Bug 7826 - [UPDATE REQUEST 2016.1] samba 4.6.8
: [UPDATE REQUEST 2016.1] samba 4.6.8
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
Depends on:
  Show dependency treegraph
Reported: 2017-03-31 06:53 MSD by Алзим
Modified: 2017-10-24 14:51 MSD (History)
3 users (show)

See Also:
RPM Package:
Bad POT generating:
vladimir.potapov: qa_verified+
andrey.bondrov: published+


Note You need to log in before you can comment on or make changes to this bug.
Description Алзим 2017-03-31 06:53:28 MSD
Обновилась Самба
Comment 2 Vladimir Potapov 2017-03-31 20:07:47 MSD
systemctl status samba.service 
● samba.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Пт 2017-03-31 23:55:36 +08; 11s ago
  Process: 17044 ExecStart=/usr/sbin/samba $SAMBAOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 17044 (code=exited, status=1/FAILURE)
   Status: "daemon failed to start: Samba detected misconfigured 'server role' and exited. Check logs for details"
    Error: 22 (Недопустимый аргумент)                                                                                                                                                                              
мар 31 23:55:36 tt-test-kder systemd[1]: Starting Samba AD Daemon...                                                                                                                                               
мар 31 23:55:36 tt-test-kder systemd[1]: samba.service: Supervising process 17044 which is not our child. We'll most likely not notice when it exits.                                                              
мар 31 23:55:36 tt-test-kder systemd[1]: samba.service: Main process exited, code=exited, status=1/FAILURE                                                                                                         
мар 31 23:55:36 tt-test-kder systemd[1]: Failed to start Samba AD Daemon.                                                                                                                                          
мар 31 23:55:36 tt-test-kder systemd[1]: samba.service: Unit entered failed state.                                                                                                                                 
мар 31 23:55:36 tt-test-kder systemd[1]: samba.service: Failed with result 'exit-code'.
Comment 3 Vladimir Potapov 2017-03-31 20:10:09 MSD
в KDE4 не работает расшаривание папок на компьютере.
Comment 4 Vladimir Potapov 2017-03-31 20:47:47 MSD
(In reply to comment #3)
> в KDE4 не работает расшаривание папок на компьютере.
в плазме тоже. Может, попробовать версию 4.5.7? Она должна быть более отработана.
Comment 5 Vladimir Potapov 2017-04-05 13:55:59 MSD
Sharing folders don't work
QA Denied
Comment 6 Zombie Ryushu 2017-04-07 16:26:32 MSD
Samba 4.3.x is confirmed to be Broken in AD Mode on Rosa 2014.1. It throws a Python error:

ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 136, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 138, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 1389, in check_object
       expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))

Like this,
Comment 7 Vladimir Potapov 2017-04-07 18:16:01 MSD
It's 2016.1
Comment 8 Zombie Ryushu 2017-04-07 18:20:38 MSD
Still. Samba is broken on both. I'm trying to come up with a fix for both.
Comment 9 Zombie Ryushu 2017-04-07 18:29:08 MSD
By the way, the current version is 4.6.2.
Comment 10 Алзим 2017-04-09 12:30:23 MSD
Updated to 4.6.1

Comment 11 Zombie Ryushu 2017-04-09 12:51:38 MSD
There is still an outstanding CVE and I have produced an Alternative 4.3.13 Build.
Comment 12 Vladimir Potapov 2017-04-10 08:17:57 MSD
(In reply to comment #10)
> 2016.1
> Updated to 4.6.1
> https://abf.io/build_lists/2868411
> https://abf.io/build_lists/2868412
Samba shares not work :-(
QA Denied
Comment 13 Zombie Ryushu 2017-04-10 08:55:02 MSD
What about my update/pull request?
Comment 14 Zombie Ryushu 2017-04-25 18:41:49 MSD
Changes since 4.6.2:

o  Michael Adam <obnox@samba.org>
   * BUG 12743: s3:vfs:shadow_copy2: vfs_shadow_copy2 fails to list snapshots
     from shares with GlusterFS backend.

o  Jeremy Allison <jra@samba.org>
   * BUG 12559: Fix for Solaris C compiler.
   * BUG 12628: s3: locking: Update oplock optimization for the leases era.
   * BUG 12693: Make the Solaris C compiler happy.
   * BUG 12695: s3: libgpo: Allow skipping GPO objects that don't have the
     expected LDAP attributes.
   * BUG 12747: Fix buffer overflow caused by wrong use of getgroups.

o  Hanno Boeck <hanno@hboeck.de>
   * BUG 12746: lib: debug: Avoid negative array access.
   * BUG 12748: cleanupdb: Fix a memory read error.

o  Ralph Boehme <slow@samba.org>
   * BUG 7537: streams_xattr and kernel oplocks results in
   * BUG 11961: winbindd: idmap_autorid allocates ids for unknown SIDs from other
   * BUG 12565: vfs_fruit: Resource fork open request with
   * BUG 12615: manpages/vfs_fruit: Document global options.
   * BUG 12624: lib/pthreadpool: Fix a memory leak.
   * BUG 12727: Lookup-domain for well-known SIDs on a DC.
   * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
   * BUG 12729: winbindd: Trigger possible passdb_dsdb initialisation.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 12611: credentials_krb5: use gss_acquire_cred for client-side GSSAPI
     use case.
   * BUG 12690: lib/crypto: Implement samba.crypto Python module for RC4.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
   * BUG 12723: ctdb_event monitor command crashes if event is not specified.
   * BUG 12733: ctdb-docs: Fix documentation of "-n" option to 'ctdb tool'.

o  Volker Lendecke <vl@samba.org>
   * BUG 12558: smbd: Fix smb1 findfirst with DFS.
   * BUG 12610: smbd: Do an early exit on negprot failure.
   * BUG 12699: winbindd: Fix substitution for 'template homedir'.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12554: s4:kdc: Disable principal based autodetected referral detection.
   * BUG 12613: idmap_autorid: Allocate new domain range if the callers knows
     the sid is valid.
   * BUG 12724: LINKFLAGS_PYEMBED should not contain -L/some/path.
   * BUG 12725: PAM auth with WBFLAG_PAM_GET_PWD_POLICY returns wrong policy for
     trusted domain.
   * BUG 12731: rpcclient: Allow -U'OTHERDOMAIN\user' again.

o  Christof Schmitt <cs@samba.org>
   * BUG 12725: winbindd: Fix password policy for pam authentication.

o  Andreas Schneider <asn@samba.org>
   * BUG 12554: s3:gse: Correctly handle external trusts with MIT.
   * BUG 12611: auth/credentials: Always set the realm if we set the principal
     from the ccache.
   * BUG 12686: replace: Include sysmacros.h.
   * BUG 12687: s3:vfs_expand_msdfs: Do not open the remote address as a file.
   * BUG 12704: s3:libsmb: Only print error message if kerberos use is forced.
   * BUG 12708: winbindd: Child process crashes when kerberos-authenticating
     a user with wrong password.

o  Uri Simchoni <uri@samba.org>
   * BUG 12715: vfs_fruit: Office document opens as read-only on macOS due to
     CNID semantics.
   * BUG 12737: vfs_acl_xattr: Fix failure to get ACL on Linux if memory is
Comment 15 Andrey Bondrov 2017-04-27 17:42:23 MSD
(In reply to comment #1)
> 2016.1
> Updated to 4.6.1
> ldb
> https://abf.io/build_lists/2864472
> https://abf.io/build_lists/2864473
> tevent
> https://abf.io/build_lists/2864456
> https://abf.io/build_lists/2864457
> talloc
> https://abf.io/build_lists/2864450
> https://abf.io/build_lists/2864451
> tdb
> https://abf.io/build_lists/2864463
> https://abf.io/build_lists/2864462

Please test these libraries with current Samba. Likely we can publish them before containers expire.
Comment 17 Vladimir Potapov 2017-05-04 13:31:06 MSD
Old samba not work with updated libraries :-(
QA Denied
Comment 18 Andrey Bondrov 2017-05-04 15:45:42 MSD
(In reply to comment #17)
> Old samba not work with updated libraries :-(

Does it segfault or something else?
Comment 19 Vladimir Potapov 2017-05-05 12:57:01 MSD
(In reply to comment #18)
> (In reply to comment #17)
> > Old samba not work with updated libraries :-(
> Does it segfault or something else?
sharing files not work
Comment 20 Andrey Bondrov 2017-05-05 13:00:39 MSD
(In reply to comment #19)
> > Does it segfault or something else?
> sharing files not work

Can you please try to update packages one by one in this order:
1. talloc
2. tdb
3. tevent
4. ldb

To find the library that breaks sharing?
Comment 21 Zombie Ryushu 2017-05-22 18:08:30 MSD
If we can't build Samba 4.6.x, lets try at the very least Samba 4.5.9 or 4.3.13.
Comment 22 Zombie Ryushu 2017-05-25 01:28:12 MSD
Package        : samba
CVE ID         : CVE-2017-7494

steelo discovered a remote code execution vulnerability in Samba, a
SMB/CIFS file, print, and login server for Unix. A malicious client with
access to a writable share, can take advantage of this flaw by uploading
a shared library and then cause the server to load and execute it.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.2.14+dfsg-0+deb8u6.

We recommend that you upgrade your samba packages.
Comment 23 Zombie Ryushu 2017-06-09 05:57:06 MSD
Changes since 4.6.4:

o  Jeremy Allison <jra@samba.org>
   * BUG 12804: s3: VFS: Catia: Ensure path name is also converted.

o  Christian Ambach <ambi@samba.org>
   * BUG 12765: s3:smbcacls add prompt for password.

o  Ralph Boehme <slow@samba.org>
   * BUG 12562: vfs_acl_xattr|tdb: Ensure create mask is at least 0666 if
     ignore_system_acls is set.
   * BUG 12702: Wrong sid->uid mapping for SIDs residing in sIDHistory.
   * BUG 12749: vfs_fruit: lp_case_sensitive() does not return a bool.
   * BUG 12766: s3/smbd: Update exclusive oplock optimisation to the lease area.
   * BUG 12798: s3/smbd: Fix exclusive lease optimisation.

o  Alexander Bokovoy <ab@samba.org>
   * BUG 12751: Allow passing trusted domain password as plain-text to PASSDB
   * BUG 12764: systemd: Fix detection of libsystemd.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 12697: ctdb-readonly: Avoid a tight loop waiting for revoke to
   * BUG 12770: ctdb-logging: Initialize DEBUGLEVEL before changing the value.

o  Shilpa Krishnareddy <skrishnareddy@panzura.com>
   * BUG 12756: notify: Fix ordering of events in notifyd.

o  Volker Lendecke <vl@samba.org>
   * BUG 12757: idmap_rfc2307: Lookup of more than two SIDs fails.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12767: samba-tool: Let 'samba-tool user syncpasswords' report deletions

o  Doug Nazar <nazard@nazar.ca>
   * BUG 12760: s3: smbd: inotify_map_mask_to_filter incorrectly indexes an

o  Andreas Schneider <asn@samba.org>
   * BUG 12687: vfs_expand_msdfs tries to open the remote address as a file

o  Martin Schwenke <martin@meltin.net>
   * BUG 12802: 'ctdb nodestatus' incorrectly displays status for all nodes with
     wrong exit code.
   * BUG 12
Comment 24 Zombie Ryushu 2017-09-04 05:17:37 MSD

It was discovered that CVS, a centralised version control system, did not
correctly handle maliciously constructed repository URLs, which allowed an
attacker to run an arbitrary shell command (CVE-2017-12836).
Comment 25 Zombie Ryushu 2017-09-04 05:20:19 MSD
*** Bug 7367 has been marked as a duplicate of this bug. ***
Comment 27 Zombie Ryushu 2017-09-09 04:37:53 MSD
There appears to be a QA Problem with the build produced.
ldb failed its tests, and as a result of this, Samba erroneously built againast ldb_version 1.1.25 instead of 1.1.29. Samba is unable to start because of it. Please fix ldb 1.1.29.
Comment 28 Zombie Ryushu 2017-09-09 13:17:45 MSD
sssd must be recmpiled. an ldb module will crash if sssd is not recompiled.
Comment 29 Zombie Ryushu 2017-09-20 12:51:30 MSD
Samba 4.6.8, 4.5.14 and 4.4.16 Security Releases Available

This is a security release in order to address the following defects:

    CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should)
    CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
    CVE-2017-12163 (CVE-2017-12163 (Server memory information leak over SMB1) 

The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
The 4.6.8 source code can be downloaded now. A patch against Samba 4.6.7 is also available. See the 4.6.8 release notes for more info.
The 4.5.14 source code can be downloaded now. A patch against Samba 4.5.13 is also available. See the 4.5.14 release notes for more info.
The 4.4.16 source code can be downloaded now. A patch against Samba 4.4.15 is also available. See the 4.4.16 release notes for more info.
Comment 31 Vladimir Potapov 2017-10-09 08:46:42 MSD
The update is sent to expanded testing
Comment 32 Vladimir Potapov 2017-10-24 12:49:21 MSD





************************ Advisory ***********************
Updated to samba 4.6.8
QA Verified