Univention Bugzilla – Bug 53336
preup.sh does not test if testparm is installed and this leads to a wrong test result (and denial of update)
Last modified: 2021-09-16 16:06:20 CEST
The problem occurred in a customer environment on a replica without samba installation, and may also occur in other scenarios. The problem seems to be that the preup.sh always checks if schannel is activated and this test needs testparm. On a machine without samba, testparm is not on the system and the test fails and the update is denied.

+++ This bug was initially created as a clone of Bug #49898 +++

At some point we should update to the next Samba release. This bug collects things that we should keep in mind before doing that.

First point on this list: Adjust preup.sh to run testparm to check for removed smb.conf options like "server schannel = auto" (see https://bugzilla.samba.org/show_bug.cgi?id=13464). If an option like that is found, the customer should be warned and asked for confirmation before updating.
The preup.sh shows:

> The system can not be updated to UCS 5.0 due to the following reasons:samba_server_schannel
> :
> WARNING: Samba is configured with "server schannel = ",
> This is extremely dangerous, see https://www.samba.org/samba/security/CVE-2020-1472.html
> Please take care to change this back to "yes" before updating.
>
> Error: Please check "/var/log/univention/updater.log" for details.
> ERROR: update failed. Please check /var/log/univention/updater.log
WIP on "juern/preupsh"

[juern/preupsh 55d2b04acf] Bug #53336: check if testparm is executable

TODO: Check how to deploy a new check.sh and preup.sh
@QA "apt remove samba-common-bin" to remove testparm
[5.0-0 d0025f401d] Bug #53336: check if testparm is executable

preup.sh and preup.sh.gpg have been copied to
apt.knut.univention.de (http://apt.knut.univention.de/dists/ucs500/)
updates-test.software-univention.de (https://updates-test.software-univention.de/dists/ucs500/)

Please reopen if ready for copy to production mirror
pre-update-checks-5.0-0 is only available on apt.knut.univention.de (updates-test has no download folder)
http://apt.knut.univention.de/download/univention-update-checks/
(In reply to Jürn Brodersen from comment #5)
> Please reopen if ready for copy to production mirror

OK: check for testparm works
Copied preup.sh & preup.sh.gpg to production download server:
https://updates.software-univention.de/dists/ucs500/

Copied pre-update-checks-5.0-0 & pre-update-checks-5.0-0.gpg to production download server:
https://updates.software-univention.de/download/univention-update-checks/

I did a quick check: upgrade can be started and new script is used.

and this snippet from the release notes:
"""
# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-0{.gpg,}
# verify and run script
apt-key verify pre-update-checks-5.0-0{.gpg,} && bash pre-update-checks-5.0-0
"""
OK
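The behaviour fixed in this bug, sketched as an added example (this is not the code from Univention's preup.sh): a missing testparm means the schannel check does not apply, while a testparm that is present but fails, or reports anything other than "yes", still blocks the update. The function name, its optional path argument, the return codes and the fail-closed choice are assumptions.

```shell
#!/bin/sh
# Added illustration, not Univention's preup.sh.
# check_server_schannel [path-to-testparm]
#   returns 0: check passed or not applicable, 1: update must be blocked
check_server_schannel() {
    # Assumption: callers may pass an explicit path; default is a PATH lookup.
    tp_bin="${1:-$(command -v testparm 2>/dev/null || true)}"

    # Host without Samba tooling (e.g. samba-common-bin not installed):
    # there is no effective smb.conf to judge, so do not block the update.
    if [ -z "$tp_bin" ] || [ ! -x "$tp_bin" ]; then
        return 0
    fi

    # -s: do not wait for a keypress; --parameter-name: print only this
    # parameter's effective value from the [global] section.
    if ! tp_value="$("$tp_bin" -s --parameter-name='server schannel' 2>/dev/null)"; then
        # The tool exists but could not evaluate the config: fail closed
        # instead of reporting an empty value as the configured setting.
        echo 'WARNING: testparm failed, "server schannel" could not be verified' >&2
        return 1
    fi

    # Normalise case and whitespace before comparing.
    tp_value="$(printf '%s' "$tp_value" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')"

    if [ "$tp_value" = "yes" ]; then
        return 0
    fi

    echo "WARNING: Samba is configured with \"server schannel = $tp_value\"" >&2
    echo 'See https://www.samba.org/samba/security/CVE-2020-1472.html' >&2
    return 1
}
```

Separating "tool absent" from "tool failed" avoids both the false positive reported here and a silent pass on a broken Samba configuration.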