Bug 1878109

Summary: Rebase Samba to the latest 4.13.x release
Product: Red Hat Enterprise Linux 8
Reporter: Andreas Schneider <asn>
Component: samba
Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified
Version: 8.4
CC: abokovoy, asn, dkarpele, gdeschner, jarrpa, jshivers, mmuehlfe, nsoman
Target Milestone: rc
Keywords: Rebase, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: samba-4.13.2-1.el8
Doc Type: Enhancement
Doc Text:
._samba_ rebased to version 4.13.2

The _samba_ packages have been upgraded to upstream version 4.13.2, which provides a number of bug fixes and enhancements over the previous version:

* To avoid a security issue that allows unauthenticated users to take over a domain using the `netlogon` protocol, ensure that your Samba servers use the default value (`yes`) of the `server schannel` parameter. To verify, use the `testparm -v | grep 'server schannel'` command. For further details, see link:https://www.samba.org/samba/security/CVE-2020-1472.html[CVE-2020-1472].
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/bug_fixes#BZ-1925192[The Samba "wide links" feature has been converted to a VFS module].
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/deprecated_functionality#BZ-1926114[Running Samba as a PDC or BDC is deprecated].
* You can now use Samba on RHEL with FIPS mode enabled. Due to the restrictions of FIPS mode:
** You cannot use NT LAN Manager (NTLM) authentication because the RC4 cipher is blocked.
** By default in FIPS mode, Samba client utilities use Kerberos authentication with AES ciphers.
** You can use Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers. Note that Red Hat continues supporting the primary domain controller (PDC) functionality that IdM uses in the background.
* The following parameters for less-secure authentication methods, which are only usable over the server message block version 1 (SMB1) protocol, are now deprecated:
** `client plaintext auth`
** `client NTLMv2 auth`
** `client lanman auth`
** `client use spnego`
* An issue with the GlusterFS write-behind performance translator, when used with Samba, has been fixed to avoid data corruption.
* The minimum supported Python runtime is now 3.6.
* The deprecated `ldap ssl ads` parameter has been removed.

Samba automatically updates its `tdb` database files when the `smbd`, `nmbd`, or `winbind` service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading `tdb` database files. For further information about notable changes, read the link:https://www.samba.org/samba/history/samba-4.13.0.html[upstream release notes] before updating.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-18 14:59:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1878111, 1878112, 1878113, 1878114
Bug Blocks: 1793411, 1894575, 1898866

Description Andreas Schneider 2020-09-11 10:57:45 UTC
Description of problem:

Rebase Samba to the latest 4.13 release to get improved FIPS support.


wide links functionality
------------------------

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.


NT4-like 'classic' Samba domain controllers
-------------------------------------------

Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern Windows clients.

SMBv1 only protocol options deprecated
--------------------------------------

A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.

REMOVED FEATURES
================

The deprecated "ldap ssl ads" smb.conf option has been removed.

smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------
  ldap ssl ads                       removed
  smb2 disable lock sequence checking                           No
  domain logons                      Deprecated                 no
  raw NTLMv2 auth                    Deprecated                 no
  client plaintext auth              Deprecated                 no
  client NTLMv2 auth                 Deprecated                 yes
  client lanman auth                 Deprecated                 no
  client use spnego                  Deprecated                 yes

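The `server schannel` verification from the Doc Text and the removed and deprecated parameters in the smb.conf changes table above can be audited in one pass before the upgrade. The following shell script is an added example, not part of this bug report or of the Samba project's own tooling. It assumes the input is a plain smb.conf file or the output of `testparm -s`; the function names (`conf_occurrences`, `conf_get`, `conf_sections_with`, `audit_samba_conf`) and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Audit an smb.conf-style file for the settings changed by the Samba 4.13 rebase.
# Added example, not Samba's own tooling. Input: smb.conf or `testparm -s` output.

# conf_occurrences FILE PARAM
#   Print "section<TAB>value" for every line that sets PARAM. Parameter names
#   are matched case- and whitespace-insensitively, as smbd treats them.
conf_occurrences() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
    awk -F= -v want="$want" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/   { section = $0; sub(/^[ \t]*\[/, "", section)
                        sub(/].*/, "", section); next }     # [section] header
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key != want) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
            print section "\t" val
        }' "$1"
}

# conf_get FILE PARAM - effective [global] value (last one wins); empty if unset
conf_get() {
    conf_occurrences "$1" "$2" | awk -F'\t' 'tolower($1) == "global" { v = $2 } END { print v }'
}

# conf_sections_with FILE PARAM VALUE - names of the sections that set PARAM to VALUE
conf_sections_with() {
    w=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    conf_occurrences "$1" "$2" | awk -F'\t' -v w="$w" 'tolower($2) == w { print $1 }'
}

# audit_samba_conf FILE
#   Print one "LEVEL: message" line per finding; return 1 if any ERROR was found.
audit_samba_conf() {
    file="$1"; errors=0

    # server schannel must stay at its default of yes (CVE-2020-1472).
    sc=$(conf_get "$file" "server schannel" | tr 'A-Z' 'a-z')
    case "$sc" in
        ""|yes) ;;                         # unset means the default, which is yes
        *) echo "ERROR: server schannel = $sc (must be the default, yes)"
           errors=$((errors + 1)) ;;
    esac

    # 'ldap ssl ads' was removed in 4.13, so any setting of it is dead configuration.
    if [ -n "$(conf_occurrences "$file" "ldap ssl ads")" ]; then
        echo "ERROR: 'ldap ssl ads' is still set but the parameter was removed in 4.13"
        errors=$((errors + 1))
    fi

    # Deprecated SMB1-only parameters and their defaults, from the smb.conf changes table.
    for entry in "domain logons:no" "raw NTLMv2 auth:no" "client plaintext auth:no" \
                 "client NTLMv2 auth:yes" "client lanman auth:no" "client use spnego:yes"; do
        param=${entry%%:*}; default=${entry#*:}
        val=$(conf_get "$file" "$param")
        if [ -n "$val" ]; then
            echo "WARN: deprecated '$param' is set to '$val' (default: $default)"
        fi
    done

    # wide links = yes is now served by vfs_widelinks; upstream still recommends bind mounts.
    conf_sections_with "$file" "wide links" "yes" | while IFS= read -r s; do
        echo "WARN: section [$s] sets 'wide links = yes'; use bind mounts instead"
    done

    [ "$errors" -eq 0 ]
}

# Constructed sample configuration (not from any real host) that trips every check.
sample_conf() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    Server Schannel = auto
    client plaintext auth = yes
    client NTLMv2 auth = yes
    ldap ssl ads = yes

[public]
    path = /srv/public
    wide links = yes

[private]
    path = /srv/private
    wide links = no
EOF
}

# On a real host, replace sample_conf with: testparm -s 2>/dev/null
tmp=$(mktemp)
sample_conf > "$tmp"
audit_samba_conf "$tmp" || echo "audit: fix the ERROR items before upgrading"
rm -f "$tmp"
```

Feed it `testparm -s` output rather than `testparm -v`: `-v` also prints parameters at their default values, so every deprecated parameter would then appear to be explicitly set. A `wide links = yes` placed in `[global]` is inherited by every share, but the script reports only the section that sets it.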
Comment 5 Andreas Schneider 2020-11-17 09:36:50 UTC
Check "Doc Text" of https://bugzilla.redhat.com/show_bug.cgi?id=1851442 too!

Comment 11 errata-xmlrpc 2021-05-18 14:59:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1647