Bug 1878109 - Rebase Samba to the latest 4.13.x release
Summary: Rebase Samba to the latest 4.13.x release
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Andreas Schneider
QA Contact: sssd-qe
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1878111 1878112 1878113 1878114
Blocks: 1793411 1894575 1898866
Reported: 2020-09-11 10:57 UTC by Andreas Schneider
Modified: 2024-10-01 16:52 UTC (History)
CC List: 8 users

Fixed In Version: samba-4.13.2-1.el8
Doc Type: Enhancement
Doc Text:
._samba_ rebased to version 4.13.2

The _samba_ packages have been upgraded to upstream version 4.13.2, which provides a number of bug fixes and enhancements over the previous version:

* To avoid a security issue that allows unauthenticated users to take over a domain using the `netlogon` protocol, ensure that your Samba servers use the default value (`yes`) of the `server schannel` parameter. To verify, use the `testparm -v | grep 'server schannel'` command. For further details, see link:https://www.samba.org/samba/security/CVE-2020-1472.html[CVE-2020-1472].
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/bug_fixes#BZ-1925192[The Samba "wide links" feature has been converted to a VFS module].
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.2_release_notes/deprecated_functionality#BZ-1926114[Running Samba as a PDC or BDC is deprecated].
* You can now use Samba on RHEL with FIPS mode enabled. Due to the restrictions of the FIPS mode:
** You cannot use NT LAN Manager (NTLM) authentication because the RC4 cipher is blocked.
** By default in FIPS mode, Samba client utilities use Kerberos authentication with AES ciphers.
** You can use Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers. Note that Red Hat continues supporting the primary domain controller (PDC) functionality IdM uses in the background.
* The following parameters for less-secure authentication methods, which are only usable over the server message block version 1 (SMB1) protocol, are now deprecated:
** `client plaintext auth`
** `client NTLMv2 auth`
** `client lanman auth`
** `client use spnego`
* An issue with the GlusterFS write-behind performance translator, when used with Samba, has been fixed to avoid data corruption.
* The minimum runtime support is now Python 3.6.
* The deprecated `ldap ssl ads` parameter has been removed.

Samba automatically updates its `tdb` database files when the `smbd`, `nmbd`, or `winbind` service starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading `tdb` database files. For further information about notable changes, read the link:https://www.samba.org/samba/history/samba-4.13.0.html[upstream release notes] before updating.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:59:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SSSD-3200 0 None None None 2024-10-01 16:52:57 UTC
Red Hat Knowledge Base (Solution) 6041501 0 None None None 2021-05-13 14:51:01 UTC

Description Andreas Schneider 2020-09-11 10:57:45 UTC
Description of problem:

Rebase Samba to the latest 4.13 release to get improved FIPS support.


wide links functionality
------------------------

For this release, the code implementing the insecure "wide links = yes"
functionality has been moved out of the core smbd code and into a separate
VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded
by smbd as the last but one module before vfs_default if "wide links = yes"
is enabled on the share (note, the existing restrictions on enabling wide
links around the SMB1 "unix extensions" and the "allow insecure wide links"
parameters are still in force). The implicit loading was done to allow
existing users of "wide links = yes" to keep this functionality without
having to make a change to existing working smb.conf files.

Please note that the Samba developers recommend changing any Samba
installations that currently use "wide links = yes" to use bind mounts
as soon as possible, as "wide links = yes" is an inherently insecure
configuration which we would like to remove from Samba. Moving the
feature into a VFS module allows this to be done in a cleaner way
in future.

A future release to be determined will remove this implicit linkage,
causing administrators who need this functionality to have to explicitly
add the vfs_widelinks module into the "vfs objects =" parameter lists.
The release notes will be updated to note this change when it occurs.


NT4-like 'classic' Samba domain controllers
-------------------------------------------

Samba 4.13 deprecates Samba's original domain controller mode.

Sites using Samba as a Domain Controller should upgrade from the
NT4-like 'classic' Domain Controller to a Samba Active Directory DC
to ensure full operation with modern Windows clients.

SMBv1 only protocol options deprecated
--------------------------------------

A number of smb.conf parameters for less-secure authentication methods
which are only possible over SMBv1 are deprecated in this release.

REMOVED FEATURES
================

The deprecated "ldap ssl ads" smb.conf option has been removed.

smb.conf changes
================

  Parameter Name                     Description                Default
  --------------                     -----------                -------
  ldap ssl ads                       removed
  smb2 disable lock sequence checking                           No
  domain logons                      Deprecated                 no
  raw NTLMv2 auth                    Deprecated                 no
  client plaintext auth              Deprecated                 no
  client NTLMv2 auth                 Deprecated                 yes
  client lanman auth                 Deprecated                 no
  client use spnego                  Deprecated                 yes
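
Added example (not part of the bug report, the upstream release notes, or Samba's own tooling): a small Python audit that reads a `testparm -v` style dump, or a plain smb.conf, and flags the settings this report calls out: `server schannel` not `yes` (the CVE-2020-1472 note in the Doc Text), the deprecated parameters from the smb.conf change table set away from their listed defaults, the removed `ldap ssl ads` option, and `wide links = yes` on any share. The function names, the `[data]` share and the sample dump are constructed for illustration.

```python
"""Audit a Samba configuration dump for the settings named in the
Samba 4.13 rebase notes: 'server schannel' (CVE-2020-1472), deprecated
SMB1-only authentication parameters, the removed 'ldap ssl ads' option
and insecure 'wide links'.

Added example, not part of the bug report or of Samba itself. It parses
the 'key = value' dump produced by `testparm -v` (or a plain smb.conf);
the sample input below is constructed for illustration.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^(?P<key>[^=#;]+?)\s*=\s*(?P<value>.*?)\s*$")

# Deprecated parameters and their defaults, taken from the smb.conf change
# table in the 4.13 release notes. A deprecated parameter left at its
# default is harmless; one set away from it is worth a look.
DEPRECATED_DEFAULTS = {
    "domain logons": "no",
    "raw ntlmv2 auth": "no",
    "client plaintext auth": "no",
    "client ntlmv2 auth": "yes",
    "client lanman auth": "no",
    "client use spnego": "yes",
}
REMOVED_PARAMS = {"ldap ssl ads"}


def _norm(value):
    """Normalise Samba booleans: yes/true/1 -> 'yes', no/false/0 -> 'no'."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


def parse_testparm(text):
    """Return {section: {param: value}} from testparm/smb.conf style text.

    Parameter names are lower-cased and whitespace-collapsed so that
    'client NTLMv2 auth' and 'client ntlmv2 auth' compare equal. Lines
    before the first [section] (testparm's own status output) are ignored.
    """
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            config.setdefault(section, {})
            continue
        m = PARAM_RE.match(line)
        if m and section is not None:
            key = " ".join(m.group("key").lower().split())
            config[section][key] = m.group("value")
    return config


def audit(config):
    """Return a list of (section, parameter, finding) tuples."""
    findings = []
    glob = config.get("global", {})

    # CVE-2020-1472: the default 'server schannel = yes' must stay in force.
    # testparm -v prints the effective value; a missing key only means the
    # input was a bare smb.conf relying on the default.
    schannel = glob.get("server schannel")
    if schannel is not None and _norm(schannel) != "yes":
        findings.append(("global", "server schannel",
                         "must be 'yes' (netlogon domain takeover, CVE-2020-1472)"))

    for param, default in DEPRECATED_DEFAULTS.items():
        if param in glob and _norm(glob[param]) != default:
            findings.append(("global", param,
                             f"deprecated in 4.13; set to '{glob[param]}' "
                             f"instead of default '{default}'"))

    for param in REMOVED_PARAMS & set(glob):
        findings.append(("global", param, "parameter removed in Samba 4.13"))

    # 'wide links' is a per-share parameter; upstream recommends bind mounts.
    for section, params in config.items():
        if _norm(params.get("wide links", "no")) == "yes":
            findings.append((section, "wide links",
                             "insecure; upstream recommends bind mounts instead"))
    return findings


# Constructed sample: a testparm -v style dump with several weak settings.
SAMPLE = """\
Load smb config files from /etc/samba/smb.conf
[global]
\tworkgroup = EXAMPLE
\tserver schannel = auto
\tclient plaintext auth = Yes
\tclient NTLMv2 auth = No
\tldap ssl ads = Yes
\tdomain logons = No

[data]
\tpath = /srv/data
\twide links = Yes
\tread only = No
"""

if __name__ == "__main__":
    for section, param, why in audit(parse_testparm(SAMPLE)):
        print(f"[{section}] {param}: {why}")
```

Run against a live host with `testparm -v -s | python3 audit.py`-style plumbing by replacing `SAMPLE` with `sys.stdin.read()`; the parser only needs the `[section]` and `key = value` lines, so it also accepts an smb.conf that has not been expanded by testparm.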

Comment 5 Andreas Schneider 2020-11-17 09:36:50 UTC
Check "Doc Text" of https://bugzilla.redhat.com/show_bug.cgi?id=1851442 too!

Comment 11 errata-xmlrpc 2021-05-18 14:59:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1647

