Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:
>
>> Ian McWilliam <i.mcwill...@westernsydney.edu.au> writes:
>>
>>> Revision 1.219 / (download) - annotate - [select for diffs], Tue Apr 12 
>>> 17:42:09 2016 UTC (4 months, 3 weeks ago) by jca 
>>>
>>> Update to samba-4.3.6
>>>
>>> i386 build by danj@, ok sthen@
>>>
>>> The changelog between 4.1.23 and 4.3.6 is too big to be described here.
>>> The point of updating now is that 4.1.x won't receive updates for the
>>> freshly published security advisories.  samba-4.3.8 will follow.
>>
>> This is indeed the commit that introduced the regression.
>>
>>>
>>>  --without-acl-support \
>>>
>>> Was introduced in the 4.3.6 update just before the big Samba security 
>>> update for
>>>
>>> CVE-2015-5370 (Multiple errors in DCE-RPC code)
>>> CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
>>> CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
>>> CVE-2016-2112 (LDAP client and server don't enforce integrity)
>>> CVE-2016-2113 (Missing TLS certificate validation)
>>> CVE-2016-2114 ("server signing = mandatory" not enforced)
>>> CVE-2016-2115 (SMB IPC traffic is not integrity protected)
>>> CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
>>>
>>> Now to work out the implications of re-enabling it.
>>
>> It's not directly related to ACLs.  The root cause is that I stopped
>> telling the build system to build ntvfs support, by
>> removing --enable-selftest.  The ntvfs code was supposedly disabled by
>> default last year for production builds.  The funny thing is that it
>> doesn't show obvious problems at runtime, only at provisioning time.
>>
>> The fix below makes samba.is_ntvfs_fileserver_built() return True, and
>> makes --use-ntvfs visible again in samba-tool domain provision.  There
>> are other problems later.
>
> So this enables provisioning.
>
> But then, if you try to start samba_ad_dc with the produced smb.conf,
> samba fails to start the 'smb' process, since it is not registered.
> Which means that source4/smb_server/service_smb.c is not baked in, even
> after adding --with-ntvfs-fileserver.
>
> Now, what happens if we just use the default "server services" and
> "dcerpc endpoint servers"?  Just comment those lines in the config, and
> samba_ad_dc will start.
>
> testparm -s says:
>
> # Global parameters
> [global]
>         realm = [redacted]
>         workgroup = [redacted]
>         dns forwarder = [redacted]
>         passdb backend = samba_dsdb
>         server role = active directory domain controller
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         posix:eadb = /var/samba/private/eadb.tdb
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr posix_eadb
>
> So samba automatically falls back to the appropriate vfs objects: ACLs
> stored as extended attributes and extended attributes stored in tdb.
> Which is pretty much what I discussed with upstream last year.  Wheee.
>
>   $ pstree -p 93971
>   -+= 00001 root /sbin/init
>    \-+= 93971 root /usr/local/sbin/samba -D
>      |-+- 50774 root samba: task[s3fs_parent] (samba)
>      | \-+= 47005 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>      |   |--- 64933 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>      |   |--- 73574 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>      |   \--- 39362 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>      |--- 42408 root samba: task[dcesrv] (samba)
>      |--- 45857 root samba: task wrepl server_id[45857] (samba)
>      |--- 05959 root samba: task[nbtd] (samba)
>      |--- 88699 root samba: task[ldapsrv] (samba)
>      |--- 83860 root samba: task[cldapd] (samba)
>      |--- 72241 root samba: task[kdc] (samba)
>      |--- 75053 root samba: task[dreplsrv] (samba)
>      |-+- 31725 root samba: task[winbindd_parent] (samba)
>      | \-+= 46653 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>      |   \--- 85593 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>      |--- 37747 root samba: task[ntp_signd] (samba)
>      |--- 70158 root samba: task[kccsrv] (samba)
>      |--- 50086 root samba: task[dns] (samba)
>      \--- 63568 root samba: task[dnsupdate] (samba)
>
> I have no windows machine at hand, so AD setup reports welcome.

The diff to make --use-ntvfs available again was committed.  Test
reports still welcome.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
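Added example (not part of this thread, and not Samba's own code): a small Python check for the situation the reply describes, an smb.conf provisioned for the ntvfs file server being fed to a samba build that does not have ntvfs compiled in. It looks for a "server services" list naming the ntvfs "smb" service and for an explicit "dcerpc endpoint servers" line, and comments both out so that samba_ad_dc falls back to its built-in defaults, which is the workaround tried above. The minimal smb.conf parser, the sample configuration (constructed, hypothetical values) and the service lists in it are my own assumptions; only the two parameter names and the "smb" versus "s3fs" distinction come from the thread.

```python
"""Audit a provisioned smb.conf for settings that need the ntvfs file
server, and comment them out so a non-ntvfs samba build can start."""
import re
from typing import Dict, List

SMBCONF = Dict[str, Dict[str, str]]

# Constructed sample (hypothetical values, not taken from the thread) of an
# smb.conf that names the ntvfs 'smb' service and pins the endpoint list.
SAMPLE_NTVFS_CONF = """\
# Global parameters
[global]
        realm = AD.EXAMPLE.TEST
        workgroup = EXAMPLE
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
        passdb backend = samba_dsdb
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/samba/sysvol
        read only = No
"""

NTVFS_SMB_SERVICE = "smb"   # source4/smb_server, only registered in ntvfs builds
S3FS_SMB_SERVICE = "s3fs"   # default: smbd children under the samba parent


def _norm_key(key: str) -> str:
    """Parameter names are matched case-insensitively and with internal
    whitespace ignored, mirroring how Samba's loadparm compares them."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> SMBCONF:
    """Minimal smb.conf parser: [sections], 'key = value' lines, '#'/';'
    comments.  A later duplicate key overrides an earlier one.  No
    'include' or 'copy' handling (assumption: plain provisioned output)."""
    conf: SMBCONF = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][_norm_key(key)] = value.strip()
    return conf


def _list_value(value: str) -> List[str]:
    """Split a comma/space separated smb.conf list value."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def ntvfs_dependencies(conf: SMBCONF) -> List[str]:
    """Return the [global] parameters that stop samba_ad_dc on a build
    without ntvfs: 'server services' naming the ntvfs 'smb' service, and
    an explicit 'dcerpc endpoint servers' list.  An explicit 's3fs'
    service list is fine and is not reported."""
    g = conf.get("global", {})
    findings: List[str] = []
    services = g.get("serverservices")
    if services is not None and NTVFS_SMB_SERVICE in _list_value(services):
        findings.append("server services")
    if "dcerpcendpointservers" in g:
        findings.append("dcerpc endpoint servers")
    return findings


def comment_out(text: str, params: List[str]) -> str:
    """Return text with the [global] lines that set any of `params`
    prefixed by '# ', leaving every other byte intact so the change can
    be reviewed with diff.  Lines in other sections are never touched."""
    wanted = {_norm_key(p) for p in params}
    out: List[str] = []
    section = None
    for raw in text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif (section == "global" and line and line[0] not in "#;"
              and "=" in line
              and _norm_key(line.split("=", 1)[0]) in wanted):
            raw = re.sub(r"^(\s*)", r"\1# ", raw, count=1)
        out.append(raw)
    return "".join(out)


def fix_for_non_ntvfs_build(text: str) -> str:
    """Comment out the ntvfs-dependent settings so Samba uses its defaults."""
    return comment_out(text, ntvfs_dependencies(parse_smb_conf(text)))


if __name__ == "__main__":
    print("ntvfs-dependent settings:",
          ntvfs_dependencies(parse_smb_conf(SAMPLE_NTVFS_CONF)))
    print(fix_for_non_ntvfs_build(SAMPLE_NTVFS_CONF))
```

Run it against `testparm -s` output (or the smb.conf itself) before starting samba_ad_dc on a build configured without ntvfs; a clean config produces an empty findings list and is returned unchanged.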
