Univention Bugzilla – Bug 52130
samba: Multiple issues (4.4)
Last modified: 2020-10-29 16:17:43 CET
With Samba 4.10.18 a mitigation for Zerologin is available, in that schannel can be deactivated for individual hosts, and has not to be deactivated globally. Example smb.conf options from the announcement: server schannel = yes server require schannel:triceratops$ = no server require schannel:greywacke$ = no Initially reported here with Bug #52041 [CVE-2020-1472] Zerologin impact on Samba in UCS
/usr/share/ucs-test/50_samba/41password_change Seems that this -S DC_IP for the "net" command is a problem now, without it the test works. We added this parameter in bug #31794 because of the "The semaphore time-out period has expired." error during the "net" command. That did not really fix the problem, later we just ignored the "The semaphore time-out period has expired." error. So i think it's ok to just remove -S $dc --- a/test/ucs-test/tests/50_samba/41password_change +++ b/test/ucs-test/tests/50_samba/41password_change @@ -73,13 +73,10 @@ do sleep 1 done -dc="$(net lookup dc | sort -R | head -1)" -test -n "$dc" && dc="-S $dc" - ##changing the password with net rpc / samba echo "----changing the password with net $net_mode" -echo "net $net_mode password \"$username\" \"$second_password\" -U\"$admin_account%$tests_domainadmin_pwd\" $dc" -net $net_mode password "$username" "$second_password" -U"$admin_account%$tests_domainadmin_pwd" $dc +echo "net $net_mode password \"$username\" \"$second_password\" -U\"$admin_account%$tests_domainadmin_pwd\"" +net $net_mode password "$username" "$second_password" -U"$admin_account%$tests_domainadmin_pwd" if [ "$?" != 0 ];then error "net $net_mode password change returned a non-zero exit code: $?. Continuing anyway, see Bug #31794" fi Also i made this kdestroy change in 53_samba-common/0000_restart_samba 55c2c372bd837d2d4b32ed4d940e1a88272e128f, do we want to rename the test?
Patches merged by Julia in svn rev19167-19175 Felix will test the remaining issues with samba pdc with a Windows machine, we suspect that this is only an issue with smbclient from the same machine in our testcases. YAML is commited in git rev 53a7371db. Final package version and text will be merged via bug 52233.
(In reply to Erik Damrose from comment #6) > Patches merged by Julia in svn rev19167-19175 > Felix will test the remaining issues with samba pdc with a Windows machine, > we suspect that this is only an issue with smbclient from the same machine > in our testcases. My samba pdc tests failed, but also with the current samba version 2:4.10.1-1A~4.4.0.2020100715 -> see Bug #52276. We ignore this here now because it is not a problem of this update, needs to be discussed/fixed on Bug #52276.
7f88c587d64aedff4af004993ff9238f4aa78ffe - removed -S DC_IP for the net password command - added kdestroy to some (smbclient) tests -> Bug 52277 b8074b1e1ed65cdd9cd4f8e02381054b94d34aa9 - removed 53_samba-common/0000_restart_samba TODO check test tomorrow and cherry-pick those changes to 5.0-0 Rest looks good
OK - tests look good cherry-picked 7f88c587d64aedff4af004993ff9238f4aa78ffe to 5.0-0
<https://errata.software-univention.de/#/?erratum=4.4x787>