Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:
>
>> Ian McWilliam <i.mcwill...@westernsydney.edu.au> writes:
>>
>>> Revision 1.219 / (download) - annotate - [select for diffs], Tue Apr 12
>>> 17:42:09 2016 UTC (4 months, 3 weeks ago) by jca
>>>
>>> Update to samba-4.3.6
>>>
>>> i386 build by danj@, ok sthen@
>>>
>>> The changelog between 4.1.23 and 4.3.6 is too big to be described here.
>>> The point of updating now is that 4.1.x won't receive updates for the
>>> freshly published security advisories. samba-4.3.8 will follow.
>>
>> This is indeed the commit that introduced the regression.
>>
>>>
>>> --without-acl-support \
>>>
>>> Was introduced in the 4.3.6 update just before the big Samba security
>>> update for
>>>
>>> CVE-2015-5370 (Multiple errors in DCE-RPC code)
>>> CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
>>> CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
>>> CVE-2016-2112 (LDAP client and server don't enforce integrity)
>>> CVE-2016-2113 (Missing TLS certificate validation)
>>> CVE-2016-2114 ("server signing = mandatory" not enforced)
>>> CVE-2016-2115 (SMB IPC traffic is not integrity protected)
>>> CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
>>>
>>> Now to work out the implications of re-enabling it.
>>
>> It's not directly related to ACLs. The root cause is that I stopped
>> telling the build system to build ntvfs support, by
>> removing --enable-selftest. The ntvfs code was supposedly disabled by
>> default last year for production builds. The funny thing is that it
>> doesn't show obvious problems at runtime, only at provisioning time.
>>
>> The fix below makes samba.is_ntvfs_fileserver_built() return True, and
>> makes --use-ntvfs visible again in samba-tool domain provision. There
>> are other problems later.
>
> So this enables provisioning.
>
> But then, if you try to start samba_ad_dc with the produced smb.conf,
> samba fails to start the 'smb' process, since it is not registered.
> Which means that source4/smb_server/service_smb.c is not baked in, even
> after adding --with-ntvfs-fileserver.
>
> Now, what happens if we just use the default "server services" and
> "dcerpc endpoint servers"? Just comment those lines in the config, and
> samba_ad_dc will start.
>
> testparm -s says:
>
> # Global parameters
> [global]
>         realm = [redacted]
>         workgroup = [redacted]
>         dns forwarder = [redacted]
>         passdb backend = samba_dsdb
>         server role = active directory domain controller
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         posix:eadb = /var/samba/private/eadb.tdb
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr posix_eadb
>
> So samba automatically falls back to the appropriate vfs objects: ACLs
> stored as extended attributes and extended attributes stored in tdb.
> Which is pretty much what I discussed with upstream last year. Wheee.
>
> $ pstree -p 93971
> -+= 00001 root /sbin/init
>  \-+= 93971 root /usr/local/sbin/samba -D
>    |-+- 50774 root samba: task[s3fs_parent] (samba)
>    | \-+= 47005 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>    |   |--- 64933 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>    |   |--- 73574 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>    |   \--- 39362 root /usr/local/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>    |--- 42408 root samba: task[dcesrv] (samba)
>    |--- 45857 root samba: task wrepl server_id[45857] (samba)
>    |--- 05959 root samba: task[nbtd] (samba)
>    |--- 88699 root samba: task[ldapsrv] (samba)
>    |--- 83860 root samba: task[cldapd] (samba)
>    |--- 72241 root samba: task[kdc] (samba)
>    |--- 75053 root samba: task[dreplsrv] (samba)
>    |-+- 31725 root samba: task[winbindd_parent] (samba)
>    | \-+= 46653 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>    |   \--- 85593 root /usr/local/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>    |--- 37747 root samba: task[ntp_signd] (samba)
>    |--- 70158 root samba: task[kccsrv] (samba)
>    |--- 50086 root samba: task[dns] (samba)
>    \--- 63568 root samba: task[dnsupdate] (samba)
>
> I have no windows machine at hand, so AD setup reports welcome.
The diff to make --use-ntvfs available again was committed. Test reports
still welcome.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
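A pre-flight check for the failure mode discussed in this thread (an smb.conf whose "server services" asks for the ntvfs 'smb' service on a samba built without ntvfs support), run over `testparm -s` output. This is an added example, not code from the thread or from the Samba project; the default service list is assumed from the smb.conf man page and the two sample configs are constructed.

```python
# Assumed Samba 4.x AD DC default "server services" (per smb.conf(5)); a value
# beginning with + or - edits this list instead of replacing it.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

# Constructed samples: a provision done with --use-ntvfs swaps s3fs for the
# ntvfs 'smb' service; the second mirrors the testparm output in the thread.
SAMPLE_NTVFS = """\
[global]
    server role = active directory domain controller
    server services = +smb -s3fs
"""
SAMPLE_S3FS = """\
[global]
    server role = active directory domain controller
    vfs objects = dfs_samba4 acl_xattr posix_eadb
"""

def parse_global(text):
    """Return the [global] parameters of `testparm -s` output as a dict."""
    params, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def resolve_services(value):
    """Expand a "server services" value, honouring the +/- edit syntax."""
    tokens = value.replace(",", " ").split()
    if not tokens or tokens[0][0] not in "+-":
        return tokens or list(DEFAULT_SERVICES)
    services = list(DEFAULT_SERVICES)
    for t in tokens:
        if t[0] == "+" and t[1:] not in services:
            services.append(t[1:])
        elif t[0] == "-" and t[1:] in services:
            services.remove(t[1:])
    return services

def check_fileserver(params, ntvfs_built):
    """Findings that stop samba from serving files; an empty list is clean."""
    findings, services = [], resolve_services(params.get("server services", ""))
    if "smb" in services and not ntvfs_built:
        findings.append("ntvfs 'smb' service requested but not built in")
    if "s3fs" in services:
        vfs = params.get("vfs objects", "").split()
        findings += [f"s3fs without {m} in vfs objects" for m in ("dfs_samba4", "acl_xattr") if m not in vfs]
    return findings
```

Pass the output of `testparm -s` to parse_global() and the result of samba.is_ntvfs_fileserver_built() as ntvfs_built; any finding means samba_ad_dc will start without a working file server.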