Your message dated Tue, 22 Nov 2016 16:46:45 +0000
with message-id <[email protected]>
and subject line Re: [Pkg-samba-maint] Bug#845342: samba-common-bin: nmblookup 
broken over routed connection?
has caused the Debian Bug report #845342,
regarding samba-common-bin: nmblookup broken over routed connection?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
845342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba-common-bin
Version: 2:4.2.10+dfsg-0+deb8u3
Severity: important
Tags: upstream

Today we had the (very!) rare chance to restart all our Windows 2012 domain
controllers and to apply all outstanding Windows updates of the past few
months.

Since then nmblookup is no longer able to look up names or IP addresses when the
target is accessible over a routed connection only. It works well when the
target is in the same subnet. We use nmblookup on a daily basis, and until
yesterday it worked. So I guess that one of the Windows updates is responsible
for this new behaviour (maybe CVE-2016-3236).

Looking up the domain controllers' port 137 UDP (which is used by nmblookup)
with nmap on a routed connection shows the port as closed. Looking up the same
port on a direct connection shows it as open. This behaviour seems not to be
linked to the Windows firewall.

I may be hunting a ghost, but if not, it might be a good idea to consider
nmblookup dead and either mark it as deprecated or better remove it from the
package. There are other ways to find domain controllers and their addresses.

Unfortunately I have no idea which other packages might depend on nmblookup.
In my case it was basic_smb_auth.sh in package squid3, which no longer works
(so I replaced the lookups with static entries).



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba-common-bin depends on:
ii  libbsd0        0.7.0-2
ii  libc6          2.19-18+deb8u6
ii  libldap-2.4-2  2.4.40+dfsg-1+deb8u2
ii  libncurses5    5.9+20140913-1+b1
ii  libpopt0       1.16-10
ii  libreadline6   6.3-8+b3
ii  libtalloc2     2.1.2-0+deb8u1
ii  libtdb1        1.3.6-0+deb8u1
ii  libtevent0     0.9.25-0+deb8u1
ii  libtinfo5      5.9+20140913-1+b1
ii  libwbclient0   2:4.2.10+dfsg-0+deb8u3
ii  python         2.7.9-1
ii  python-samba   2:4.2.10+dfsg-0+deb8u3
pn  python2.7:any  <none>
ii  samba-common   2:4.2.10+dfsg-0+deb8u3
ii  samba-libs     2:4.2.10+dfsg-0+deb8u3

samba-common-bin recommends no packages.

Versions of packages samba-common-bin suggests:
pn  heimdal-clients  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
On Tue, Nov 22, 2016 at 05:17:09PM +0100, herrmann wrote:
> Package: samba-common-bin
> Version: 2:4.2.10+dfsg-0+deb8u3
> Severity: important
> Tags: upstream
> 
> Today we had the (very!) rare chance to restart all our Windows 2012 domain
> controllers and to apply all outstanding Windows updates of the past few
> months.
> 
> Since then nmblookup is no longer able to look up names or IP addresses when
> the target is accessible over a routed connection only. It works well when the
> target is in the same subnet. We use nmblookup on a daily basis, and until
> yesterday it worked. So I guess that one of the Windows updates is
> responsible for this new behaviour (maybe CVE-2016-3236).
> 
> Looking up the domain controllers' port 137 UDP (which is used by nmblookup)
> with nmap on a routed connection shows the port as closed. Looking up the same
> port on a direct connection shows it as open. This behaviour seems not to be
> linked to the Windows firewall.
> 
> I may be hunting a ghost, but if not, it might be a good idea to consider
> nmblookup dead and either mark it as deprecated or better remove it from the
> package. There are other ways to find domain controllers and their addresses.
> 
> Unfortunately I have no idea which other packages might depend on nmblookup.
> In my case it was basic_smb_auth.sh in package squid3, which no longer works
> (so I replaced the lookups with static entries).

This is not a bug on the Samba side.

nmblookup is a tool that can look up NetBIOS names, which it can still do.
Other versions of Windows and Samba itself still do support NetBIOS.

--- End Message ---
