Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Ian McWilliam <i.mcwill...@westernsydney.edu.au> writes:
>
>> Revision 1.219 / (download) - annotate - [select for diffs], Tue Apr 12 
>> 17:42:09 2016 UTC (4 months, 3 weeks ago) by jca 
>>
>> Update to samba-4.3.6
>>
>> i386 build by danj@, ok sthen@
>>
>> The changelog between 4.1.23 and 4.3.6 is too big to be described here.
>> The point of updating now is that 4.1.x won't receive updates for the
>> freshly published security advisories.  samba-4.3.8 will follow.
>
> This is indeed the commit that introduced the regression.
>
>>
>>  --without-acl-support \
>>
>> Was introduced in the 4.3.6 update just before the big Samba security update 
>> for
>>
>> CVE-2015-5370 (Multiple errors in DCE-RPC code)
>> CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
>> CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
>> CVE-2016-2112 (LDAP client and server don't enforce integrity)
>> CVE-2016-2113 (Missing TLS certificate validation)
>> CVE-2016-2114 ("server signing = mandatory" not enforced)
>> CVE-2016-2115 (SMB IPC traffic is not integrity protected)
>> CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
>>
>> Now to work out the implications of re-enabling it.
>
> It's not directly related to ACLs.  The root cause is that I stopped
> telling the build system to build ntvfs support, by
> removing --enable-selftest.  The ntvfs code was supposedly disabled by
> default last year for production builds.  The funny thing is that it
> doesn't show obvious problems at runtime, only at provisioning time.
>
> The fix below makes samba.is_ntvfs_fileserver_built() return True, and
> makes --use-ntvfs visible again in samba-tool domain provision.  There
> are other problems later.

So this enables provisioning.

But then, if you try to start samba_ad_dc with the produced smb.conf,
samba fails to start the 'smb' process, since it is not registered.
Which means that source4/smb_server/service_smb.c is not baked in, even
after adding --with-ntvfs-fileserver.

Now, what happens if we just use the default "server services" and
"dcerpc endpoint servers"?  Just comment those lines in the config, and
samba_ad_dc will start.

testparm -s says:

# Global parameters
[global]
        realm = [redacted]
        workgroup = [redacted]
        dns forwarder = [redacted]
        passdb backend = samba_dsdb
        server role = active directory domain controller
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        posix:eadb = /var/samba/private/eadb.tdb
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr posix_eadb

So samba automatically falls back to the appropriate vfs objects: ACLs
stored as extended attributes and extended attributes stored in tdb.
Which is pretty much what I discussed with upstream last year.  Wheee.

  $ pstree -p 93971
  -+= 00001 root /sbin/init
   \-+= 93971 root /usr/local/sbin/samba -D
     |-+- 50774 root samba: task[s3fs_parent] (samba)
     | \-+= 47005 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |   |--- 64933 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |   |--- 73574 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |   \--- 39362 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
     |--- 42408 root samba: task[dcesrv] (samba)
     |--- 45857 root samba: task wrepl server_id[45857] (samba)
     |--- 05959 root samba: task[nbtd] (samba)
     |--- 88699 root samba: task[ldapsrv] (samba)
     |--- 83860 root samba: task[cldapd] (samba)
     |--- 72241 root samba: task[kdc] (samba)
     |--- 75053 root samba: task[dreplsrv] (samba)
     |-+- 31725 root samba: task[winbindd_parent] (samba)
     | \-+= 46653 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
     |   \--- 85593 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
     |--- 37747 root samba: task[ntp_signd] (samba)
     |--- 70158 root samba: task[kccsrv] (samba)
     |--- 50086 root samba: task[dns] (samba)
     \--- 63568 root samba: task[dnsupdate] (samba)

I have no windows machine at hand, so AD setup reports welcome.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
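The workaround described in the mail (commenting out the provisioned "server services" and "dcerpc endpoint servers" lines so samba falls back to its built-in defaults), scripted as an added example that is not part of the original post or of Samba; the file paths and the sample directive values are constructed:

```shell
#!/bin/sh
# Added example, not code from the mail or from Samba.  It automates the
# step the mail describes: comment out 'server services' and
# 'dcerpc endpoint servers' in a provisioned smb.conf so samba falls
# back to its defaults (s3fs file server, embedded RPC services).
# Paths and the directive values in the sample are constructed.

# disable_ntvfs_directives SRC DST
#   Copies SRC to DST, prefixing the two directives with '# ' when they
#   appear uncommented inside [global]; every other line is kept verbatim.
disable_ntvfs_directives() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) }
        in_global && tolower($0) ~ /^[ \t]*(server services|dcerpc endpoint servers)[ \t]*=/ {
            match($0, /^[ \t]*/)            # keep the original indentation
            $0 = substr($0, 1, RLENGTH) "# " substr($0, RLENGTH + 1)
        }
        { print }
    ' "$1" > "$2"
}

# count_active_directive FILE KEY
#   Prints how many uncommented lines set KEY (0 means the default applies).
count_active_directive() {
    grep -Eic "^[ \t]*$2[ \t]*=" "$1" || true
}

# demo: constructed smb.conf resembling what a --use-ntvfs provision writes
demo() {
    dir=$(mktemp -d)
    cat > "$dir/smb.conf" <<'EOF'
# Global parameters
[global]
        realm = EXAMPLE.TEST
        workgroup = EXAMPLE
        server role = active directory domain controller
        server services = +smb -s3fs
        dcerpc endpoint servers = +winreg +srvsvc
[sysvol]
        path = /var/samba/sysvol
EOF
    disable_ntvfs_directives "$dir/smb.conf" "$dir/smb.conf.fixed"
    echo "active 'server services' lines after fix: $(count_active_directive "$dir/smb.conf.fixed" 'server services')"
    cat "$dir/smb.conf.fixed"
    rm -r "$dir"
}
demo
```

Running `testparm -s` on the fixed file then shows the effective defaults, as in the output above.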
