** Description changed:

  [Impact]
  Samba in AD mode refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U"

  This happens because the initscript calls "samba-tool testparm" to obtain a configuration parameter from smb.conf, and this testparm tool fails because it doesn't expand the %U macro and fails to read the literal filename.

  Note that "samba-tool testparm" is different from just "testparm". The latter doesn't fail. We could just replace one with the other in the initscript, but later on in the process of provisioning an AD controller this error is encountered again, so it's best to fix it properly.

  The patch is straight from an upstream commit, and that code is in place in the samba packages from bionic and cosmic already.

  [Test Case]
  * install samba:
  sudo apt install samba

  * create /etc/samba/smb.conf with this content:
  [global]
          netbios name = samba
          log file = /var/log/samba/log.%m
          map to guest = Bad User
          max log size = 1000
          obey pam restrictions = Yes
          pam password change = Yes
          panic action = /usr/share/samba/panic-action %d
          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
          passwd program = /usr/bin/passwd %u
          server string = %h server (Samba, Ubuntu)
          unix password sync = Yes
          usershare allow guests = Yes
          idmap config * : backend = tdb
          include = /etc/samba/smb.conf.%U

  * run the command that fails:
  ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2
  lpcfg_load: refreshing parameters from /etc/samba/smb.conf
  Can't find include file /etc/samba/smb.conf.%U
  ERROR: Unable to load default file
  ubuntu@trusty-samba-include:~$ echo $?
  255

  Note the debug level 2 message saying the include file couldn't be found.

  * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file.
  ubuntu@trusty-samba-include:~$ sudo samba-tool testparm -d 2 --suppress-prompt
  lpcfg_load: refreshing parameters from /etc/samba/smb.conf
  Tried to load /etc/samba/smb.conf.%U but variable substitution in filename, ignoring file.
  # Global parameters
  [global]
          netbios name = SAMBA
          server string = %h server (Samba, Ubuntu)
          map to guest = Bad User
          obey pam restrictions = Yes
          pam password change = Yes
          passwd program = /usr/bin/passwd %u
          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
          unix password sync = Yes
          log level = 2
          log file = /var/log/samba/log.%m
          max log size = 1000
          usershare allow guests = Yes
          panic action = /usr/share/samba/panic-action %d
          idmap config * : backend = tdb
          include = /etc/samba/smb.conf.%U

  ubuntu@trusty-samba-include:~$ echo $?
  0

  We can also see the new debugging message saying that the include file was ignored because of the variable substitution.

  [Regression Potential]
- If you happen to include a filename that has an actual "%" in its name, not followed by a letter, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though.
+ If you happen to include a filename that has an actual "%" in its name, followed by a letter, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though, because %<letter> is a variable and samba would try to expand it.

  [Other Info]
+ The fix and test procedure is identical for trusty and xenial. It's the same samba version in both releases of ubuntu.
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ There is still a difference in behaviour between "testparm(1)" and "samba-tool testparm". This fix only affects "samba-tool testparm":
+ ubuntu@trusty-samba-include:~$ testparm
+ Load smb config files from /etc/samba/smb.conf
+ Can't find include file /etc/samba/smb.conf.
+ (...)
+ Note the ending dot in the error above, that's where %U would come. testparm doesn't exit non-zero because of that, though.
+

  [Original Description]
  Samba refuses to start when the smb.conf file contains an include line with a variable substitution like "include = /etc/samba/smb.conf.%U"

  According to the man page for smb.conf, all but a few specific variable substitutions should work.

  include (G)

      This allows you to include one config file inside another. The file is included literally, as though typed in place.

      It takes the standard substitutions, except %u, %P and %S.

      The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares.

      Default: include =

      Example: include = /usr/local/samba/lib/admin_smb.conf

  It is probably related to this bug in samba:
  https://bugzilla.samba.org/show_bug.cgi?id=10722

  Description: Ubuntu 16.04 LTS
  Release: 16.04

  samba:
    Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1
    Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1
    Version table:
   *** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500
          500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       2:4.3.8+dfsg-0ubuntu1 500
          500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

-- 
https://bugs.launchpad.net/bugs/1583324

Title:
  Samba won't start when an include statement in smb.conf has a variable substitution
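
Added example (not part of the bug report or the upstream patch): a pre-flight check that classifies every include line in an smb.conf into the cases the description distinguishes, so a skipped include is visible before the service is restarted. It assumes, following the Regression Potential note, that a substitution is "%" followed by a letter; classify_includes, SAMPLE and the sample paths are constructed for illustration.

```python
import os
import re

# Assumption taken from the Regression Potential note: "%<letter>" is a variable.
_SUBST = re.compile(r"%[A-Za-z]")

# Constructed sample config, not taken from a real system.
SAMPLE = """[global]
    netbios name = samba
    log file = /var/log/samba/log.%m
    ; include = /etc/samba/commented.%U
    include = /etc/samba/smb.conf.%U
    Include = registry
    include = /etc/samba/extra.conf
    include = /etc/samba/missing.conf
    include = /etc/samba/100%.conf
"""


def classify_includes(conf_text, exists=os.path.exists):
    """Return (lineno, path, status) for each include line in smb.conf text.

    status is one of:
      registry      "include = registry", which is not a file at all
      substitution  path contains %<letter>; the fixed samba-tool testparm
                    ignores it, the unfixed one exits 255
      ok            literal path that exists
      missing       literal path that does not exist (still an error)
    """
    results = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "include":
            continue  # some other parameter, e.g. "log file"
        path = value.strip()
        if path.lower() == "registry":
            status = "registry"
        elif _SUBST.search(path):
            status = "substitution"
        else:
            status = "ok" if exists(path) else "missing"
        results.append((lineno, path, status))
    return results


if __name__ == "__main__":
    for lineno, path, status in classify_includes(SAMPLE):
        print(f"line {lineno}: {path}: {status}")
```

A "substitution" result means the file named on that line is not validated by "samba-tool testparm", so its contents need to be reviewed separately.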
