** Description changed: [Impact] - * An explanation of the effects of the bug on users and + Samba in AD mode refuses to start when the smb.conf file contains an + include line with a variable substitution like "include = + /etc/samba/smb.conf.%U" - * justification for backporting the fix to the stable release. + This happens because the initscript calls "samba-tool testparm" to + obtain a configuration parameter from smb.conf, and this testparm tool + fails because it doesn't expand the %U macro and fails to read + "/etc/samba/smb.conf." (note the ending dot). - * In addition, it is helpful, but not required, to include an - explanation of how the upload fixes this bug. + Note that "samba-tool testparm" is different from just "testparm". The + latter doesn't fail. We could just replace one with the other in the + initscript, but later on in the process of provisioning an AD controller + this error is encountered again, so it's best to fix it properly. [Test Case] - * detailed instructions how to reproduce the bug + * install samba: + sudo apt install samba - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package fixes - the problem. + * create /etc/samba/smb.conf with this content: + [global] + netbios name = samba + log file = /var/log/samba/log.%m + map to guest = Bad User + max log size = 1000 + obey pam restrictions = Yes + pam password change = Yes + panic action = /usr/share/samba/panic-action %d + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + passwd program = /usr/bin/passwd %u + server string = %h server (Samba, Ubuntu) + unix password sync = Yes + usershare allow guests = Yes + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U + + * run the command that fails: + ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt + ERROR: Unable to load default file + ubuntu@trusty-samba-include:~$ echo $? + 255 + + * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file. + ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt + # Global parameters + [global] + netbios name = SAMBA + server string = %h server (Samba, Ubuntu) + map to guest = Bad User + obey pam restrictions = Yes + pam password change = Yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + unix password sync = Yes + log file = /var/log/samba/log.%m + max log size = 1000 + usershare allow guests = Yes + panic action = /usr/share/samba/panic-action %d + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U + ubuntu@trusty-samba-include:~$ echo $? + 0 + [Regression Potential] - * discussion of how regressions are most likely to manifest as a result + * discussion of how regressions are most likely to manifest as a result of this change. - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the + event of a regression. - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance - + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance [Original Description] Samba refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" According to the man page for smb.conf, all but a few specific variable substitutions should work. include (G) This allows you to include one config file inside another. The file is included literally, as though typed in place. It takes the standard substitutions, except %u, %P and %S. The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares. Default: include = Example: include = /usr/local/samba/lib/admin_smb.conf It is probably related to this bug in samba: https://bugzilla.samba.org/show_bug.cgi?id=10722 Description: Ubuntu 16.04 LTS Release: 16.04 samba: Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Version table: *** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500 500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 100 /var/lib/dpkg/status 2:4.3.8+dfsg-0ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
** Description changed: [Impact] Samba in AD mode refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" This happens because the initscript calls "samba-tool testparm" to obtain a configuration parameter from smb.conf, and this testparm tool fails because it doesn't expand the %U macro and fails to read "/etc/samba/smb.conf." (note the ending dot). Note that "samba-tool testparm" is different from just "testparm". The latter doesn't fail. We could just replace one with the other in the initscript, but later on in the process of provisioning an AD controller this error is encountered again, so it's best to fix it properly. + The patch is straight from an upstream commit, and that code is in place + in the samba packages from bionic and cosmic already. + [Test Case] * install samba: sudo apt install samba * create /etc/samba/smb.conf with this content: [global] - netbios name = samba - log file = /var/log/samba/log.%m - map to guest = Bad User - max log size = 1000 - obey pam restrictions = Yes - pam password change = Yes - panic action = /usr/share/samba/panic-action %d - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - passwd program = /usr/bin/passwd %u - server string = %h server (Samba, Ubuntu) - unix password sync = Yes - usershare allow guests = Yes - idmap config * : backend = tdb - include = /etc/samba/smb.conf.%U + netbios name = samba + log file = /var/log/samba/log.%m + map to guest = Bad User + max log size = 1000 + obey pam restrictions = Yes + pam password change = Yes + panic action = /usr/share/samba/panic-action %d + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + passwd program = /usr/bin/passwd %u + server string = %h server (Samba, Ubuntu) + unix password sync = Yes + usershare allow guests = Yes + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U * run the command that fails: ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt ERROR: Unable to load default file ubuntu@trusty-samba-include:~$ echo $? 255 * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file. ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt # Global parameters [global] - netbios name = SAMBA - server string = %h server (Samba, Ubuntu) - map to guest = Bad User - obey pam restrictions = Yes - pam password change = Yes - passwd program = /usr/bin/passwd %u - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - unix password sync = Yes - log file = /var/log/samba/log.%m - max log size = 1000 - usershare allow guests = Yes - panic action = /usr/share/samba/panic-action %d - idmap config * : backend = tdb - include = /etc/samba/smb.conf.%U + netbios name = SAMBA + server string = %h server (Samba, Ubuntu) + map to guest = Bad User + obey pam restrictions = Yes + pam password change = Yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + unix password sync = Yes + log file = /var/log/samba/log.%m + max log size = 1000 + usershare allow guests = Yes + panic action = /usr/share/samba/panic-action %d + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U ubuntu@trusty-samba-include:~$ echo $? 0 - [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] Samba refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" According to the man page for smb.conf, all but a few specific variable substitutions should work. include (G) This allows you to include one config file inside another. The file is included literally, as though typed in place. It takes the standard substitutions, except %u, %P and %S. The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares. Default: include = Example: include = /usr/local/samba/lib/admin_smb.conf It is probably related to this bug in samba: https://bugzilla.samba.org/show_bug.cgi?id=10722 Description: Ubuntu 16.04 LTS Release: 16.04 samba: Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Version table: *** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500 500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 100 /var/lib/dpkg/status 2:4.3.8+dfsg-0ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages ** Description changed: [Impact] Samba in AD mode refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" This happens because the initscript calls "samba-tool testparm" to obtain a configuration parameter from smb.conf, and this testparm tool - fails because it doesn't expand the %U macro and fails to read - "/etc/samba/smb.conf." (note the ending dot). + fails because it doesn't expand the %U macro and fails to read the + literal filename. Note that "samba-tool testparm" is different from just "testparm". The latter doesn't fail. We could just replace one with the other in the initscript, but later on in the process of provisioning an AD controller this error is encountered again, so it's best to fix it properly. The patch is straight from an upstream commit, and that code is in place in the samba packages from bionic and cosmic already. [Test Case] * install samba: sudo apt install samba * create /etc/samba/smb.conf with this content: [global] netbios name = samba log file = /var/log/samba/log.%m map to guest = Bad User max log size = 1000 obey pam restrictions = Yes pam password change = Yes panic action = /usr/share/samba/panic-action %d passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . passwd program = /usr/bin/passwd %u server string = %h server (Samba, Ubuntu) unix password sync = Yes usershare allow guests = Yes idmap config * : backend = tdb include = /etc/samba/smb.conf.%U * run the command that fails: - ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt + ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2 + lpcfg_load: refreshing parameters from /etc/samba/smb.conf + Can't find include file /etc/samba/smb.conf.%U ERROR: Unable to load default file ubuntu@trusty-samba-include:~$ echo $? 255 + Note the debug level 2 message saying the include file couldn't be + found. + * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file. - ubuntu@trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt + ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2 --suppress-prompt + lpcfg_load: refreshing parameters from /etc/samba/smb.conf + Tried to load /etc/samba/smb.conf.%U but variable substitution in filename, ignoring file. # Global parameters [global] - netbios name = SAMBA - server string = %h server (Samba, Ubuntu) - map to guest = Bad User - obey pam restrictions = Yes - pam password change = Yes - passwd program = /usr/bin/passwd %u - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - unix password sync = Yes - log file = /var/log/samba/log.%m - max log size = 1000 - usershare allow guests = Yes - panic action = /usr/share/samba/panic-action %d - idmap config * : backend = tdb - include = /etc/samba/smb.conf.%U + netbios name = SAMBA + server string = %h server (Samba, Ubuntu) + map to guest = Bad User + obey pam restrictions = Yes + pam password change = Yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + unix password sync = Yes + log level = 2 + log file = /var/log/samba/log.%m + max log size = 1000 + usershare allow guests = Yes + panic action = /usr/share/samba/panic-action %d + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U ubuntu@trusty-samba-include:~$ echo $? 0 + We can also see the new debugging message saying that the include file + was ignored because of the variable substitution. + + [Regression Potential] - - * discussion of how regressions are most likely to manifest as a result - of this change. - - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. - - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + If you happen to include a filename that has an actual "%" in its name, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] Samba refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" According to the man page for smb.conf, all but a few specific variable substitutions should work. include (G) This allows you to include one config file inside another. The file is included literally, as though typed in place. It takes the standard substitutions, except %u, %P and %S. The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares. Default: include = Example: include = /usr/local/samba/lib/admin_smb.conf It is probably related to this bug in samba: https://bugzilla.samba.org/show_bug.cgi?id=10722 Description: Ubuntu 16.04 LTS Release: 16.04 samba: Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Version table: *** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500 500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 100 /var/lib/dpkg/status 2:4.3.8+dfsg-0ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages ** Description changed: [Impact] Samba in AD mode refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" This happens because the initscript calls "samba-tool testparm" to obtain a configuration parameter from smb.conf, and this testparm tool fails because it doesn't expand the %U macro and fails to read the literal filename. Note that "samba-tool testparm" is different from just "testparm". The latter doesn't fail. We could just replace one with the other in the initscript, but later on in the process of provisioning an AD controller this error is encountered again, so it's best to fix it properly. The patch is straight from an upstream commit, and that code is in place in the samba packages from bionic and cosmic already. [Test Case] * install samba: sudo apt install samba * create /etc/samba/smb.conf with this content: [global] netbios name = samba log file = /var/log/samba/log.%m map to guest = Bad User max log size = 1000 obey pam restrictions = Yes pam password change = Yes panic action = /usr/share/samba/panic-action %d passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . passwd program = /usr/bin/passwd %u server string = %h server (Samba, Ubuntu) unix password sync = Yes usershare allow guests = Yes idmap config * : backend = tdb include = /etc/samba/smb.conf.%U * run the command that fails: ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2 lpcfg_load: refreshing parameters from /etc/samba/smb.conf Can't find include file /etc/samba/smb.conf.%U ERROR: Unable to load default file ubuntu@trusty-samba-include:~$ echo $? 255 Note the debug level 2 message saying the include file couldn't be found. * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file. ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2 --suppress-prompt lpcfg_load: refreshing parameters from /etc/samba/smb.conf Tried to load /etc/samba/smb.conf.%U but variable substitution in filename, ignoring file. # Global parameters [global] - netbios name = SAMBA - server string = %h server (Samba, Ubuntu) - map to guest = Bad User - obey pam restrictions = Yes - pam password change = Yes - passwd program = /usr/bin/passwd %u - passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . - unix password sync = Yes - log level = 2 - log file = /var/log/samba/log.%m - max log size = 1000 - usershare allow guests = Yes - panic action = /usr/share/samba/panic-action %d - idmap config * : backend = tdb - include = /etc/samba/smb.conf.%U + netbios name = SAMBA + server string = %h server (Samba, Ubuntu) + map to guest = Bad User + obey pam restrictions = Yes + pam password change = Yes + passwd program = /usr/bin/passwd %u + passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . + unix password sync = Yes + log level = 2 + log file = /var/log/samba/log.%m + max log size = 1000 + usershare allow guests = Yes + panic action = /usr/share/samba/panic-action %d + idmap config * : backend = tdb + include = /etc/samba/smb.conf.%U ubuntu@trusty-samba-include:~$ echo $? 0 We can also see the new debugging message saying that the include file was ignored because of the variable substitution. - [Regression Potential] - If you happen to include a filename that has an actual "%" in its name, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though. + If you happen to include a filename that has an actual "%" in its name, not followed by a letter, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] Samba refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U" According to the man page for smb.conf, all but a few specific variable substitutions should work. include (G) This allows you to include one config file inside another. The file is included literally, as though typed in place. It takes the standard substitutions, except %u, %P and %S. The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares. Default: include = Example: include = /usr/local/samba/lib/admin_smb.conf It is probably related to this bug in samba: https://bugzilla.samba.org/show_bug.cgi?id=10722 Description: Ubuntu 16.04 LTS Release: 16.04 samba: Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1 Version table: *** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500 500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages 100 /var/lib/dpkg/status 2:4.3.8+dfsg-0ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages -- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1583324 Title: Samba won't start when an include statement in smb.conf has a variable substitution To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1583324/+subscriptions -- Ubuntu-server-bugs mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
