Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Ian McWilliam <i.mcwill...@westernsydney.edu.au> writes:
>
>> Revision 1.219 / (download) - annotate - [select for diffs], Tue Apr 12
>> 17:42:09 2016 UTC (4 months, 3 weeks ago) by jca
>>
>> Update to samba-4.3.6
>>
>> i386 build by danj@, ok sthen@
>>
>> The changelog between 4.1.23 and 4.3.6 is too big to be described here.
>> The point of updating now is that 4.1.x won't receive updates for the
>> freshly published security advisories. samba-4.3.8 will follow.
>
> This is indeed the commit that introduced the regression.
>
>>
>> --without-acl-support \
>>
>> Was introduced in the 4.3.6 update just before the big Samba security update
>> for
>>
>> CVE-2015-5370 (Multiple errors in DCE-RPC code)
>> CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
>> CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
>> CVE-2016-2112 (LDAP client and server don't enforce integrity)
>> CVE-2016-2113 (Missing TLS certificate validation)
>> CVE-2016-2114 ("server signing = mandatory" not enforced)
>> CVE-2016-2115 (SMB IPC traffic is not integrity protected)
>> CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
>>
>> Now to work out the implications of re-enabling it.
>
> It's not directly related to ACLs. The root cause is that I stopped
> telling the build system to build ntvfs support, by
> removing --enable-selftest. The ntvfs code was supposedly disabled by
> default last year for production builds. The funny thing is that it
> doesn't show obvious problems at runtime, only at provisioning time.
>
> The fix below makes samba.is_ntvfs_fileserver_built() return True, and
> makes --use-ntvfs visible again in samba-tool domain provision. There
> are other problems later.
So this enables provisioning. But then, if you try to start samba_ad_dc
with the produced smb.conf, samba fails to start the 'smb' process, since
it is not registered. Which means that source4/smb_server/service_smb.c
is not baked in, even after adding --with-ntvfs-fileserver.

Now, what happens if we just use the default "server services" and
"dcerpc endpoint servers"? Just comment those lines in the config, and
samba_ad_dc will start. testparm -s says:

# Global parameters
[global]
	realm = [redacted]
	workgroup = [redacted]
	dns forwarder = [redacted]
	passdb backend = samba_dsdb
	server role = active directory domain controller
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	posix:eadb = /var/samba/private/eadb.tdb
	idmap config * : backend = tdb
	map archive = No
	map readonly = no
	store dos attributes = Yes
	vfs objects = dfs_samba4 acl_xattr posix_eadb

So samba automatically falls back to the appropriate vfs objects: ACLs
stored as extended attributes and extended attributes stored in tdb.
Which is pretty much what I discussed with upstream last year. Wheee.
$ pstree -p 93971
-+= 00001 root /sbin/init
 \-+= 93971 root /usr/local/sbin/samba -D
   |-+- 50774 root samba: task[s3fs_parent] (samba)
   | \-+= 47005 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
   |   |--- 64933 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
   |   |--- 73574 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
   |   \--- 39362 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
   |--- 42408 root samba: task[dcesrv] (samba)
   |--- 45857 root samba: task wrepl server_id[45857] (samba)
   |--- 05959 root samba: task[nbtd] (samba)
   |--- 88699 root samba: task[ldapsrv] (samba)
   |--- 83860 root samba: task[cldapd] (samba)
   |--- 72241 root samba: task[kdc] (samba)
   |--- 75053 root samba: task[dreplsrv] (samba)
   |-+- 31725 root samba: task[winbindd_parent] (samba)
   | \-+= 46653 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
   |   \--- 85593 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
   |--- 37747 root samba: task[ntp_signd] (samba)
   |--- 70158 root samba: task[kccsrv] (samba)
   |--- 50086 root samba: task[dns] (samba)
   \--- 63568 root samba: task[dnsupdate] (samba)

I have no windows machine at hand, so AD setup reports welcome.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
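As an added example (not from this thread or from the Samba project), here is a small Python check that parses testparm -s output like the [global] section above and reports whether the provisioned AD DC config relies on the acl_xattr/posix_eadb fallback rather than requesting the ntvfs 'smb' service that was not built. The sample config is constructed from the thread's output, with the redacted realm and workgroup replaced by placeholder values.

```python
import re

# Constructed sample: the thread's [global] section, trimmed, with placeholder realm/workgroup.
SAMPLE = """\
# Global parameters
[global]
\trealm = EXAMPLE.LAN
\tworkgroup = EXAMPLE
\tpassdb backend = samba_dsdb
\tserver role = active directory domain controller
\trpc_server:default = external
\tposix:eadb = /var/samba/private/eadb.tdb
\tidmap config * : backend = tdb
\tvfs objects = dfs_samba4 acl_xattr posix_eadb
"""

def parse_testparm(text):
    """Return {section: {param: value}}; names are lowercased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)    # section header such as [global]
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)       # 'idmap config * : backend = tdb' splits on first '='
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def check_ad_dc_fallback(text):
    """Return a list of problems; empty means the config matches the xattr/tdb fallback."""
    g = parse_testparm(text).get("global", {})
    problems = []
    if g.get("server role", "").lower() != "active directory domain controller":
        problems.append("server role is not 'active directory domain controller'")
    vfs = g.get("vfs objects", "").split()
    for mod in ("dfs_samba4", "acl_xattr", "posix_eadb"):   # ACLs and EAs stored without ntvfs
        if mod not in vfs:
            problems.append(f"vfs objects lacks {mod}")
    if "posix:eadb" not in g:
        problems.append("posix:eadb not set, posix_eadb has no tdb backing file")
    services = re.split(r"[\s,]+", g.get("server services", "").strip())
    if "smb" in services:                    # the ntvfs service that failed to start in the thread
        problems.append("server services requests the ntvfs 'smb' service, which is not built")
    return problems
```

Run it against real output with check_ad_dc_fallback(subprocess.check_output(["testparm", "-s"], text=True)) on the provisioned host.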