Bug 1925192

Summary: Write a RN about the changed "wide links" feature in Samba 4.13.0
Product: Red Hat Enterprise Linux 8 Reporter: Marc Muehlfeld <mmuehlfe>
Component: doc-Release_Notes-8-en-US Assignee: Lucie Vařáková <lmanasko>
Status: CLOSED CURRENTRELEASE QA Contact: RHEL DPM <rhel-docs>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium    
Version: 8.3 CC: abokovoy, asn, lmanasko, rhel-docs
Target Milestone: rc Keywords: Documentation, FutureFeature, Triaged
Target Release: 8.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
.The Samba `wide links` feature has been converted to a VFS module

Previously, the `wide links` parameter was part of the `smbd` service's core functionality. Enabling this feature is insecure and, therefore, has been moved into a separate virtual file system (VFS) module named `widelinks`. For backward compatibility, Samba in RHEL 8.4 automatically loads this module for shares that have `wide links = yes` set in their configuration.

Important: Red Hat recommends not to use the insecure `wide links` feature. Instead, use a `bind mount` to mount a part of the file hierarchy to a directory that you shared in Samba. For details about configuring a bind mount, see the `Bind mount operation` section in the `mount(8)` man page.

To switch from a configuration that uses `wide links` to `bind mount`:

. For every symbolic link that links outside of a share, replace the link with a `bind mount`. For details, see the `Bind mount operation` section in the `mount(8)` man page.
. Remove all `wide links = yes` entries from the `/etc/samba/smb.conf` file.
. Reload Samba:
+
----
# smbcontrol all reload-config
----
Last Closed: 2021-06-11 06:46:13 UTC Type: Bug

Description Marc Muehlfeld 2021-02-04 15:01:12 UTC
Samba 4.13.0 changes how to use the "wide links" parameter:

https://www.samba.org/samba/history/samba-4.13.0.html

wide links functionality

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.



Since this is too much information to mention in the aggregated RN about Samba in RHEL 8.4, we need a separate one.
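
An audit sketch for the first two steps of the migration in the Doc Text above, added here as an example and not part of the bug report, Samba, or Red Hat's documentation. The function names `shares_with_wide_links` and `links_outside_share` are hypothetical, and the script assumes `readlink -f` (GNU coreutils) is available.

```shell
#!/bin/sh
# Added example: helpers for auditing a "wide links" -> bind mount migration.

# Print the name of every smb.conf section that enables wide links.
# smb.conf ignores case and whitespace in parameter names and accepts
# yes/true/1 as boolean true, so both are normalised before comparing.
# A hit on "global" means the setting is the default for every share.
shares_with_wide_links() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[.*\]/ {                       # section header
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val)
            sub(/[ \t\r]+$/, "", val)
            if (key == "widelinks" && (val == "yes" || val == "true" || val == "1"))
                print section
        }
    ' "$1"
}

# Print "link<TAB>resolved target" for each symlink below a share root whose
# fully resolved target lies outside that root. These are the links that
# step 1 replaces with bind mounts. find does not descend through symlinks.
links_outside_share() {
    root=$(readlink -f -- "$1") || return 1
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link") || target="(unresolvable)"
            case "$target" in
                "$root"|"$root"/*) ;;           # stays inside the share
                *) printf "%s\t%s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +
}
```

Run `shares_with_wide_links /etc/samba/smb.conf` first, then `links_outside_share` on the `path` of each share it reports.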

Comment 10 CongLi 2021-05-26 06:12:09 UTC
Hi,

Since the issue described in this bug should be resolved (VERIFIED), could you please close this bug with resolution 'CURRENTRELEASE' if this bug got fixed?

If the fix for this is not released yet, check if this will ever get fixed. In case of a negative answer then please change it as WONTFIX.

If there's anything else to be done on this BZ, if it's still active, not released yet and we actually intend to release it, then please ignore my message.

Please note: for those bugs which are not included in errata, please add 'TestOnly' keyword, and those bugs with 'TestOnly' keyword will be closed automatically after GA.
TestOnly: Use this when there is no code delivery involved, or for use when code is already upstream and will be incorporated automatically to the next release for testing purposes only.

Thank you.