Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: stretch Severity: normal
Hello stable release team, I want to upload a new version of samba on top of current stretch-security (2:4.5.12+dfsg-2+deb9u4). The changelog is: samba (2:4.5.16+dfsg-1) UNRELEASED; urgency=medium * New upstream release (latest 4.5.x) - Drop merged patches * Fix CVE-2018-14629 regression when there're more than 20 records on a non CNAME record. * Fix rmdir on non-empty samba directory (Closes: #915248) * Ignore nmbd start errors when there is no non-loopback interface (Closes: #893762) * Ignore nmbd start errors when there is no local IPv4 non-loopback interface (Closes: #859526) * s3:ntlm_auth: fix memory leak in manage_gensec_request() (Closes: #919611) -- Mathieu Parent <sath...@debian.org> Fri, 18 Jan 2019 07:35:15 +0100 The upstream changes are summarized in: https://www.samba.org/samba/history/samba-4.5.13.html The complete diff is too big, but can be obtained from the git repo: git diff 9014cb5484b9fe550ce6547e05135626fbd5d179..faa8dd2a11501e75fee2aeeae4e943b0b17aa38c See the attached diff of the debian directory. I will 'dch --release' before upload. Is the version numbering correct? Should I use stretch or stretch-security as dist? Regards Mathieu Parent
diff --git a/debian/changelog b/debian/changelog
index bbd5b90d9a3..a2f86eff095 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+samba (2:4.5.16+dfsg-1) UNRELEASED; urgency=medium
+
+ * New upstream release (latest 4.5.x)
+ - Drop merged patches
+ * Fix CVE-2018-14629 regression when there're more than 20 records on a non
+ CNAME record.
+ * Fix rmdir on non-empty samba directory (Closes: #915248)
+ * Ignore nmbd start errors when there is no non-loopback interface
+ (Closes: #893762)
+ * Ignore nmbd start errors when there is no local IPv4 non-loopback interface
+ (Closes: #859526)
+ * s3:ntlm_auth: fix memory leak in manage_gensec_request() (Closes: #919611)
+
+ -- Mathieu Parent <sath...@debian.org> Fri, 18 Jan 2019 07:35:15 +0100
+
 samba (2:4.5.12+dfsg-2+deb9u4) stretch-security; urgency=high
 
 * New upstream security release
diff --git a/debian/patches/CVE-2018-14629-v4-5.patch b/debian/patches/CVE-2018-14629-v4-5.patch
index 5b1c52b30cc..79d8cf76666 100644
--- a/debian/patches/CVE-2018-14629-v4-5.patch
+++ b/debian/patches/CVE-2018-14629-v4-5.patch
@@ -191,3 +191,284 @@ index bef21f6bdaf..51a86198b54 100644 -- 2.11.0 +From 6c73a2b3d77115d69f99baa2452d6539c697fc3b Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <me...@samba.org> +Date: Wed, 28 Nov 2018 15:21:56 +0100 +Subject: [PATCH 1/2] CVE-2018-14629 dns: fix CNAME loop prevention using + counter regression + +The loop prevention should only be done for CNAME records! + +Otherwise we truncate the answer records for A, AAAA or +SRV queries, which is a bad idea if you have more than 20 DCs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +--- + source4/dns_server/dns_query.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c +index 0c26f9f8fb5..19c4dc32faa 100644 +--- a/source4/dns_server/dns_query.c ++++ b/source4/dns_server/dns_query.c +@@ -439,7 +439,8 @@ static struct tevent_req *handle_authoritative_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, const char *forwarder, + struct dns_name_question *question, +- struct dns_res_rec **answers, struct dns_res_rec **nsrecs); ++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs, ++ size_t cname_depth); + static WERROR handle_authoritative_recv(struct tevent_req *req); + + struct handle_dnsrpcrec_state { +@@ -455,7 +456,8 @@ static struct tevent_req *handle_dnsrpcrec_send( + struct dns_server *dns, const char *forwarder, + const struct dns_name_question *question, + struct dnsp_DnssrvRpcRecord *rec, +- struct dns_res_rec **answers, struct dns_res_rec **nsrecs) ++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs, ++ size_t cname_depth) + { + struct tevent_req *req, *subreq; + struct handle_dnsrpcrec_state *state; +@@ -471,7 +473,7 @@ static struct tevent_req *handle_dnsrpcrec_send( + state->answers = answers; + state->nsrecs = nsrecs; + +- if (talloc_array_length(*answers) >= 
MAX_Q_RECURSION_DEPTH) { ++ if (cname_depth >= MAX_Q_RECURSION_DEPTH) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } +@@ -516,7 +518,8 @@ static struct tevent_req *handle_dnsrpcrec_send( + if (dns_authoritative_for_zone(dns, new_q->name)) { + subreq = handle_authoritative_send( + state, ev, dns, forwarder, new_q, +- state->answers, state->nsrecs); ++ state->answers, state->nsrecs, ++ cname_depth + 1); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } +@@ -600,6 +603,8 @@ struct handle_authoritative_state { + + struct dns_res_rec **answers; + struct dns_res_rec **nsrecs; ++ ++ size_t cname_depth; + }; + + static void handle_authoritative_done(struct tevent_req *subreq); +@@ -608,7 +613,8 @@ static struct tevent_req *handle_authoritative_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct dns_server *dns, const char *forwarder, + struct dns_name_question *question, +- struct dns_res_rec **answers, struct dns_res_rec **nsrecs) ++ struct dns_res_rec **answers, struct dns_res_rec **nsrecs, ++ size_t cname_depth) + { + struct tevent_req *req, *subreq; + struct handle_authoritative_state *state; +@@ -626,6 +632,7 @@ static struct tevent_req *handle_authoritative_send( + state->forwarder = forwarder; + state->answers = answers; + state->nsrecs = nsrecs; ++ state->cname_depth = cname_depth; + + werr = dns_name2dn(dns, state, question->name, &dn); + if (tevent_req_werror(req, werr)) { +@@ -647,7 +654,8 @@ static struct tevent_req *handle_authoritative_send( + subreq = handle_dnsrpcrec_send( + state, state->ev, state->dns, state->forwarder, + state->question, &state->recs[state->recs_done], +- state->answers, state->nsrecs); ++ state->answers, state->nsrecs, ++ state->cname_depth); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } +@@ -679,7 +687,8 @@ static void handle_authoritative_done(struct tevent_req *subreq) + subreq = handle_dnsrpcrec_send( + state, state->ev, state->dns, 
state->forwarder, + state->question, &state->recs[state->recs_done], +- state->answers, state->nsrecs); ++ state->answers, state->nsrecs, ++ state->cname_depth); + if (tevent_req_nomem(subreq, req)) { + return; + } +@@ -1010,7 +1019,8 @@ struct tevent_req *dns_server_process_query_send( + + subreq = handle_authoritative_send( + state, ev, dns, (forwarders == NULL ? NULL : forwarders[0]), +- &in->questions[0], &state->answers, &state->nsrecs); ++ &in->questions[0], &state->answers, &state->nsrecs, ++ 0); /* cname_depth */ + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } +@@ -1112,7 +1122,8 @@ static void dns_server_process_query_got_auth(struct tevent_req *subreq) + subreq = handle_authoritative_send(state, state->ev, state->dns, + state->forwarders->forwarder, + state->question, &state->answers, +- &state->nsrecs); ++ &state->nsrecs, ++ 0); /* cname_depth */ + + if (tevent_req_nomem(subreq, req)) { + return; +-- +2.19.2 + + +From 77fac10d0171b731bce38e5596928b6d618ed4d8 Mon Sep 17 00:00:00 2001 +From: Aaron Haslett <aaronhasl...@catalyst.net.nz> +Date: Fri, 30 Nov 2018 18:37:27 +1300 +Subject: [PATCH 2/2] CVE-2018-14629: Tests to expose regression from dns cname + loop fix + +These tests expose the regression described by Stefan Metzmacher in +discussion on the bugzilla paged linked below. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 +Signed-off-by: Aaron Haslett <aaronhasl...@catalyst.net.nz> +--- + python/samba/tests/dns.py | 97 +++++++++++++++++++++++++++++++++++++++ + selftest/knownfail.d/dns | 14 +++++- + 2 files changed, 109 insertions(+), 2 deletions(-) + +diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py +index 102269c7156..65e4a3b0b3f 100644 +--- a/python/samba/tests/dns.py ++++ b/python/samba/tests/dns.py +@@ -918,6 +918,103 @@ class TestComplexQueries(DNSTest): + max_recursion_depth = 20 + self.assertEquals(len(response.answers), max_recursion_depth) + ++ # Make sure cname limit doesn't count other records. This is a generic ++ # test called in tests below ++ def max_rec_test(self, rtype, rec_gen): ++ name = "limittestrec{0}.{1}".format(rtype, self.get_dns_domain()) ++ limit = 20 ++ num_recs_to_enter = limit + 5 ++ ++ for i in range(1, num_recs_to_enter+1): ++ ip = rec_gen(i) ++ self.make_dns_update(name, ip, rtype) ++ ++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) ++ questions = [] ++ ++ q = self.make_name_question(name, ++ rtype, ++ dns.DNS_QCLASS_IN) ++ questions.append(q) ++ self.finish_name_packet(p, questions) ++ ++ response = self.dns_transaction_udp(p, host=self.server_ip) ++ ++ self.assertEqual(len(response.answers), num_recs_to_enter) ++ ++ def test_record_limit_A(self): ++ def ip4_gen(i): ++ return "127.0.0." 
+ str(i) ++ self.max_rec_test(rtype=dns.DNS_QTYPE_A, rec_gen=ip4_gen) ++ ++ def test_record_limit_AAAA(self): ++ def ip6_gen(i): ++ return "AAAA:0:0:0:0:0:0:" + str(i) ++ self.max_rec_test(rtype=dns.DNS_QTYPE_AAAA, rec_gen=ip6_gen) ++ ++ def test_record_limit_SRV(self): ++ def srv_gen(i): ++ rec = dns.srv_record() ++ rec.priority = 1 ++ rec.weight = 1 ++ rec.port = 92 ++ rec.target = "srvtestrec" + str(i) ++ return rec ++ self.max_rec_test(rtype=dns.DNS_QTYPE_SRV, rec_gen=srv_gen) ++ ++ # Same as test_record_limit_A but with a preceding CNAME follow ++ def test_cname_limit(self): ++ cname1 = "cnamelimittestrec." + self.get_dns_domain() ++ cname2 = "cnamelimittestrec2." + self.get_dns_domain() ++ cname3 = "cnamelimittestrec3." + self.get_dns_domain() ++ ip_prefix = '127.0.0.' ++ limit = 20 ++ num_recs_to_enter = limit + 5 ++ ++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME) ++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME) ++ num_arecs_to_enter = num_recs_to_enter - 2 ++ for i in range(1, num_arecs_to_enter+1): ++ ip = ip_prefix + str(i) ++ self.make_dns_update(cname3, ip, dns.DNS_QTYPE_A) ++ ++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) ++ questions = [] ++ ++ q = self.make_name_question(cname1, ++ dns.DNS_QTYPE_A, ++ dns.DNS_QCLASS_IN) ++ questions.append(q) ++ self.finish_name_packet(p, questions) ++ ++ response = self.dns_transaction_udp(p, host=self.server_ip) ++ ++ self.assertEqual(len(response.answers), num_recs_to_enter) ++ ++ # ANY query on cname record shouldn't follow the link ++ def test_cname_any_query(self): ++ cname1 = "cnameanytestrec." + self.get_dns_domain() ++ cname2 = "cnameanytestrec2." + self.get_dns_domain() ++ cname3 = "cnameanytestrec3." 
+ self.get_dns_domain() ++ ++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME) ++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME) ++ ++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) ++ questions = [] ++ ++ q = self.make_name_question(cname1, ++ dns.DNS_QTYPE_ALL, ++ dns.DNS_QCLASS_IN) ++ questions.append(q) ++ self.finish_name_packet(p, questions) ++ ++ response = self.dns_transaction_udp(p, host=self.server_ip) ++ ++ self.assertEqual(len(response.answers), 1) ++ self.assertEqual(response.answers[0].name, cname1) ++ self.assertEqual(response.answers[0].rdata, cname2) ++ + + class TestInvalidQueries(DNSTest): + +diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns +index 916afc1af85..a9b16eaac2a 100644 +--- a/selftest/knownfail.d/dns ++++ b/selftest/knownfail.d/dns +@@ -1,5 +1,15 @@ + # +-# rodc and vampire_dc require signed dns updates, so the test setup +-# fails, but the test does run on fl2003dc ++# rodc and vampire_dc require signed dns updates, so these tests' setups ++# fail, but they pass on fl2003dc + ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\) + ^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\) ++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\) 
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)
+--
+2.19.2
+
diff --git a/debian/patches/fix-rmdir.patch b/debian/patches/fix-rmdir.patch
new file mode 100644
index 00000000000..1db437695de
--- /dev/null
+++ b/debian/patches/fix-rmdir.patch
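Review bot: When `cname_depth >= MAX_Q_RECURSION_DEPTH` is hit in handle_dnsrpcrec_send, the request is completed with `tevent_req_done(req)` and nothing is logged, so a CNAME loop or over-long chain in zone data yields a normal-looking but truncated answer with no trace for the operator. A low-verbosity message at that branch would make the condition detectable, for example `DEBUG(2, ("CNAME chain depth limit reached, answer truncated\n"));` (DEBUG is used elsewhere in this tree; confirm it is in scope in dns_query.c). A short comment on the new parameter, such as `/* cname_depth: number of CNAME hops already followed; answer records are not counted */`, would also record why the check no longer uses talloc_array_length(*answers). The bodies of both *_send functions continue outside the hunks.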
@@ -0,0 +1,47 @@
+From: Anoop C S <anoo...@redhat.com>
+Date: Thu, 9 Aug 2018 12:28:41 +0530
+Subject: s3/libsmb: Explicitly set delete_on_close token for rmdir
+
+The current implementation of `rmdir` hopes to get the directory deleted
+on closing last open handle when FILE_DELETE_ON_CLOSE is set on it. But
+for non-empty directories Windows doesn't error out during an open call.
+Following that we internally refuse to set initial delete_on_close while
+opening a non-empty directory. This prevents us from trying to delete
+the directory when last open handle is closed.
+
+Instead of relying on FILE_DELETE_ON_CLOSE during an open we explicitly
+set delete_on_close token on directory handle once it is available. This
+ensures that NT_STATUS_DIRECTORY_NOT_EMPTY is returned for `rmdir` on
+non-empty directories while closing open directory handle.
+
+Applied-Upstream: https://github.com/samba-team/samba/commit/6b68e3eca631c04d6d57c489daf60f64732fc86d
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13204
+Bug-Debian: https://bugs.debian.org/915248
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1795772
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 237e6bb2b..d4ff8bd28 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -682,13 +682,20 @@ NTSTATUS cli_smb2_rmdir(struct cli_state *cli, const char *dname)
+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access */
+ FILE_OPEN, /* create_disposition */
+- FILE_DIRECTORY_FILE|FILE_DELETE_ON_CLOSE, /* create_options */
++ FILE_DIRECTORY_FILE, /* create_options */
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
++
++ status = cli_smb2_delete_on_close(cli, fnum, true);
++ if (!NT_STATUS_IS_OK(status)) {
++ cli_smb2_close_fnum(cli, fnum);
++ return status;
++ }
++
+ return cli_smb2_close_fnum(cli, fnum);
+ }
+
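Review bot: The new `cli_smb2_delete_on_close(cli, fnum, true)` call can only succeed if the handle was opened with delete permission, and the desired-access argument of the create call sits above the hunk, so confirm that it still requests DELETE now that FILE_DELETE_ON_CLOSE is gone from create_options. The reason for the two-step sequence lives only in the commit message; a comment above the call would keep it next to the code, e.g. `/* Set delete-on-close on the open handle: the create option is not applied for non-empty directories, so the failure has to surface here or at close. */`. cli_smb2_rmdir starts before the hunk.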
diff --git a/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch b/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
new file mode 100644
index 00000000000..f5aa194d7c5
--- /dev/null
+++ b/debian/patches/s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
@@ -0,0 +1,96 @@
+From 1606ab1baf02c8d3797fdc6f347af2c8552996a0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <me...@samba.org>
+Date: Tue, 4 Apr 2017 11:52:56 +0200
+Subject: [PATCH] s3:ntlm_auth: fix memory leak in manage_gensec_request()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736
+
+Signed-off-by: Stefan Metzmacher <me...@samba.org>
+Reviewed-by: Andreas Schneider <a...@samba.org>
+(cherry picked from commit e999b798c6484de3cddad988406f97fc4cc7af79)
+
+Bug-Debian: https://bugs.debian.org/919611
+---
+ source3/utils/ntlm_auth.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 84269a139a3..d35e8f050b6 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1290,6 +1290,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+
+ TALLOC_CTX *mem_ctx;
+
++ mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
++
+ if (*private1) {
+ state = (struct gensec_ntlm_state *)*private1;
+ } else {
+@@ -1307,6 +1309,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ if (strlen(buf) < 2) {
+ DEBUG(1, ("query [%s] invalid", buf));
+ x_fprintf(x_stdout, "BH Query invalid\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+
+@@ -1316,9 +1319,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ talloc_free(want_feature_list);
+ want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
+ x_fprintf(x_stdout, "OK\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+- in = base64_decode_data_blob(buf + 3);
++ in = base64_decode_data_blob_talloc(mem_ctx, buf + 3);
+ } else {
+ in = data_blob(NULL, 0);
+ }
+@@ -1331,7 +1335,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ } else if ( (strncmp(buf, "OK", 2) == 0)) {
+ /* Just return BH, like ntlm_auth from Samba 3 does. */
+ x_fprintf(x_stdout, "BH Command expected\n");
+- data_blob_free(&in);
++ talloc_free(mem_ctx);
+ return;
+ } else if ( (strncmp(buf, "TT ", 3) != 0) &&
+ (strncmp(buf, "KK ", 3) != 0) &&
+@@ -1343,12 +1347,10 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ (strncmp(buf, "GF", 2) != 0)) {
+ DEBUG(1, ("SPNEGO request [%s] invalid prefix\n", buf));
+ x_fprintf(x_stdout, "BH SPNEGO request invalid prefix\n");
+- data_blob_free(&in);
++ talloc_free(mem_ctx);
+ return;
+ }
+
+- mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
+-
+ /* setup gensec */
+ if (!(state->gensec_state)) {
+ switch (stdio_helper_mode) {
+@@ -1478,7 +1480,6 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ state->set_password,
+ CRED_SPECIFIED);
+ x_fprintf(x_stdout, "OK\n");
+- data_blob_free(&in);
+ talloc_free(mem_ctx);
+ return;
+ }
+@@ -1510,10 +1511,12 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ neg_flags = gensec_ntlmssp_neg_flags(state->gensec_state);
+ if (neg_flags == 0) {
+ x_fprintf(x_stdout, "BH\n");
++ talloc_free(mem_ctx);
+ return;
+ }
+
+ x_fprintf(x_stdout, "GF 0x%08x\n", neg_flags);
++ talloc_free(mem_ctx);
+ return;
+ }
+
+--
+2.19.2
+
diff --git a/debian/patches/series b/debian/patches/series
index d83fa0494bb..acf3faae401 100644
--- a/debian/patches/series
+++ b/debian/patches/series
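Review bot: The result of `talloc_named(NULL, 0, ...)`, now at the top of manage_gensec_request, is not checked in the visible lines, and `base64_decode_data_blob_talloc(mem_ctx, buf + 3)` would then allocate under the NULL context, which none of the added `talloc_free(mem_ctx)` calls releases. A guard right after the allocation closes that path, e.g. `if (mem_ctx == NULL) { x_fprintf(x_stdout, "BH No Memory\n"); return; }` (the reply text is a constructed example). Since every early return now has to carry its own `talloc_free(mem_ctx)`, any return after the new allocation that lies outside these hunks should be checked as well. The function body extends beyond the hunks shown.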
@@ -16,15 +16,10 @@ Add-documentation-to-systemd-Unit-files.patch
 fix_kill_path_in_units.patch
 nmbd-requires-a-working-network.patch
 provision-Update-root-DNS-servers-list.patch
-CVE-2017-12150-v4-5.patches.metze02.txt
-CVE-2017-12151-v4-5.patches.metze02.txt
-CVE-2017-12163-all-metze01.patch.txt
-s3-smbd-Chain-code-can-return-uninitialized-memory-w.patch
-s3-smbd-Fix-SMB1-use-after-free-crash-bug.-CVE-2017-.patch
-CVE-2018-1050-11343-4.5.patch
-CVE-2018-1057-v4-5.metze01.patches.txt
 CVE-2018-10919.patch
 CVE-2018-10858-4.6.patch
 CVE-2018-14629-v4-5.patch
 CVE-2018-16841-master.patch
 CVE-2018-16851-master.patch
+fix-rmdir.patch
+s3-ntlm_auth-fix-memory-leak-in-manage_gensec_reques.patch
diff --git a/debian/rules b/debian/rules
index 61271460f1b..fb4ad066066 100755
--- a/debian/rules
+++ b/debian/rules
@@ -209,7 +209,7 @@ override_dh_installchangelogs:
 override_dh_installinit:
 ifneq (,$(filter samba, $(shell dh_listpackages)))
 dh_installinit -psamba --name smbd
- dh_installinit -psamba --name nmbd
+ dh_installinit -psamba --name nmbd --error-handler nmbd_error_handler
 dh_installinit -psamba --name samba-ad-dc
 dh_installinit -psamba --noscripts
 dh_installinit -psamba --no-start --name reload-smbd
diff --git a/debian/samba.postinst b/debian/samba.postinst
index 787d8029986..e798f4fe19e 100644
--- a/debian/samba.postinst
+++ b/debian/samba.postinst
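Review bot: Seven entries are dropped from the series here, but the diff as shown contains no deletion of the corresponding files under debian/patches, so patches such as CVE-2017-12150-v4-5.patches.metze02.txt would stay in the tree unapplied. Stale CVE patch files make it harder to audit which fixes the package actually carries; remove them in the same upload if they are still present. The changelog entry would also benefit from naming the dropped patches, since "Drop merged patches" does not say which CVE fixes now come from the new upstream release.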
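Review bot: `--error-handler nmbd_error_handler` makes the maintainer-script snippets that dh_installinit generates for nmbd call that function on failure, and debhelper documents that the function has to be provided in both the postinst and the prerm, while this diff defines it only in debian/samba.postinst. If the package has a prerm that receives the nmbd stop snippet (not visible here), a failed stop would end in an undefined-function error rather than the intended handling. Define the same function in the prerm before `#DEBHELPER#`, or confirm that no prerm snippet is generated for nmbd.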
@@ -6,6 +6,23 @@ set -e +nmbd_error_handler() { + if [ -d /sys/class/net/lo ] && ls /sys/class/net | grep -qv ^lo$; then + # https://bugs.debian.org/893762 + echo 'WARNING: nmbd failed to start as there is no non-loopback interfaces available.' + echo 'Either add an interface or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"' + return 0 + elif command -v ip > /dev/null && ip a show | grep '^[[:space:]]*inet ' | grep -vq ' lo$'; then + # https://bugs.debian.org/859526 + echo 'WARNING: nmbd failed to start as there is no local IPv4 non-loopback interfaces available.' + echo 'Either add an IPv4 address or set "disable netbios = yes" in smb.conf and run "systemctl mask nmbd"' + return 0 + else + echo 'ERROR: nmbd failed to start.' + return 1 # caught by set -e + fi +} + # We generate several files during the postinst, and we don't want # them to be readable only by root. umask 022
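Review bot: Both tests in `nmbd_error_handler` look inverted relative to their messages: `grep -qv ^lo$` exits 0 when at least one entry other than `lo` exists, and `grep -vq ' lo$'` exits 0 when at least one `inet` line is not on `lo`, so the "no non-loopback interface" branches are taken exactly when such an interface or address is present. On an ordinary networked host any nmbd start failure would then be downgraded to a warning with `return 0`, hiding the real error from the package run. Negating the pipelines matches the stated intent: `if [ -d /sys/class/net/lo ] && ! ls /sys/class/net | grep -qv '^lo$'; then` and `elif command -v ip > /dev/null && ! ip a show | grep '^[[:space:]]*inet ' | grep -vq ' lo$'; then`. Quoting `'^lo$'` also keeps the pattern away from the shell.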