dropping base feature support (even if they are legacy) in a stable distro release if I can avoid it without too much extra painful work for me, so I've restored legacy NTLM support in cifs...

Note that this is only done for mga8, so there is still need for end-users to think about what to do for mga9 whenever that is...
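An added example (not part of the original thread): a check that lists CIFS entries in /etc/fstab or /proc/mounts text that explicitly request a sec= mode affected by the kernel cifs change discussed above. The set of affected values (ntlm, ntlmi, lanman), the function names and the sample fstab are assumptions of this example.

```python
"""Flag CIFS mounts that ask for authentication modes removed from the kernel client."""

# "sec=" values that depend on NTLMv1/LANMAN (DES-based) hashing.
# Assumption: this set matches what the kernel commit linked above removed.
REMOVED_SEC = {"ntlm", "ntlmi", "lanman"}
CIFS_TYPES = {"cifs", "smb3"}


def parse_options(field):
    """Turn 'a,b=c' into {'a': '', 'b': 'c'} with lower-cased keys."""
    opts = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        if key:
            opts[key.strip().lower()] = value.strip()
    return opts


def find_legacy_cifs_mounts(table_text):
    """Return one finding per CIFS entry whose sec= mode was removed.

    Accepts /etc/fstab or /proc/mounts content; both use the field order
    device, mount point, type, options.
    """
    findings = []
    for lineno, raw in enumerate(table_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        fields = line.split()
        if len(fields) < 4 or fields[2].lower() not in CIFS_TYPES:
            continue  # not a CIFS mount
        opts = parse_options(fields[3])
        sec = opts.get("sec", "").lower()
        if sec in REMOVED_SEC:
            findings.append({
                "line": lineno,
                "share": fields[0],
                "mountpoint": fields[1],
                "sec": sec,
                "vers": opts.get("vers", "(default)"),
            })
    return findings


# Constructed sample fstab; host names, paths and options are made up.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=0000-0000 / ext4 defaults 1 1
//nas.example/disk /mnt/nas cifs vers=1.0,sec=ntlm,guest,uid=1000 0 0
//files.example/home /mnt/home cifs vers=3.0,sec=ntlmssp,credentials=/etc/samba/cred 0 0
#//old.example/pub /mnt/pub cifs sec=lanman 0 0
//media.example/video /mnt/video cifs sec=ntlmi,ro 0 0
//plain.example/share /mnt/share cifs guest 0 0
"""

if __name__ == "__main__":
    for f in find_legacy_cifs_mounts(SAMPLE_FSTAB):
        print("line {line}: {share} on {mountpoint} uses sec={sec} "
              "(vers={vers})".format(**f))
```

Entries that do not set sec= at all are not reported, since the check only looks at what the mount options request explicitly.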
Guillaume, please see bug 29813 for the kernel update that's currently being tested, which should fix the cifs issue.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0585.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
It seems that all issues are not solved by the samba update.

I still can't connect to my NAS freebox server anonymously with Thunar. Thunar asks me to identify myself, while before I had the choice to tick the "Anonymous" box.

I'm not alone in this case, a topic was opened on the French community forum MLO: https://www.mageialinux-online.org/forum/topic-29542+plus-d-acces-a-freebox.php

This issue is upstream, you can see it in this bug report: https://bugzilla.samba.org/show_bug.cgi?id=14935
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Don't reopen bugs for pushed updates (unless not everything was pushed).
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
This update did not fix all problems of mounting cifs file-systems, see https://bugs.mageia.org/show_bug.cgi?id=29240
CC: (none) => juergen.harms
It looks like this update also fixed CVE-2020-17049 in the bundled Kerberos code, but it's a bit confusing to figure out exactly what code: https://lists.suse.com/pipermail/sle-security-updates/2022-February/010209.html https://bugzilla.redhat.com/show_bug.cgi?id=2025721 https://bugzilla.samba.org/show_bug.cgi?id=14642
(In reply to Buchan Milne from comment #12) > I've submitted the following packages to core/updates_testing for 8: > > * talloc-2.3.2-1.mga8 I don't get it: was talloc 2.3.2 supposed to be pushed too? Because it's still in core update testing. Maybe it should be nuked if not needed?
Yes it was.
I missed it in the list when I committed the advisory to svn. I've added it to the svn advisory now, but as the update has been pushed, will need a sysadmin to manually move talloc-2.3.2-1.mga8 from core updates testing to core updates.
moved