RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1754409 - Rebase Samba to 4.11.x
Summary: Rebase Samba to 4.11.x
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Andreas Schneider
QA Contact: Andrej Dzilský
Marc Muehlfeld
Depends On: 1754417 1754420 1754421 1754423
TreeView+ depends on / blocked
Reported: 2019-09-23 07:58 UTC by Isaac Boukris
Modified: 2021-08-30 13:16 UTC (History)
6 users (show)

Fixed In Version: samba-4.11.2-3.el8
Doc Type: Enhancement
Doc Text:
._samba_ rebased to version 4.11.2 The _samba_ packages have been upgraded to upstream version 4.11.2, which provides a number of bug fixes and enhancements over the previous version. Notable changes include: * By default, the server message block version 1 (SMB1) protocol is now disabled in the Samba server, client utilities, and the `libsmbclient` library. However, you can still set the `server min protocol` and `client min protocol` parameters manually to `NT1` to re-enable SMB1. Red Hat does not recommend to re-enabling the SMB1 protocol. * The `lanman auth` and `encrypt passwords` parameters are deprecated. These parameters enable insecure authentication and are only available in the deprecated SMB1 protocol. * The `-o` parameter has been removed from the `onode` clustered trivial database (CTDB) utility. * Samba now uses the GnuTLS library for encryption. As a result, if the FIPS mode in RHEL is enabled, Samba is compliant with the FIPS standard. * The `ctdbd` service now logs when it uses more than 90% of a CPU thread. * The deprecated Python 2 support has been removed. Samba automatically updates its `tdb` database files when the `smbd`, `nmbd`, or `winbind` service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading `tdb` database files. For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.11.0.html
Clone Of:
Last Closed: 2020-04-28 16:58:36 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1878 0 None None None 2020-04-28 16:59:11 UTC

Description Isaac Boukris 2019-09-23 07:58:51 UTC
The samba team wants to upgrade samba to version 4.11.x for initial FIPS support.

Comment 1 Andreas Schneider 2019-11-29 08:23:13 UTC

SMB1 is disabled by default

The defaults of 'client min protocol' and 'server min protocol'
have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer
able to connect to smbd (by default).

It also means client tools like smbclient and other,
as well as applications making use of libsmbclient are no longer
able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
and LANMAN1 for client and server, as well as CORE and COREPLUS on
the client.

Note that most commandline tools e.g. smbclient, smbcacls and others
also support the '--option' argument to overwrite smb.conf options,
e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases
or uninstalls it after 30 days without usage, the Samba Team
tries to get remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step
in the following years. If you have a strong requirement for SMB1
(except for supporting old Linux Kernels), please file a bug
at https://bugzilla.samba.org and let us know about the details.

Comment 4 Andreas Schneider 2019-12-03 11:33:02 UTC
1. We need to rebuild the package in the required side-tag to pass gating of libtalloc, libtevent, libtdb, libldb, samba, sssd and openchange. For this we need to bump the release number.
2. Risk is low
3. -

Comment 7 Andreas Schneider 2020-01-10 08:36:45 UTC
Looks fine for me, thanks!

Comment 9 errata-xmlrpc 2020-04-28 16:58:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.