author | Rosen Penev <rosenp@gmail.com> | 2019-08-31 18:50:48 -0700 |
---|---|---|
committer | Stijn Tintel <stijn@linux-ipv6.be> | 2020-05-08 03:32:52 +0300 |
commit | 73fa1aba94f5cf566007ac18cee3ef08b3ae64bc (patch) | |
tree | 12d94da20915031cd34260409e6355c8e05b66b7 /package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch | |
parent | 79da9d78b98e1cd4574a37e2c4c5f8315b91563d (diff) | |
samba36: Remove
Samba 3.6 is completely unsupported, in addition to having tons of patches.
It also causes kernel panics on some platforms when sendfile is enabled.
Example:
https://github.com/gnubee-git/GnuBee_Docs/issues/45
I have reproduced on ramips as well as mvebu in the past.
Samba 4 is an alternative available in the packages repo.
cifsd is a lightweight alternative available in the packages repo. It is
also a faster alternative to both Samba versions (lower CPU usage). It
was renamed to ksmbd.
To summarize, here are the alternatives:
- ksmbd + luci-app-cifsd
- samba4 + luci-app-samba4
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[drop samba36-server from GEMINI_NAS_PACKAGES, ksmbd rename + summary]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Diffstat (limited to 'package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch')
-rw-r--r-- | package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch | 256 |
1 files changed, 0 insertions, 256 deletions
diff --git a/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch b/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch
deleted file mode 100644
index 5618fb4eff..0000000000
--- a/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch
+++ /dev/null
@@ -1,256 +0,0 @@
-From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 27 Feb 2016 03:43:58 +0100
-Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
- docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
- source3/include/proto.h | 1 +
- source3/param/loadparm.c | 12 ++++++++++++
- 4 files changed, 39 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
-
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="client ipc signing"
-+ context="G"
-+ type="enum"
-+ enumlist="enum_smb_signing_vals"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-+ connections as DCERPC transport inside of winbind. Possible values
-+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
-+ and <emphasis>disabled</emphasis>.
-+ </para>
-+
-+ <para>When set to auto, SMB signing is offered, but not enforced and if set
-+ to disabled, SMB signing is not offered either.</para>
-+
-+ <para>Connections from winbindd to Active Directory Domain Controllers
-+ always enforce signing.</para>
-+</description>
-+
-+<related>client signing</related>
-+
-+<value type="default">mandatory</value>
-+</samba:parameter>
---- a/docs-xml/smbdotconf/security/clientsigning.xml
-+++ b/docs-xml/smbdotconf/security/clientsigning.xml
-@@ -12,6 +12,9 @@
- <para>When set to auto, SMB signing is offered, but not enforced.
- When set to mandatory, SMB signing is required and if set
- to disabled, SMB signing is not offered either.
-+
-+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
-+ <smbconfoption name="client ipc signing"/> option.</para>
- </para>
- </description>
-
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
- int lp_winbind_reconnect_delay(void);
- int lp_winbind_max_clients(void);
- const char **lp_winbind_nss_info(void);
-+bool lp_winbind_sealed_pipes(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-+int lp_client_ipc_signing(void);
- int lp_server_signing(void);
- int lp_client_ldap_sasl_wrapping(void);
- char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -215,6 +215,7 @@ struct global {
- int winbind_expand_groups;
- bool bWinbindRefreshTickets;
- bool bWinbindOfflineLogon;
-+ bool bWinbindSealedPipes;
- bool bWinbindNormalizeNames;
- bool bWinbindRpcOnly;
- bool bCreateKrb5Conf;
-@@ -366,6 +367,7 @@ struct global {
- int restrict_anonymous;
- int name_cache_timeout;
- int client_signing;
-+ int client_ipc_signing;
- int server_signing;
- int client_ldap_sasl_wrapping;
- int iUsershareMaxShares;
-@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "client ipc signing",
-+ .type = P_ENUM,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.client_ipc_signing,
-+ .special = NULL,
-+ .enum_list = enum_smb_signing_vals,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "server signing",
- .type = P_ENUM,
- .p_class = P_GLOBAL,
-@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
- .flags = FLAG_ADVANCED,
- },
- {
-+ .label = "winbind sealed pipes",
-+ .type = P_BOOL,
-+ .p_class = P_GLOBAL,
-+ .ptr = &Globals.bWinbindSealedPipes,
-+ .special = NULL,
-+ .enum_list = NULL,
-+ .flags = FLAG_ADVANCED,
-+ },
-+ {
- .label = "winbind normalize names",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
-@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
- Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
- Globals.bWinbindRefreshTickets = False;
- Globals.bWinbindOfflineLogon = False;
-+ Globals.bWinbindSealedPipes = True;
-
- Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
- Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
-@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
- Globals.bClientUseSpnego = True;
-
- Globals.client_signing = Auto;
-+ Globals.client_ipc_signing = Required;
- Globals.server_signing = False;
-
- Globals.bDeferSharingViolations = True;
-@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
- FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
- FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
- FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
-+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
- FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
- FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
- FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
-@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
- FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
- FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
- FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
-+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
- FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
- FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
-
-@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
- lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
- }
-
-+ if (!lp_is_in_client()) {
-+ switch (lp_client_ipc_signing()) {
-+ case Required:
-+ lp_set_cmdline("client signing", "mandatory");
-+ break;
-+ case Auto:
-+ lp_set_cmdline("client signing", "auto");
-+ break;
-+ case False:
-+ lp_set_cmdline("client signing", "disabled");
-+ break;
-+ }
-+ }
-+
- init_iconv();
-
- bAllowIncludeRegistry = true;
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
- "", /* username */
- "", /* domain */
- "", /* password */
-- 0, lp_client_signing());
-+ 0, False);
-
- if ( !NT_STATUS_IS_OK( ret ) ) {
- DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -0,0 +1,15 @@
-+<samba:parameter name="winbind sealed pipes"
-+ context="G"
-+ type="boolean"
-+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+ <para>This option controls whether any requests from winbindd to domain controllers
-+ pipe will be sealed. Disabling sealing can be useful for debugging
-+ purposes.</para>
-+
-+ <para>The behavior can be controlled per netbios domain
-+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
- TALLOC_FREE(conn->samr_pipe);
-
- anonymous:
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ status = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(status)));
-+ goto done;
-+ }
-
- /* Finally fall back to anonymous. */
- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
-
- anonymous:
-
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ goto done;
-+ }
-+
- result = cli_rpc_pipe_open_noauth(conn->cli,
- &ndr_table_lsarpc.syntax_id,
- &conn->lsa_pipe);
-@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
-
- no_schannel:
- if ((lp_client_schannel() == False) ||
-- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+ result = NT_STATUS_DOWNGRADE_DETECTED;
-+ DEBUG(1, ("Unwilling to make connection to domain %s "
-+ "without connection level security, "
-+ "must set 'winbind sealed pipes = false' "
-+ "to proceed: %s\n",
-+ domain->name, nt_errstr(result)));
-+ TALLOC_FREE(netlogon_pipe);
-+ invalidate_cm_connection(conn);
-+ return result;
-+ }
- /*
- * NetSamLogonEx only works for schannel
- */ |