Bug#993014: [Pkg-samba-maint] Processed: Re: cifs-utils non-parallel FTBFS
> I think both are wrong but both do the job.

Yes, I think so too, but that's not something I can do.
This "fix" works fine so far, but yeah, upstream should fix it.

> Now, the question is: do we need to fix this for bullseye?
> It smells like there's no need to, no?

No, not that I can think of; the current bullseye version builds as far as I know, but I hardly do cifs-utils packages. It's only that I needed it now on 1 server.

The shown fix, commit aeaa786aceb0ea781ded2c151fb68f6b34880ad4, is the patch I added, and cifs-utils 7.0 also fails to build without that patch with parallel=1.

And yes, we can leave the Bullseye versions alone, but it would be nice to add this one to unstable.
At least the patch fixed this bug report.

Greetz,

Louis

> -----Original message-----
> From: Pkg-samba-maint lists.debian.net> On behalf of Debian Bug Tracking System
> Sent: Thursday 25 August 2022 10:15
> To: Michael Tokarev
> CC: pkg-samba-ma...@lists.alioth.debian.org
> Subject: [Pkg-samba-maint] Processed: Re: cifs-utils non-parallel FTBFS
>
> Processing control commands:
>
> > tag -1 + pending
> Bug #993014 [src:cifs-utils] cifs-utils non-parallel FTBFS
> Added tag(s) pending.
>
> --
> 993014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993014
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-samba-maint

Bug#993014: cifs-utils non-parallel FTBFS
I can confirm the patch works.

I've tested on a Debian Bullseye build with cifs-utils 7.0 from https://ftp.samba.org/pub/linux-cifs/cifs-utils/

I refreshed patch 001 and added the patch shown by Helmut.
And I built against Debian Bullseye with parallel=7 and parallel=1.

Only I can't upload the sources to salsa.. Sorry.

@Michael Tokarev can you add this one?
I can put the build and logs online if you want.

Greetz,

Louis

Bug#1009998: [Pkg-samba-maint] Processed: Re: Bug#1009998: gvfs-backends: Unable to access smb://host/sharing on any file manager after upgrade
Michael,

For the above link/bug reports, which point to:
https://gitlab.com/samba-team/samba/-/commit/34771e1931587807d0395c7ac7f4be18654997f4

This fix is already included in 4.16.2.
I've just verified the source of 4.16.2.

Greetz,

Louis

> -----Original message-----
> From: Pkg-samba-maint lists.debian.net> On behalf of Debian Bug Tracking System
> Sent: Wednesday 15 June 2022 12:27
> To: Michael Tokarev
> CC: pkg-samba-ma...@lists.alioth.debian.org
> Subject: [Pkg-samba-maint] Processed: Re: Bug#1009998: gvfs-backends: Unable to access smb://host/sharing on any file manager after upgrade
>
> Processing control commands:
>
> > tag -1 + moreinfo
> Bug #1009998 [src:samba] gvfs-backends: Unable to access smb://host/sharing on any file manager after upgrade
> Added tag(s) moreinfo.
>
> --
> 1009998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009998
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

Bug#947245: [Pkg-samba-maint] Bug#947245: more infos
Not a bug, try

wbinfo --getdcname=internal.domain.tld

Then it queries the hostname within the AD domain, and not the NETBIOS domain name.

wbinfo --help shows it, really:

--getdcname=domainname    Get a DC name for a foreign domain

I agree, the use of words here could be better.

Greetz,

Louis

> -----Original message-----
> From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.debian.net] On behalf of Piviul
> Sent: Wednesday 8 January 2020 10:17
> To: 947...@bugs.debian.org
> Subject: [Pkg-samba-maint] Bug#947245: more infos
>
> Hi, I add some more infos to the bug hoping will be useful to shoot the
> problem. Using wbinfo command line program in a pc joined to the domain
> and dist-upgraded to bullseye I can see that some parameters return
> correctly, other doesn't. For example --domain-info option or
> --dsgetdcname shows the correct return value but --getdcname doesn't:
>
> $ wbinfo --getdcname DOMINIOCSA
> Could not get dc name for DOMINIOCSA
>
> But winbind service seems to be started correctly:
>
> $ systemctl status winbind.service
> ??? winbind.service - Samba Winbind Daemon
>    Loaded: loaded (/lib/systemd/system/winbind.service; enabled; vendor prese>
>    Active: active (running) since Wed 2020-01-08 08:41:40 CET; 20min ago
>      Docs: man:winbindd(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 494 (winbindd)
>    Status: "winbindd: ready to serve connections..."
>     Tasks: 5 (limit: 1144)
>    Memory: 16.3M
>    CGroup: /system.slice/winbind.service
>            ??494 /usr/sbin/winbindd --foreground --no-process-group
>            ??510 winbindd: domain child [DEBIAN64BIT]
>            ??511 winbindd: idmap child
>            ??512 winbindd: domain child [BUILTIN]
>            ??553 /usr/sbin/winbindd --foreground --no-process-group
>
> I'm a little bit confused...
>
> Have a great year
>
> Piviul

Bug#940963: [Pkg-samba-maint] Bug#940963: Bug#940963: samba doesn't start anymore
Hai,

If people want a temporary fix for this one:
add my repo for 4.10 (built for buster)

wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
echo "deb http://apt.van-belle.nl/debian buster-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

Or pull the needed packages from there and rebuild them yourself.
These are backports of the official Debian packages, or made with the same settings.

A quick peek in:
https://apt.van-belle.nl/current-packages-in-buster-samba410-apt.txt
shows
buster-samba410|main|amd64: python-talloc 2.1.16-0nmu1~deb10

And the changelog with its changes:
http://downloads.van-belle.nl/samba4/Buildlogs/buster/talloc_2.1.16-0nmu1~deb10_amd64.changes

Changes:
 talloc (2.1.16-0nmu1~deb10) buster; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for Debian Buster (10)
   * d/control bump python3-dev depends to (>=3.7)
   * d/python-talloc.* changed python 35 to 37.

So they are easy to pick up if you want/need them.

Best regards,

Louis

> -----Original message-----
> From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.debian.net] On behalf of Mathieu Parent
> Sent: Monday 23 September 2019 14:54
> To: Elimar Riesebieter
> CC: 940...@bugs.debian.org
> Subject: [Pkg-samba-maint] Bug#940963: Bug#940963: samba doesn't start anymore
>
> On Sun, 22 Sept 2019 at 19:27, Elimar Riesebieter wrote:
> >
> > Control: severity -1 grave
> > Control: reassign -1 samba-common-bin
> >
> > * Elimar Riesebieter [2019-09-22 13:00 +0200]:
> >
> > > Package: samba
> > > Version: 2:4.10.8+dfsg-1
> > > Severity: normal
> > >
> > >
> > > This server runs sysvinit!
> > >
> > > [2019/09/22 12:44:28.672896, 0] ../../source3/smbd/server.c:1850(main)
> > >   server role = 'active directory domain controller' not compatible with running smbd standalone.
> > >   You should start 'samba' instead, and it will control starting smbd if required
> > > [2019/09/22 12:44:30.809747, 0] ../../source3/nmbd/nmbd.c:921(main)
> > >   server role = 'active directory domain controller' not compatible with running nmbd standalone.
> > >   You should start 'samba' instead, and it will control starting the internal nbt server
> >
> > /etc/init.d/samba-ad-dc calls
> > 'samba-tool testparm --parameter-name="server role"' which fails
> > with:
> >
> > Traceback (most recent call last):
> >   File "/bin/samba-tool", line 33, in
> >     from samba.netcmd.main import cmd_sambatool
> >   File "/usr/lib/python3/dist-packages/samba/__init__.py", line 29, in
> >     import samba.param
> > ImportError: /lib/x86_64-linux-gnu/libpytalloc-util.cpython-37m-x86-64-linux-gnu.so.2: version `PYTALLOC_UTIL.PY3_2.1.6' not found (required by /usr/lib/python3/dist-packages/samba/param.cpython-37m-x86_64-linux-gnu.so)
>
> Yes, talloc from samba 4.11 was uploaded, this usually doesn't
> introduce pain. But this time (they dropped python2 support) it was.
>
> Maybe a samba rebuild would help. I hope that ldb will pass NEW fast...
>
> Regards
>
> --
> Mathieu Parent

Bug#931688: smbclient: Unable to initialize messaging context
Hai,

Can you install `libsmbclient` first and try again?

And can you share your smb.conf (anonymize where needed)?
It looks like you're using old settings:

WARNING: The "syslog" option is deprecated

Regards,

Louis

Bug#939542: [Pkg-samba-maint] Bug#939542: denial of service and possible other security implications by giving wrong kerberos ticket cache file to other users.
Hai,

I suggest you upgrade to Debian buster and try it again on 4.9.5 at least.

Note, if needed you can also test this with my packages if you don't want to upgrade to buster.
I build these packages for the samba list users; these are "almost" the same.

My output of an ssh login (SSO) and the generated keytab, as you can see here:

-rw------- 1 username domain users 1808 Sep 6 09:16 krb5cc_90001_A083ivUNwk

The keytab is set so that only the user can read it, and its filename is randomized.

As far as I'm concerned this is addressed, but maybe just not in stretch.

Best regards,

Louis

> -----Original message-----
> From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.debian.net] On behalf of Erik Thiele
> Sent: Friday 6 September 2019 9:14
> To: sub...@bugs.debian.org
> Subject: [Pkg-samba-maint] Bug#939542: denial of service and possible other security implications by giving wrong kerberos ticket cache file to other users.
>
> Package: libpam-winbind
> Version: 2:4.5.16+dfsg-1+deb9u2
> Severity: important
>
> I am using a samba 4 as active directory domain controller in a basic
> configuration as defined in the official samba 4 wiki. I added two
> users:
>
> root@seclag:/etc# id aduser
> uid=30106(aduser) gid=30099(domain users) Gruppen=30099(domain users),70002(BUILTIN\users)
>
> root@seclag:/etc# id user2
> uid=30100(user2) gid=30099(domain users) Gruppen=30099(domain users),70002(BUILTIN\users)
>
> the only computer added to the active directory is the linux machine
> "seclag". It uses a basic libpam-winbind based configuration without
> any changes to the default pam stack configuration. using
> libpam-winbind is suggested by the official samba4 wiki.
>
> in /etc/pam.d/common-auth we find:
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>
> this pam line is responsible for creating the file /tmp/krb5cc_30100 if
> the user "user2" with uid 30100 is logging in on the console. this can
> be shown by replacing krb5_ccache_type=FILE above with
> krb5_ccache_type=FILE:/tmp/mydebug_%u because if you do so, the system
> is creating /tmp/mydebug_30100 instead.
>
> see:
>
> user2@seclag:~$ klist
> Ticket cache: FILE:/tmp/mydebug_30100 <-- here!
> Default principal: us...@xx.mydomain.de
>
> let's revert back to using the normal /tmp/krb5cc_* system as is
> configured by default. the example above was just to show that
> pam_winbind is responsible for creating the problematic situation shown
> in the following:
>
> let's login as user "adtest" with uid 30106:
>
> aduser@seclag:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_30106
> Default principal: adu...@xx.mydomain.de
>
> see, the default principal is just fine. we have the right kerberos key
> installed. now let's create a fake ticket cache for user2:
>
> aduser@seclag:~$ export =/tmp/krb5cc_30100
> # 30100 is the uid of user "user2"
>
> aduser@seclag:~$ kinit aduser
> Password for adu...@xx.mydomain.de:
> aduser@seclag:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_30100
> Default principal: adu...@xx.mydomain.de
>
> ok we now created a new ticket cache with our key inside. all right.
> now logout and login as user "user2":
>
> user2@seclag:~$ klist
> klist: Credentials cache permissions incorrect (filename: /tmp/krb5cc_30100)
>
> ok so user "aduser" created a denial of service situation for user
> "user2"! let's see if we can do more bad things. log in as user
> "aduser" again:
>
> aduser@seclag:~$ chmod 666 /tmp/krb5cc_30100
>
> now try again as user "user2":
>
> user2@seclag:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_30100
> Default principal: adu...@xx.mydomain.de
>
> see? user "user2" now has the kerberos key of user "aduser"
> installed. The system is silently taking the keys someone else has
> installed!
>
> I am not quite sure how to fix this correctly, but:
>
> pam_winbind certainly must not simply take an existing file which is
> owned by an other user! it must instead remove that file and create it
> correctly (but take care of race conditions!). the other alternative
> would be to just fail, but then a user can deny service of other users
> simply by creating /tmp/krb5cc_UID_OF_OTHER_USER. so the correct
> solution is to remove that file and create it correctly. thereby
> correctly taking care of possible symlink attacks and other bad stuff.
> removing the file may be complicated if another user created a
> directory with that name.
>
> I am unsure what kind of bad things can be done due to this bug. but on
> our site every user can do a denial of service against all other system
> users (which have not logged on since cleaning of /tmp) with this
> command:
>
> for a in $(seq 3 30200); do touch /tmp/krb5cc_$a; done
>
> denial of service is only relevant to kerberos. thus if a user does a
> kerberized cifs mount then it will not work. the other parts of

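Editorial example, added here and not part of the thread or of Samba's pam_winbind source: the two defensive behaviours discussed above, written as C helpers. `ccache_check` refuses an existing cache that is a symlink, not a regular file, owned by someone else, or readable by group/other; `ccache_create` makes a fresh cache with a randomized name like the one in the reply. The helper names, the status enum and the use of `/tmp` in `main` are assumptions made for illustration.

```c
/* Added example, not Samba or pam_winbind code: helper names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum cc_status { CC_OK, CC_MISSING, CC_NOT_REGULAR, CC_WRONG_OWNER, CC_BAD_MODE, CC_ERROR };

/* Decide whether an existing FILE: cache at `path` may be used for `uid`. */
enum cc_status ccache_check(const char *path, uid_t uid)
{
    struct stat st;
    enum cc_status rc = CC_OK;
    /* O_NOFOLLOW rejects a symlink planted in /tmp; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ENOENT) return CC_MISSING;
        return errno == ELOOP ? CC_NOT_REGULAR : CC_ERROR;
    }
    /* fstat() the descriptor, not the name, so the file cannot be swapped after the check. */
    if (fstat(fd, &st) != 0)
        rc = CC_ERROR;
    else if (!S_ISREG(st.st_mode))
        rc = CC_NOT_REGULAR;            /* directory, FIFO, device ... */
    else if (st.st_uid != uid)
        rc = CC_WRONG_OWNER;            /* pre-created by another user */
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = CC_BAD_MODE;               /* e.g. after "chmod 666" */
    close(fd);
    return rc;
}

/* Create a fresh cache with an unpredictable name, like krb5cc_90001_A083ivUNwk. */
int ccache_create(const char *dir, uid_t uid, char *out, size_t outlen)
{
    int fd, n = snprintf(out, outlen, "%s/krb5cc_%lu_XXXXXX", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen) return -1;
    fd = mkstemp(out);                  /* O_CREAT|O_EXCL, mode 0600: never reuses a file */
    if (fd < 0) return -1;
    /* A privileged caller (a PAM module runs as root) hands the file to the user. */
    if (geteuid() == 0 && fchown(fd, uid, (gid_t)-1) != 0) {
        close(fd);
        unlink(out);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[256];
    int fd = ccache_create("/tmp", getuid(), path, sizeof path);
    if (fd < 0) { perror("ccache_create"); return 1; }
    close(fd);
    printf("%s -> status %d\n", path, (int)ccache_check(path, getuid()));
    unlink(path);
    return 0;
}
```

Any result other than `CC_OK` means the existing file must not be trusted; an unprivileged caller that cannot open another user's 0600 file gets `CC_ERROR`, which is equally a refusal.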
Bug#929268: [Pkg-samba-maint] Bug#929268: More Info
Hai,

Ok, well if that's the case, then the patch found by Mathieu is the correct one.

Yes, you can disable NT1 and yes, that might block legit access also.
That depends on your setup: where do you use what? I don't know that.

So you could wait for that or try these settings:

min protocol = NT1
max protocol = SMB2

I do advise firewalling the ports also, at least until the Debian patch for 4.5 is in.

Best regards,

Louis

> -----Original message-----
> From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.debian.net] On behalf of rollop...@gmail.com
> Sent: Wednesday 22 May 2019 8:35
> To: 929...@bugs.debian.org
> Subject: [Pkg-samba-maint] Bug#929268: More Info
>
> For now, the problem has only occurred with servers that have SMB ports
> accessible from the outside.
> I imagine that someone (suspicious) tries to access using NT1, can I
> block access using the "min protocol" option or this could block
> authorized accesses as well?
>
> Thanks

Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
Hai Vincent,

Yes, that is correct.

/var/lib/samba/ntp_signd/socket rw,

is sufficient.

Greetz,

Louis

> -----Original message-----
> From: Vincent Blut [mailto:vincent.deb...@free.fr]
> Sent: Tuesday 14 May 2019 15:54
> To: Louis van Belle; 928...@bugs.debian.org
> CC: Debian Bug Tracking System
> Subject: Re: Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp
>
> Hi Louis,
>
> So According to the information gleaned in #928168¹, adding a rule to
> allow read access to winbindd pipe doesn’t seem necessary‽
> As far as I can see from my local tests, only read/write access to
> /var/lib/samba/ntp_signd/socket is needed. Could you please confirm?
>
> If so, chronyd’s Apparmor profile should just include (for samba ofc):
> /var/lib/samba/ntp_signd/socket rw,
>
> Cheers,
> Vincent
>
> ¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928168

Bug#928168: ntp: Wrong path in apparmor profile for samba
Hai,

Thank you all for the replies.

As said, I don't use apparmor, so yes, most of what is below were assumptions.
That's why I've asked for verification; we (I) can't know everything.

What I did was, I looked at Ubuntu's setting and Debian's setting and added both, so people on the samba list were helped and got their samba running.

And as you guys showed, the used setting is overkill, so that is the part I wanted to get fixed.

I'm running and testing on stretch, but apparmor is not installed on any of my systems, and that is also not going to happen.

What I can say/confirm (Debian 9):

rgrep samba /etc/apparmor.d/
/etc/apparmor.d/usr.sbin.ntpd:  # samba4 ntp signing socket
/etc/apparmor.d/usr.sbin.ntpd:  /{,var/}run/samba/ntp_signd/socket rw,

Now, Bernhard also showed that the current setting isn't correct/not working as it should, because the current path is wrong.

So if I understand the apparmor setting, all we need is:

So this is currently in Debian 9 (wrong path):

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

And based on the info you showed, I can say we only need:

  # samba4 ntp signing socket
  /var/lib/samba/ntp_signd/{,*} rw,

Or

  # samba4 ntp signing socket
  /var/lib/samba/ntp_signd/ r,
  /var/lib/samba/ntp_signd/socket rw,

Or

  # samba4 ntp signing socket
  /var/lib/samba/ntp_signd/socket rw,

If the last one gets passed through the folder via the RW on the socket, then the last is the preferred one.
Let's say, the preferred one is of course the most secure one.

Last thing I noticed (thanks Bernhard for this):

sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = 0

How does apparmor handle the // as shown? Is that ignored or seen as / ?
Because if that's not handled by apparmor, I'll notify the samba devs.
Yes, that's me too, but I'm not a coder.

All other parts can be removed (the winbind parts).
These are not used, as is shown.

> BTW: Do you use the samba profiles from upstream AppArmor?
> - If so, please contribute your additions upstream at
>   https://gitlab.com/apparmor/apparmor/
> - If not - why? ;-)

I don't use it at all, and it isn't even installed in my setup.
I set up with expert, and only choose ssh-server at tasksel.
So a nice and very clean server, which is what I prefer.

Best regards,

Louis

Bug#928168: ntp: Wrong path in apparmor profile for samba
Hai,

We got reports of this on the samba list.
See: https://www.spinics.net/lists/samba/msg156739.html

And I verified the user's problem and also noticed the wrong path, and reported it as a fix with the change.

You said you did follow the wiki, which part?
Is Windows in your test case syncing time over AD? Or the ntp protocol?

Do note, tested on Ubuntu 18.04, and I verified the paths also on Debian 9.
These tests are done against Samba 4.10.2 ubuntu/debian packages from my repo.

The PCs always get the time from AD, so that that works is correct, but if the time offsets and it needs to correct it, then you should see the deny message of apparmor.

I personally don't use apparmor, just don't like it, it is annoying..

Now you might think, oh, Ubuntu, that's not Debian; well, I use Debian as the base for all my packaging and testing.

Best regards,

Louis

> -----Original message-----
> From: Bernhard Schmidt [mailto:be...@debian.org]
> Sent: Tuesday 30 April 2019 10:05
> To: Louis van Belle; 928...@bugs.debian.org
> Subject: Re: Bug#928168: ntp: Wrong path in apparmor profile for samba
>
> Control: tags -1 + moreinfo
>
> On 29.04.19 at 11:18, Louis van Belle wrote:
>
> Hi,
>
> > Hello, after a few messages on the samba list we discovered a wrong path in the apparmor profiles of ntp.
> >
> > File : /etc/apparmor.d/usr.sbin.ntpd
> > Wrong:
> >   # samba4 ntp signing socket
> >   /{,var/}run/samba/ntp_signd/socket rw,
> >
> > Correct:
> >   # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
> >   /var/lib/samba/ntp_signd r,
> >   /var/lib/samba/ntp_signd/{,*} rw,
> >
> >   # samba4 winbindd pipe
> >   /{,var/}run/samba/winbindd r,
> >   /{,var/}run/samba/winbindd/pipe r,
> >
> >   # samba4 winbindd_privileged pipe ? Needed, not sure here.
> >   /var/lib/samba/winbindd_privileged r,
> >   /var/lib/samba/winbindd/pipe r,
> >
> > please verify the last one, im not a coder, sorry.
> > Now, above changes are important to have before the buster release,
> > because it could stop the timesync of domain joined pc's.
>
> Thanks for the report.
>
> Could you give us some more details about that testcase? I can see that
> the path in the AppArmor profile is wrong, but still I followed
> https://wiki.samba.org/index.php/Time_Synchronisation on my personal
> Samba AD DC. There is only one Win7 PC joined to it. I could see it
> syncing with NTP to the DC. The NTP response had some keying stuff in
> it. And I did not see an error on the client in the event log. All that
> with an unadjusted AppArmor profile, which means it should have logged a
> DENY on the ntp_signd socket.
>
> Bernhard

Bug#926474: smbclient: Can browse samba shares as root but not as user
Hai,

Based on what I see here:

1) running Dolphin as user, opening /Network/Shared Folders (SMB) I get an empty window

For this I suggest you first try this setting on the Debian server in smb.conf:

client max protocol = NT1

If that works, also try the following, and keep the highest that works:

client max protocol = SMB2

2) addressing Dolphin to open smb://casa(=workgroup) I get the error warning

Report this also @Dolphin/KDE; the network browser part is probably still at SMB1, while samba 4.9.5 defaults to SMB3.
See: https://phabricator.kde.org/D18878

3) but if I address Dolphin to directly go to smb://(remote host) or smb://(user)@(remote host) then - after being requested and giving the password - I CAN ACCESS the remote shares, and, as far as I could see, I can fully operate r/w as allowed in smb.conf.

Greetz,

Louis

Bug#742182: samba-tool gpo aclcheck always fails with uncaught exception error
Please reopen, not fixed in 4.8.9 and 4.9.4. Best regards, Louis
Bug#918432: [Pkg-samba-maint] Bug#918432: samba: net ads join to armel arch Samba DC failed
Hai,

Can the TS post the configs of both servers also?

Please show:
/etc/hosts
/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

Greetz,

Louis