Bug 29641 - samba new security issues CVE-2016-2124, CVE-2020-2571[7-9], CVE-2020-2572[12], CVE-2021-3738, CVE-2021-23192
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
 
Reported: 2021-11-10 15:25 CET by David Walser
Modified: 2022-07-21 10:43 CEST

Source RPM: samba-4.12.15-1.mga8.src.rpm, ldb-2.1.5-1.mga8.src.rpm

Comment 1 David Walser 2021-11-10 15:27:02 CET
Debian has issued an advisory for this on November 9:
https://www.debian.org/security/2021/dsa-5003
David Walser 2021-11-12 21:50:50 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29658

Comment 2 David Walser 2021-11-12 21:51:29 CET
Ubuntu has issued an advisory for this on November 11:
https://ubuntu.com/security/notices/USN-5142-1

CVE-2021-3671 may also affect Samba if it's built with internal heimdal.
Comment 3 David Walser 2021-11-12 21:54:22 CET
SUSE has issued an advisory for this on November 10:
https://lists.suse.com/pipermail/sle-security-updates/2021-November/009716.html

Apparently CVE-2020-25718 and CVE-2021-3738 are actually in ldb.

Source RPM: samba-4.12.15-1.mga8.src.rpm => samba-4.12.15-1.mga8.src.rpm, ldb-2.1.5-1.mga8.src.rpm

Comment 5 David Walser 2021-11-16 17:19:00 CET
SUSE advisory for fixing the upstream regression for the CVE-2020-25717 fix:
https://lists.suse.com/pipermail/sle-security-updates/2021-November/009724.html
Comment 7 David Walser 2021-11-19 19:46:59 CET
Fedora has issued an advisory for this on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QVXLHLIEQEAN7TGOH56LUEA6P4Y4GIZB/
Comment 8 Nicolas Lécureuil 2021-11-22 21:57:17 CET
Buchan,

Do you think we can update the samba4 version?

CC: (none) => mageia

Comment 9 Buchan Milne 2021-11-23 08:34:41 CET
Yes, that might be the easiest.

If I don't manage to get patches for samba 4.12.x (and friends) today, I'll look at upgrading to 4.13.x or newer.
Comment 10 Nicolas Lécureuil 2021-12-01 00:38:18 CET
Do you need help? I can take some time to update samba and deps.
Comment 12 Buchan Milne 2021-12-06 07:45:53 CET
I've submitted the following packages to core/updates_testing for 8:

* talloc-2.3.2-1.mga8
talloc-2.3.2-1.mga8
lib64talloc2-2.3.2-1.mga8
lib64talloc-devel-2.3.2-1.mga8
python3-talloc-2.3.2-1.mga8
lib64pytalloc-util2-2.3.2-1.mga8
lib64pytalloc-util-devel-2.3.2-1.mga8
talloc-debuginfo-2.3.2-1.mga8
talloc-debugsource-2.3.2-1.mga8

* ldb-2.3.2-1.mga8
ldb-2.3.2-1.mga8
lib64ldb2-2.3.2-1.mga8
ldb-utils-2.3.2-1.mga8
lib64ldb-devel-2.3.2-1.mga8
python3-ldb-2.3.2-1.mga8
lib64pyldb-util2-2.3.2-1.mga8
lib64pyldb-util-devel-2.3.2-1.mga8
ldb-debuginfo-2.3.2-1.mga8
ldb-debugsource-2.3.2-1.mga8

* samba-4.14.10-1.mga8
samba-4.14.10-1.mga8
samba-client-4.14.10-1.mga8
samba-common-4.14.10-1.mga8
samba-dc-4.14.10-1.mga8
lib64samba-dc0-4.14.10-1.mga8
lib64kdc-samba4_2-4.14.10-1.mga8
lib64heimntlm-samba4_1-4.14.10-1.mga8
lib64samba-devel-4.14.10-1.mga8
samba-krb5-printing-4.14.10-1.mga8
lib64samba1-4.14.10-1.mga8
lib64smbclient0-4.14.10-1.mga8
lib64smbclient-devel-4.14.10-1.mga8
lib64wbclient0-4.14.10-1.mga8
lib64wbclient-devel-4.14.10-1.mga8
python3-samba-4.14.10-1.mga8
samba-test-4.14.10-1.mga8
lib64samba-test0-4.14.10-1.mga8
lib64samba-test-devel-4.14.10-1.mga8
samba-winbind-4.14.10-1.mga8
samba-winbind-clients-4.14.10-1.mga8
samba-winbind-krb5-locator-4.14.10-1.mga8
samba-winbind-modules-4.14.10-1.mga8
ctdb-4.14.10-1.mga8
ctdb-devel-4.14.10-1.mga8
ctdb-tests-4.14.10-1.mga8
samba-debuginfo-4.14.10-1.mga8
samba-debugsource-4.14.10-1.mga8


sssd may also need a rebuild for ldb, which I haven't done.

I haven't had time to do much testing besides that samba installs and runs and does the basics.

Assignee: bgmilne => bugsquad
Status: NEW => ASSIGNED

Buchan Milne 2021-12-06 07:46:23 CET

CC: (none) => bgmilne

Nicolas Lécureuil 2021-12-06 08:15:25 CET

Assignee: bugsquad => qa-bugs

Comment 13 David Walser 2021-12-06 16:16:22 CET
sssd *always* needs rebuilt when ldb is updated.  Please don't forget it in the future.  I've submitted the rebuild.  (also thanks for listing RPMs, but don't include debug ones).

sssd-ipa-2.4.0-1.3.mga8
libsss_idmap-devel-2.4.0-1.3.mga8
sssd-tools-2.4.0-1.3.mga8
libsss_simpleifp-devel-2.4.0-1.3.mga8
sssd-kcm-2.4.0-1.3.mga8
sssd-ad-2.4.0-1.3.mga8
libsss_certmap-devel-2.4.0-1.3.mga8
libipa_hbac-devel-2.4.0-1.3.mga8
libsss_nss_idmap-devel-2.4.0-1.3.mga8
sssd-dbus-2.4.0-1.3.mga8
sssd-krb5-common-2.4.0-1.3.mga8
sssd-client-2.4.0-1.3.mga8
sssd-common-pac-2.4.0-1.3.mga8
python3-sssdconfig-2.4.0-1.3.mga8
sssd-ldap-2.4.0-1.3.mga8
sssd-proxy-2.4.0-1.3.mga8
libsss_certmap-2.4.0-1.3.mga8
sssd-krb5-2.4.0-1.3.mga8
libsss_nss_idmap-2.4.0-1.3.mga8
python3-sss-2.4.0-1.3.mga8
libsss_idmap-2.4.0-1.3.mga8
libsss_autofs-2.4.0-1.3.mga8
libipa_hbac-2.4.0-1.3.mga8
python3-libipa_hbac-2.4.0-1.3.mga8
sssd-nfs-idmap-2.4.0-1.3.mga8
libsss_sudo-2.4.0-1.3.mga8
sssd-2.4.0-1.3.mga8
libsss_simpleifp-2.4.0-1.3.mga8
python3-libsss_nss_idmap-2.4.0-1.3.mga8
sssd-winbind-idmap-2.4.0-1.3.mga8
python3-sss-murmur-2.4.0-1.3.mga8
sssd-common-2.4.0-1.3.mga8

from sssd-2.4.0-1.3.mga8.src.rpm
Comment 14 David Walser 2021-12-06 19:12:15 CET
There were apparently some regressions fixed in later commits upstream:
https://ubuntu.com/security/notices/USN-5142-2

Keywords: (none) => feedback

Comment 15 Nicolas Lécureuil 2021-12-06 23:36:15 CET
We need to check, but they updated to 4.13.14 and we to 4.14.10.
Comment 16 David Walser 2021-12-06 23:40:16 CET
It looks like the upstream fixes were committed after the last releases were tagged.
Comment 17 Buchan Milne 2021-12-07 07:46:10 CET
(In reply to David Walser from comment #14)
> There were apparently some regressions fixed in later commits upstream:
> https://ubuntu.com/security/notices/USN-5142-2

I included fixes for the bugs listed in the updated Samba notice at https://www.samba.org/samba/latest_news.html or posted on the samba-announce@lists.samba.org list:

See http://svnweb.mageia.org/packages/updates/8/samba/current/SPECS/samba.spec?revision=1760876&view=markup#l115

* https://bugzilla.samba.org/show_bug.cgi?id=14899 :
https://gitlab.com/samba-team/samba/-/commit/5b1d789632fe67708e64ab9fc4f5b10408699682

* https://bugzilla.samba.org/show_bug.cgi?id=14901 :
https://gitlab.com/samba-team/samba/-/commit/8ccb26c679ba0b909cbba654d00797f99580679f

* https://bugzilla.samba.org/show_bug.cgi?id=14918:
- hasn't been posted anywhere official
- the fix for it ( https://gitlab.com/samba-team/samba/-/merge_requests/2275 , https://gitlab.com/samba-team/samba/-/commit/0f7e58b0e29778711d3385adbba957c175c3bdef ) was merged after my packages had uploaded
- it hasn't been backported to any other branches
- it doesn't apply cleanly

+ /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/5b1d789632fe67708e64ab9fc4f5b10408699682.diff
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
+ /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/8ccb26c679ba0b909cbba654d00797f99580679f.diff
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
+ /usr/bin/cat /home/bgmilne/Downloads/source/mageia/8/samba/SOURCES/0f7e58b0e29778711d3385adbba957c175c3bdef.diff
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
1 out of 1 hunk FAILED -- saving rejects to file python/samba/netcmd/domain_backup.py.rej
error: Bad exit status from /var/tmp/rpm-tmp.uPYAlL (%prep)

- the problematic code doesn't seem to exist in 4.14.10:

[bgmilne@buchan-desktop samba]$ cat ~/rpmbuild/BUILD/samba-4.14.10/python/samba/netcmd/domain_backup.py.rej --- python/samba/netcmd/domain_backup.py
+++ python/samba/netcmd/domain_backup.py
@@ -1128,9 +1128,9 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
                     # duplicates if one backup dir is a subdirectory of another,
                     # or if backup dirs contain hardlinks.
                     try:
-                        s = os.stat(full_path)
+                        s = os.stat(full_path, follow_symlinks=False)
                     except FileNotFoundError:
-                        logger.info(f"{full_path} does not exist (dangling symlink?)")
+                        logger.warning(f"{full_path} does not exist!")
                         continue
 
                     if (s.st_ino, s.st_dev) in all_stats:
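Review bot: In the os.stat(full_path, follow_symlinks=False) line, the returned st_ino/st_dev now describe the link itself rather than its target, so the "(s.st_ino, s.st_dev) in all_stats" check that follows no longer catches a file reached both directly and through a symlink, while the comment above it still gives duplicate avoidance as the purpose. That comment should say how symlinked paths are meant to be handled after this change. The reworded logger.warning fits the change, since a dangling symlink no longer raises FileNotFoundError here; the remaining trigger is a path that disappears between listing and stat, and the message could say so.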
[bgmilne@buchan-desktop samba]$ grep -E '(FileNotFoundError|does not exist)' ~/rpmbuild/BUILD/samba-4.14.10/python/samba/netcmd/domain_backup.py
[bgmilne@buchan-desktop samba]$


So, I think we can proceed to testing.
Comment 18 David Walser 2021-12-07 22:43:34 CET
Nope.  I don't know why upstream didn't just do more tarballs again.  Anyway, you can see here:
https://git.samba.org/samba.git/?p=samba.git;a=shortlog;h=refs/heads/v4-14-test

There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6.  There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add.

The commits for https://bugzilla.samba.org/show_bug.cgi?id=14918 are only in master but Ubuntu's backports for 4.13.x (bug14918-[12].patch) apply cleanly to our package.
Comment 19 Buchan Milne 2021-12-08 08:04:02 CET
> There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6.

1bd06f8cb357df0c3f3f25899cda38b6f842c659 The actual fix, which I included
8bed2c3f7a970dc8933a5215e2d9ba041c9a8759 Tests
f00c993f0c74de38d58766b1050bb13f78b42c9a May be worth pulling in, but not absolutely required
9bef6bc6cf027c3b61498b4944388940e23e7a1c Tests
ff3798418e8a77492d50dfd32deed4f11f7ba7ce Tests 
8ccb26c679ba0b909cbba654d00797f99580679f Tests


> There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add.

This CVE wasn't previously listed in this bug, but I'll take a look.
Comment 20 Buchan Milne 2021-12-10 20:27:27 CET
> There are actually 6 commits tagged with CVE-2020-25717 (which correspond to the commits listed in https://bugzilla.samba.org/show_bug.cgi?id=14901 as well as bug14901-*.patch in the Ubuntu update) and you only got the last of those 6.

I've included all 6 patches in -1.1


> There are also 7 commits tagged with CVE-2021-3670 (see https://bugzilla.samba.org/show_bug.cgi?id=14694 ) which we should also add.

These are included in -1.1

> The commits for https://bugzilla.samba.org/show_bug.cgi?id=14918 are only in master but Ubuntu's backports for 4.13.x (bug14918-[12].patch) apply cleanly to our package.

1 of the 3 hunks conflicted and required some massaging to be included, but it's in -1.1

Packages (currently building on pkgsubmit, but builds fine locally):
samba-4.14.10-1.1.mga8
samba-client-4.14.10-1.1.mga8
samba-common-4.14.10-1.1.mga8
samba-dc-4.14.10-1.1.mga8
lib64samba-dc0-4.14.10-1.1.mga8
lib64kdc-samba4_2-4.14.10-1.1.mga8
lib64heimntlm-samba4_1-4.14.10-1.1.mga8
lib64samba-devel-4.14.10-1.1.mga8
samba-krb5-printing-4.14.10-1.1.mga8
lib64samba1-4.14.10-1.1.mga8
lib64smbclient0-4.14.10-1.1.mga8
lib64smbclient-devel-4.14.10-1.1.mga8
lib64wbclient0-4.14.10-1.1.mga8
lib64wbclient-devel-4.14.10-1.1.mga8
python3-samba-4.14.10-1.1.mga8
samba-test-4.14.10-1.1.mga8
lib64samba-test0-4.14.10-1.1.mga8
lib64samba-test-devel-4.14.10-1.1.mga8
samba-winbind-4.14.10-1.1.mga8
samba-winbind-clients-4.14.10-1.1.mga8
samba-winbind-krb5-locator-4.14.10-1.1.mga8
samba-winbind-modules-4.14.10-1.1.mga8
ctdb-4.14.10-1.1.mga8
ctdb-devel-4.14.10-1.1.mga8
David Walser 2021-12-10 20:28:59 CET

Keywords: feedback => (none)

Comment 21 Guillaume Royer 2021-12-11 20:47:14 CET
MGA XFCE 64 

Update samba with RPMs:

lib64kdc-samba4_2              4.14.10      1.1.mga8      x86_64  
lib64samba-dc0                 4.14.10      1.1.mga8      x86_64  
lib64samba1                    4.14.10      1.1.mga8      x86_64  
lib64smbclient0                4.14.10      1.1.mga8      x86_64  
lib64wbclient0                 4.14.10      1.1.mga8      x86_64  
python3-samba                  4.14.10      1.1.mga8      x86_64  
samba                          4.14.10      1.1.mga8      x86_64  
samba-client                   4.14.10      1.1.mga8      x86_64  
samba-common                   4.14.10      1.1.mga8      x86_64  
samba-winbind                  4.14.10      1.1.mga8      x86_64  
samba-winbind-modules          4.14.10      1.1.mga8      x86_64  

Mounting freebox server (French internet box) hard disk ok, 
copy and paste document ok, 
create document ok
I can't connect anonymously with Thunar, while I could before with the old version.

CC: (none) => guillaume.royer

Comment 22 Brian Rockwell 2021-12-12 01:55:40 CET
MGA8-32, Xfce 32bit, server

The following 17 packages are going to be installed:

- libkdc-samba4_2-4.14.10-1.1.mga8.i586
- libsamba-dc0-4.14.10-1.1.mga8.i586
- libsamba1-4.14.10-1.1.mga8.i586
- libsmbclient0-4.14.10-1.1.mga8.i586
- liburing1-0.7-2.mga8.i586
- libwbclient0-4.14.10-1.1.mga8.i586
- python3-ldb-2.3.2-1.mga8.i586
- python3-samba-4.14.10-1.1.mga8.i586
- python3-talloc-2.3.2-1.mga8.i586
- python3-tdb-1.4.3-1.mga8.i586
- python3-tevent-0.10.2-1.mga8.i586
- samba-4.14.10-1.1.mga8.i586
- samba-client-4.14.10-1.1.mga8.i586
- samba-common-4.14.10-1.1.mga8.i586
- samba-winbind-4.14.10-1.1.mga8.i586
- samba-winbind-clients-4.14.10-1.1.mga8.i586
- samba-winbind-modules-4.14.10-1.1.mga8.i586


- libpytalloc-util2-2.3.2-1.mga8.i586
- libtalloc2-2.3.2-1.mga8.i586


- ldb-utils-2.3.2-1.mga8.i586
- libldb2-2.3.2-1.mga8.i586
- libpyldb-util2-2.3.2-1.mga8.i586

---then went in and did all of the configuration stuff, setting up shares, users, and allowed IP's.

---reboot


I've exercised this pretty heavily with multiple clients and many GB of data movement.  No issues.

CC: (none) => brtians1

Brian Rockwell 2021-12-12 01:56:24 CET

Whiteboard: (none) => MGA8-32-OK

Comment 23 Herman Viaene 2021-12-14 15:15:45 CET
Wait a sec, what is this all about??? I see that Brian is testing the samba rpm's with the existing ldb stuff, not the new ones mentioned above. So what is needed to OK this update, only samba tested or the whole list from Comments 12 and 13???

For the moment, I'll follow Brian, just samba.

CC: (none) => herman.viaene

Comment 24 Herman Viaene 2021-12-14 15:17:47 CET
Selecting list from Comment 20 in QARepo gives:
lib64samba-test-devel-4.14.10-1.1.mga8 not found in the remote repository
ctdb-devel-4.14.10-1.1.mga8 not found in the remote repository
Comment 25 David Walser 2021-12-14 15:52:51 CET
The packages in Comment 12 and 13 are all part of this update.  Don't cherry-pick.
Comment 26 David Walser 2021-12-14 15:54:29 CET
Also Brian did include the updated ldb packages in his test.
Comment 27 Herman Viaene 2021-12-14 16:11:35 CET
I am not questioning Brian's knowledge or goodwill, but he "cherry-pick"-ed from talloc and ldb, at least what he shows in Comment 22, and none of the sssd stuff from Comment 13.
But OK, comment taken, I'll proceed on incorporating all in my test (not the debuginfo).
Comment 28 David Walser 2021-12-14 16:58:50 CET
No, Brian included the ldb and talloc updates in his test.

As for sssd, it can be tested independently of samba, but both require the ldb update as well.
Comment 29 David Walser 2021-12-14 22:31:11 CET
(In reply to David Walser from comment #14)
> There were apparently some regressions fixed in later commits upstream:
> https://ubuntu.com/security/notices/USN-5142-2

and yet another:
https://ubuntu.com/security/notices/USN-5142-3
https://bugzilla.samba.org/show_bug.cgi?id=14922
https://git.samba.org/samba.git/?p=samba.git;a=commit;h=b0d67dc3d42b81e5e35da26a333c4fcd67baab1f

Keywords: (none) => feedback

Comment 30 Buchan Milne 2021-12-15 21:34:45 CET
> and yet another:
> https://ubuntu.com/security/notices/USN-5142-3
> https://bugzilla.samba.org/show_bug.cgi?id=14922

Sanity has prevailed, and new releases are being made available.

The announcement email for 4.14.11 doesn't seem to be out, but it's tagged, release tarballs are out, and the changelog is up:

https://www.samba.org/samba/history/samba-4.14.11.html

I think it's best to ship this.

All of the patches we have are included in the release, except the one for https://bugzilla.samba.org/show_bug.cgi?id=14918, so I'm keeping that.

Currently building:

samba-4.14.11-1.mga8
samba-client-4.14.11-1.mga8
samba-common-4.14.11-1.mga8
samba-dc-4.14.11-1.mga8
lib64samba-dc0-4.14.11-1.mga8
lib64kdc-samba4_2-4.14.11-1.mga8
lib64heimntlm-samba4_1-4.14.11-1.mga8
lib64samba-devel-4.14.11-1.mga8
samba-krb5-printing-4.14.11-1.mga8
lib64samba1-4.14.11-1.mga8
lib64smbclient0-4.14.11-1.mga8
lib64smbclient-devel-4.14.11-1.mga8
lib64wbclient0-4.14.11-1.mga8
lib64wbclient-devel-4.14.11-1.mga8
python3-samba-4.14.11-1.mga8
samba-test-4.14.11-1.mga8
lib64samba-test0-4.14.11-1.mga8
lib64samba-test-devel-4.14.11-1.mga8
samba-winbind-4.14.11-1.mga8
samba-winbind-clients-4.14.11-1.mga8
samba-winbind-krb5-locator-4.14.11-1.mga8
samba-winbind-modules-4.14.11-1.mga8
ctdb-4.14.11-1.mga8
ctdb-devel-4.14.11-1.mga8
Comment 31 David Walser 2021-12-16 01:41:00 CET
Fantastic!

Keywords: feedback => (none)
Whiteboard: MGA8-32-OK => (none)

Comment 32 Herman Viaene 2021-12-16 15:50:19 CET
Followed David's recommendation and put all rpm's in QARepo (still omitting the debug ones).
Got:
lib64samba-test-devel-4.14.11-1.mga8 not found in the remote repository
ctdb-devel-4.14.11-1.mga8 not found in the remote repository
talloc-2.3.2-1.mga8 not found in the remote repository
ldb-2.3.2-1.mga8 not found in the remote repository
Comment 33 David Walser 2021-12-16 19:01:31 CET
(In reply to Herman Viaene from comment #32)
> Followed david's recommendation and put all rpm's in QARepo(still omitting
> the debug ones
> Got:
> lib64samba-test-devel-4.14.11-1.mga8 not found in the remote repository
> ctdb-devel-4.14.11-1.mga8 not found in the remote repository
> talloc-2.3.2-1.mga8 not found in the remote repository
> ldb-2.3.2-1.mga8 not found in the remote repository

Indeed, I don't know where Buchan got his package lists from.

64-bit package list (excluding sssd which is in Comment 13) should be:
samba-test-4.14.11-1.mga8
samba-dc-4.14.11-1.mga8
samba-4.14.11-1.mga8
lib64samba1-4.14.11-1.mga8
ctdb-4.14.11-1.mga8
samba-client-4.14.11-1.mga8
samba-common-4.14.11-1.mga8
samba-winbind-4.14.11-1.mga8
lib64samba-dc0-4.14.11-1.mga8
lib64smbclient0-4.14.11-1.mga8
python3-samba-4.14.11-1.mga8
samba-winbind-clients-4.14.11-1.mga8
lib64kdc-samba4_2-4.14.11-1.mga8
lib64smbclient-devel-4.14.11-1.mga8
samba-winbind-modules-4.14.11-1.mga8
lib64wbclient0-4.14.11-1.mga8
lib64heimntlm-samba4_1-4.14.11-1.mga8
lib64samba-test0-4.14.11-1.mga8
lib64samba-devel-4.14.11-1.mga8
lib64wbclient-devel-4.14.11-1.mga8
samba-krb5-printing-4.14.11-1.mga8
samba-winbind-krb5-locator-4.14.11-1.mga8

ldb-utils-2.3.2-1.mga8
lib64ldb-devel-2.3.2-1.mga8
lib64ldb2-2.3.2-1.mga8
lib64pyldb-util-devel-2.3.2-1.mga8
lib64pyldb-util2-2.3.2-1.mga8
python3-ldb-2.3.2-1.mga8
lib64pytalloc-util-devel-2.3.2-1.mga8
lib64pytalloc-util2-2.3.2-1.mga8
lib64talloc-devel-2.3.2-1.mga8
lib64talloc2-2.3.2-1.mga8
python3-talloc-2.3.2-1.mga8
Comment 34 Herman Viaene 2021-12-17 11:36:45 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 27299 Comment 5 for testing
Made sure smb server is running
# systemctl start smb
# systemctl -l status smb
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-12-17 11:28:01 CET; 3s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 12405 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 4 (limit: 9396)
     Memory: 7.2M
        CPU: 65ms
     CGroup: /system.slice/smb.service
             ├─12405 /usr/sbin/smbd --foreground --no-process-group
             ├─12411 /usr/sbin/smbd --foreground --no-process-group
             ├─12412 /usr/sbin/smbd --foreground --no-process-group
             └─12415 /usr/sbin/smbd --foreground --no-process-group

dec 17 11:28:01 mach5.hviaene.thuis systemd[1]: Starting Samba SMB Daemon...
dec 17 11:28:01 mach5.hviaene.thuis smbd[12405]: [2021/12/17 11:28:01.841716,  0] ../../lib/util/become_daemon.c:135(daemon_ready)
dec 17 11:28:01 mach5.hviaene.thuis smbd[12405]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
dec 17 11:28:01 mach5.hviaene.thuis systemd[1]: Started Samba SMB Daemon.
Configure in MCC basic smb shares and user.

 Then as normal user, test connection to Samba server on my desktop PC:
$ smbclient  //mach1/herman -U herman
Enter SAMBATEST\herman's password: 
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
more           mput           newer          notify         open           
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir    
posix_unlink   posix_whoami   print          prompt         put            
pwd            q              queue          quit           readlink       
rd             recurse        reget          rename         reput          
rm             rmdir          showacls       setea          setmode        
scopy          stat           symlink        tar            tarmode        
timeout        translate      unlock         volume         vuid           
wdel           logon          listconnect    showconnect    tcon           
tdis           tid            utimes         logoff         ..             
!              
smb: \> pwd
Current directory is \\mach1\herman\
smb: \> ls
  .                                   D        0  Fri Dec 17 08:42:54 2021
  ..                                  D        0  Fri Jul 31 15:14:59 2020
  Viaene-2021-04-18-09-52-04.gramps      N   513054  Sun Apr 18 09:52:04 2021
  Viaene-2020-08-07-17-48-13.gramps      N   509508  Fri Aug  7 17:48:17 2020
  rpmbuild                            D        0  Sun Aug 16 11:16:34 2020
  idkaartherman.jpg                   N   235947  Thu Sep 23 17:27:46 2010
  Watteeuw-2020-08-29-14-22-33.gramps      N   678052  Sat Aug 29 14:22:37 2020
  kerst2015nedklein.ppsx              N  1514274  Fri Dec 25 20:05:05 2015
  .audacity-data                     DH        0  Tue Dec 14 08:53:04 2021
  .qareporc                           H      123  Fri Feb  5 15:51:00 2021
and a lot more.....

Repeated same smbclient test from my desktop PC to this new server, with similar results.
So samba is OK for me, but do we need to test the sssd functions in this same bug to be able to OK it ?????
Comment 35 David Walser 2021-12-17 15:25:52 CET
Yes, just a basic sssd test; it's just a rebuild against ldb so it should be fine.
Comment 36 Brian Rockwell 2021-12-17 16:09:58 CET
MGA8-32bit  on coal burning server

- Installed old version and configured it
- upgraded to 4.14.11 (using gui, it asked me to pick which smb.conf file to use). I chose to use the old.

restarted services

working

I'll look at sssd.
Comment 37 Brian Rockwell 2021-12-17 16:24:44 CET
MGA8-32bit

The following 24 packages are going to be installed:

- libdhash1-0.5.0-12.mga8.i586
- libipa_hbac-2.4.0-1.3.mga8.i586
- libnl-route3_200-3.5.0-2.mga8.i586
- libsasl2-plug-gssapi-2.1.27-3.mga8.i586
- libsmbclient0-4.14.11-1.mga8.i586
- libsss_autofs-2.4.0-1.3.mga8.i586
- libsss_certmap-2.4.0-1.3.mga8.i586
- libsss_idmap-2.4.0-1.3.mga8.i586
- libsss_nss_idmap-2.4.0-1.3.mga8.i586
- libsss_sudo-2.4.0-1.3.mga8.i586
- python3-sssdconfig-2.4.0-1.3.mga8.noarch
- sssd-2.4.0-1.3.mga8.i586
- sssd-ad-2.4.0-1.3.mga8.i586
- sssd-client-2.4.0-1.3.mga8.i586
- sssd-common-2.4.0-1.3.mga8.i586
- sssd-common-pac-2.4.0-1.3.mga8.i586
- sssd-dbus-2.4.0-1.3.mga8.i586
- sssd-ipa-2.4.0-1.3.mga8.i586
- sssd-krb5-2.4.0-1.3.mga8.i586
- sssd-krb5-common-2.4.0-1.3.mga8.i586
- sssd-ldap-2.4.0-1.3.mga8.i586
- sssd-nfs-idmap-2.4.0-1.3.mga8.i586
- sssd-proxy-2.4.0-1.3.mga8.i586
- sssd-winbind-idmap-2.4.0-1.3.mga8.i586

9.8MB of additional disk space will be used.



[root@localhost sssd]# cd conf.d
[root@localhost conf.d]# ls
[root@localhost conf.d]# vi sssd.conf
[root@localhost conf.d]# systemctl start sssd
[root@localhost conf.d]# ps -ef | grep sssd
root      5632     1  0 09:20 ?        00:00:00 /usr/sbin/sssd -i --logger=files
root      5633  5632  3 09:20 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
root      5636  5632  1 09:20 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root      5639  3213  0 09:20 pts/0    00:00:00 grep --color sssd
[root@localhost conf.d]# systemctl restart smb



I tried a couple of machines, I'm able to access samba and sssd is running on server.  I don't know much about it, so best I can do.
Comment 38 Herman Viaene 2021-12-20 13:44:48 CET
Rummaged around in the info of the sssd rpm's and found that indeed sssd provides for cifs utils, so testing samba working is a reassurance.
Found also sssd-tools and tested the sssctl in some aspects.

# systemctl -l status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-12-20 11:35:07 CET; 20min ago
   Main PID: 864 (sssd)
      Tasks: 3 (limit: 9396)
     Memory: 40.8M
        CPU: 307ms
     CGroup: /system.slice/sssd.service
             ├─ 864 /usr/sbin/sssd -i --logger=files
             ├─1012 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
             └─1045 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

dec 20 11:35:00 mach5.hviaene.thuis systemd[1]: Starting System Security Services Daemon...
dec 20 11:35:05 mach5.hviaene.thuis sssd[864]: Starting up
dec 20 11:35:05 mach5.hviaene.thuis be[implicit_files][1012]: Starting up
dec 20 11:35:06 mach5.hviaene.thuis nss[1045]: Starting up
dec 20 11:35:07 mach5.hviaene.thuis systemd[1]: Started System Security Services Daemon.

# sssctl 
Usage:
sssctl COMMAND COMMAND-ARGS

Available commands:

SSSD Status:
* domain-list            List available domains
* domain-status          Print information about domain
* user-checks            Print information about a user and check authentication
* access-report          Generate access report for a domain

Information about cached content:
* user-show              Information about cached user
* group-show             Information about cached group
* netgroup-show          Information about cached netgroup

etc....

# sssctl domain-list
implicit_files

# sssctl user-checks tester8
user: tester8
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: tester8
 - user id: 1000
 - group id: 1000
 - gecos: Tester8
 - home directory: /home/tester8
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: tester8
 - uidNumber: 1000
 - gidNumber: 1000
 - gecos: Tester8
 - homeDirectory: /home/tester8
 - loginShell: /bin/bash

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

[root@mach5 ~]# sssctl config-check
File /etc/sssd/sssd.conf does not exist.
There is no configuration. SSSD will use default configuration with files provider.
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

@David: is that good enough as a test???
Comment 39 David Walser 2021-12-20 15:46:40 CET
Probably.  Thanks.
Herman Viaene 2021-12-20 15:54:18 CET

Whiteboard: (none) => MGA8-64-OK

Comment 40 Thomas Andrews 2021-12-20 18:58:53 CET
Comment 36 indicates it seems to be working on 32-bit too, though Brian did not restore the OK.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 41 Guillaume Royer 2021-12-23 19:54:02 CET
Since I updated samba from QA repo, I can't connect to my NAS freebox
server anonymously with Thunar.

Thunar asks me to identify myself while before I had choice to tick case
"Anonymous".

Other thing, when I mount (with cifs-utils) NAS freebox server hard drive, I can't write on it.
I can also read or copy files to my drive.

There are also 2 people of the French community who have a problem to mount the hard drive of their NAS.

Should I comment on the original report or open a new one?

https://www.mageialinux-online.org/forum/topic-29519+cifs-et-kernel-5-15-10-desktop-1-ko.php

https://ml.mageia.org/l/arc/discuss-fr/2021-12/msg00042.html
Comment 42 Dave Hodgins 2021-12-23 20:08:07 CET
Removing validated_update until comment 41 is resolved

CC: (none) => davidwhodgins
Keywords: validated_update => (none)

Comment 43 Thomas Andrews 2021-12-24 17:41:00 CET
Removing the OK, too.

Whiteboard: MGA8-64-OK => (none)

Comment 44 Dave Hodgins 2021-12-25 03:13:35 CET
Restoring the ok and validation as this is not a samba issue.

The problem with the NAS referred to by Brian Rockwell on the doc-discuss
mailing list with a link to
https://www.reddit.com/r/voidlinux/comments/r7g5gb/mountcifs_with_vers10_secntlm_and_kernel_515/
which links to
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

The kernel has dropped support for des (insecure) encryption which is used by
the smb ntlm security type.

Users affected by this have the choices:
- Updating the equipment with newer hardware that supports reasonably secure
encryption.
- Staying with kernel 5.10.78-1, which doesn't have latest kernel security
updates, so should be considered insecure.
- Possibly using a fuse kernel module to add back the des support (I haven't
looked into if this works).

Obviously the first option should be preferred, but if the second or third option
is chosen, probably safest to confine it to a virtual system.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Comment 45 Thomas Backlund 2021-12-25 15:31:20 CET
(In reply to Dave Hodgins from comment #44)

> 
> The kernel has dropped support for des (insecure) encryption which is used by
> the smb ntlm security type.
> 

This is actually only cifs that has dropped the old ntlm support.


> Users affected by this have the choices:
> - Updating the equipment with newer hardware that supports reasonably secure
> encryption.
> - Staying with kernel 5.10.78-1, which doesn't have latest kernel security
> updates, so should be considered insecure.
> - Possibly using a fuse kernel module to add back the des support (I haven't
> looked into if this works).
> 

or wait for / test next kernel update 5.15.11-3.mga8 tracked in:
https://bugs.mageia.org/show_bug.cgi?id=29813

I don't like dropping base feature support (even if they are legacy) in a stable distro release if I can avoid it without too much extra painful work for me,
so I've restored legacy NTLM support in cifs...

Note that this is only done for mga8, so there is still need for end-users to think about what to do for mga9 whenever that is...
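
An audit for the situation described in comments 44 and 45, as an added example that is not part of the original thread: it lists cifs entries in an fstab-format file that explicitly request an authentication type such as sec=ntlm, which stop mounting once cifs no longer supports it. The function names, the sample file and the flagged sec= values other than ntlm are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): list cifs entries in an
# fstab-format file that explicitly request a legacy authentication type.

# sec= values to flag. sec=ntlm is the one discussed in the thread; the other
# two are an assumption, so adjust the list to your kernel's documentation.
LEGACY_SEC="ntlm ntlmi lanman"

# Constructed sample input; addresses are from the documentation range.
sample_fstab() {
    cat <<'EOF'
# <device>          <mountpoint>    <type> <options>                            <dump> <pass>
UUID=0000-0000      /               ext4   defaults                             1 1
//192.0.2.10/disk   /mnt/nas-old    cifs   guest,vers=1.0,sec=ntlm,uid=1000     0 0
//192.0.2.20/share  /mnt/nas-new    cifs   credentials=/etc/cifs.cred,vers=3.0  0 0
//192.0.2.30/media  /mnt/media      cifs   guest,vers=1.0                       0 0
EOF
}

# legacy_cifs_mounts FILE
# Prints "mountpoint<TAB>sec=VALUE<TAB>vers=VALUE" for every cifs entry whose
# options contain a flagged sec= value. Entries without an explicit sec= are
# not reported: what they negotiate depends on the server, not on fstab.
legacy_cifs_mounts() {
    awk -v legacy="$LEGACY_SEC" '
    BEGIN {
        n = split(legacy, names, " ")
        for (i = 1; i <= n; i++) flagged[names[i]] = 1
    }
    $1 ~ /^#/ || NF < 4 { next }   # comments, blank or short lines
    $3 != "cifs" { next }          # only cifs mounts are affected
    {
        sec = ""; vers = "unset"
        m = split($4, opt, ",")
        for (i = 1; i <= m; i++) {
            if (opt[i] ~ /^sec=/)  sec  = substr(opt[i], 5)
            if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
        }
        if (sec in flagged)
            printf "%s\tsec=%s\tvers=%s\n", $2, sec, vers
    }' "$1"
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    legacy_cifs_mounts "$1"
else
    tmp=$(mktemp)
    sample_fstab > "$tmp"
    legacy_cifs_mounts "$tmp"
    rm -f "$tmp"
fi
```

Run it against /etc/fstab before a kernel update; an empty result only means no entry names a flagged type explicitly.
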
Comment 46 Dave Hodgins 2021-12-25 19:37:22 CET
Guillaume, please see bug 29813 for the kernel update that's currently being
tested, which should fix the cifs issue.
Dave Hodgins 2021-12-25 23:29:14 CET

Keywords: (none) => advisory

Comment 47 Mageia Robot 2021-12-26 01:15:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0585.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 48 Guillaume Royer 2022-01-04 20:26:44 CET
It seems that all issues are not solved by the samba update.

I still can't connect to my NAS freebox server anonymously with Thunar.

Thunar asks me to identify myself while before I had choice to tick case
"Anonymous".

I'm not alone in this case, a topic was opened on French community forum MLO:

https://www.mageialinux-online.org/forum/topic-29542+plus-d-acces-a-freebox.php

This issue is upstream, you can see it in this bug report:

https://bugzilla.samba.org/show_bug.cgi?id=14935

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 49 David Walser 2022-01-04 20:48:51 CET
Don't reopen bugs for pushed updates (unless not everything was pushed).

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

Comment 50 Juergen Harms 2022-01-05 17:33:58 CET
This update did not fix all problems of mounting cifs file-systems, see https://bugs.mageia.org/show_bug.cgi?id=29240

CC: (none) => juergen.harms

Comment 51 David Walser 2022-02-10 21:55:58 CET
It looks like this update also fixed CVE-2020-17049 in the bundled Kerberos code, but it's a bit confusing to figure out exactly what code:
https://lists.suse.com/pipermail/sle-security-updates/2022-February/010209.html
https://bugzilla.redhat.com/show_bug.cgi?id=2025721
https://bugzilla.samba.org/show_bug.cgi?id=14642
Comment 52 Frédéric "LpSolit" Buclin 2022-07-16 21:46:27 CEST
(In reply to Buchan Milne from comment #12)
> I've submitted the following packages to core/updates_testing for 8:
> 
> * talloc-2.3.2-1.mga8

I don't get it: was talloc 2.3.2 supposed to be pushed too? Because it's still in core update testing. Maybe it should be nuked if not needed?
Comment 53 David Walser 2022-07-16 22:51:00 CEST
Yes it was.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 54 Dave Hodgins 2022-07-16 23:33:53 CEST
I missed it in the list when I committed the advisory to svn.
I've added it to the svn advisory now, but as the update has been pushed, will
need a sysadmin to manually move talloc-2.3.2-1.mga8 from core updates testing
to core updates.
Comment 55 Thomas Backlund 2022-07-21 10:43:08 CEST
moved

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

