Bug 1754409

Summary: Rebase Samba to 4.11.x
Product: Red Hat Enterprise Linux 8
Reporter: Isaac Boukris <iboukris>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: Andrej Dzilský <adzilsky>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 8.2
CC: asn, gdeschner, iboukris, jarrpa, jstephen, mkosek
Target Milestone: rc
Keywords: Rebase
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: samba-4.11.2-3.el8
Doc Type: Enhancement
Doc Text:
._samba_ rebased to version 4.11.2

The _samba_ packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:

* By default, the server message block version 1 (SMB1) protocol is now disabled in the Samba server, client utilities, and the `libsmbclient` library. However, you can still set the `server min protocol` and `client min protocol` parameters manually to `NT1` to re-enable SMB1. Red Hat does not recommend re-enabling the SMB1 protocol.
* The `lanman auth` and `encrypt passwords` parameters are deprecated. These parameters enable insecure authentication and are only available in the deprecated SMB1 protocol.
* The `-o` parameter has been removed from the `onnode` clustered trivial database (CTDB) utility.
* Samba now uses the GnuTLS library for encryption. As a result, if the FIPS mode in RHEL is enabled, Samba is compliant with the FIPS standard.
* The `ctdbd` service now logs when it uses more than 90% of a CPU thread.
* The deprecated Python 2 support has been removed.

Samba automatically updates its `tdb` database files when the `smbd`, `nmbd`, or `winbind` service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading `tdb` database files.

For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.11.0.html
Last Closed: 2020-04-28 16:58:36 UTC
Type: Bug
Bug Depends On: 1754417, 1754420, 1754421, 1754423    
Bug Blocks:    

Description Isaac Boukris 2019-09-23 07:58:51 UTC
The samba team wants to upgrade samba to version 4.11.x for initial FIPS support.

Comment 1 Andreas Schneider 2019-11-29 08:23:13 UTC
IMPORTANT


SMB1 is disabled by default
---------------------------

The defaults of 'client min protocol' and 'server min protocol'
have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer
able to connect to smbd (by default).

It also means client tools like smbclient and others,
as well as applications making use of libsmbclient are no longer
able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
and LANMAN1 for client and server, as well as CORE and COREPLUS on
the client.

Note that most commandline tools e.g. smbclient, smbcacls and others
also support the '--option' argument to overwrite smb.conf options,
e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases
or uninstalls it after 30 days without usage, the Samba Team
tries to remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step
in the following years. If you have a strong requirement for SMB1
(except for supporting old Linux Kernels), please file a bug
at https://bugzilla.samba.org and let us know about the details.
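
Added example (not part of this bug report and not Samba or Red Hat code): a Python check that scans smb.conf text for settings that undo the 4.11 defaults described above, namely a min protocol set to an SMB1 dialect or use of the deprecated `lanman auth` / `encrypt passwords` parameters. The function names `logical_lines` and `audit` are hypothetical, the sample configuration is constructed, and `min protocol` is treated as a synonym of `server min protocol`.

```python
# Added example: audit smb.conf text for settings that re-enable SMB1.
# Parameter names are compared with case and whitespace removed.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
MIN_PROTOCOL = {"serverminprotocol", "minprotocol", "clientminprotocol"}
DEPRECATED = {"lanmanauth", "encryptpasswords"}  # deprecated as of 4.11

def logical_lines(text):
    """Yield (line_no, line), joining backslash continuations, skipping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no  # report the line where the setting begins
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line and line[0] not in "#;":
            yield start, line

def audit(text):
    """Return (line_no, section, parameter, reason) for each risky setting."""
    findings, section = [], "global"
    for no, line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, _, value = line.partition("=")
        key = "".join(name.split()).lower()
        value = value.strip()
        if key in MIN_PROTOCOL and value.upper() in SMB1_DIALECTS:
            findings.append((no, section, key, f"SMB1 re-enabled ({value})"))
        elif key in DEPRECATED:
            findings.append((no, section, key, "deprecated SMB1-only parameter"))
    return findings

# Constructed sample configuration, not taken from any real system.
SAMPLE = r"""# constructed sample
[global]
    workgroup = EXAMPLE
    Server Min Protocol = NT1
    client min protocol = SMB2_02
    ; lanman auth = yes
    encrypt passwords = \
        no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check covers only the text it is given; settings pulled in through `include` files or passed with `--option` on the command line need to be reviewed separately.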

Comment 4 Andreas Schneider 2019-12-03 11:33:02 UTC
1. We need to rebuild the package in the required side-tag to pass gating of libtalloc, libtevent, libtdb, libldb, samba, sssd and openchange. For this we need to bump the release number.
2. Risk is low
3. -

Comment 7 Andreas Schneider 2020-01-10 08:36:45 UTC
Looks fine for me, thanks!

Comment 9 errata-xmlrpc 2020-04-28 16:58:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1878