Univention Bugzilla – Bug 54995
samba: Multiple issues (4.4)
Last modified: 2022-07-28 09:11:34 CEST
Upstream provided combined patches which I added like this:
* 98_CVE-2022-2031+32744-backport-for-4.10.quilt
* 98_CVE-2022-32742.quilt
* 98_CVE-2022-32745+32746.quilt

I extracted the ldb specific patches from 98_CVE-2022-32745+32746.quilt and committed them to svn/patches/ldb/4.4-0-0-ucs/2:1.5.9-1-errata4.4-9, extracted the last patch from that file, which updates the library soversion and the symbols, and moved it directly into the source package as ldb-1.5.9/debian/patches/15_ldb_ver_1.5.9.patch

Then I've imported and built a new source package version 1.5.9 into errata4.4-9.

I also added and updated the missing patch 98_CVE-2020-25717+25718+25719+25721+25722-security-2021-11-v4.10-v13-bug14725.patches-ldb.quilt

r19671 | Bug #54995: uncommitted patch for Bug #54014
r19673 | patch merged by repo-ng - from ldb/4.4-0-0-ucs/2:1.5.8-1-errata4.4-8 to ldb/4.4-0-0-ucs/2:1.5.8-1-errata4.4-9
r19674 | Bug #54995: uncommitted patch for Bug #54014
r19675 | Bug #54995: uncommitted patch for Bug #54014
r19676 | Bug #54995: New upsteam patches
r19677 | patch merged by repo-ng - from ldb/4.4-0-0-ucs/2:1.5.8-1-errata4.4-9 to ldb/4.4-0-0-ucs/2:1.5.9-1-errata4.4-9
r19678 | Bug #54995: Activate uncommitted patch for Bug #54014
r19679 | Bug #54995: Adjust patch to updated source package version
r19680 | Bug #54995: add hex_byte from original patch for Bug #54014
r19681 | Bug #54995: update symbols
r19682 | Bug #54995: update symbols
r19683 | Bug #54995: update symbols

Package: ldb
Version: 2:1.5.9-1A~4.4.0.202207251715
Branch: ucs_4.4-0
Scope: errata4.4-9

* repo_admin.py --cherrypick --release 4.4-0 --source errata4.4-8 --releasedest 4.4-0 --dest errata4.4-9 --package samba

r19672 | patch merged by repo-ng - from samba/4.4-0-0-ucs/2:4.10.18-1-errata4.4-8 to samba/4.4-0-0-ucs/2:4.10.18-1-errata4.4-9
r19684 | remove renamed patches
r19685 | upstream backport: kpasswd_bugs_v15_4-10.patch
r19686 | upstream backport: CVE-2022-32745-ldb-memory-bug-4.10.patch
r19687 | upstream patch
r19688 | Bug #54995: adjust patch to 34_samba_dns_tomstone.quilt

Package: samba
Version: 2:4.10.18-1A~4.4.0.202207251743
Branch: ucs_4.4-0
Scope: errata4.4-9

I've also rebuilt univention-ldb-modules:

Package: univention-ldb-modules
Version: 7.0.0-8A~4.4.0.202207251806
Branch: ucs_4.4-0
Scope: errata4.4-9

01d46f313f | Advisories
After updating samba on a 4.4-9 server, the following error appears, and not all samba services are started correctly.

univention-s4search fails with
Failed to connect to ldap URL 'ldaps://ucsmaster.mydomain.intranet' - LDAP client internal error: NT_STATUS_CONNECTION_REFUSED

log:
==> /var/log/samba/log.samba <==
[2022/07/25 19:55:40.574160, 0, pid=5066] ../../source4/smbd/server.c:587(binary_smbd_main)
  samba version 4.10.18-Univention started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2022/07/25 19:55:40.958563, 0, pid=5067] ../../source4/smbd/server.c:773(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2022/07/25 19:55:40.969947, 0, pid=5067] ../../source4/smbd/service.c:108(server_service_startup)
  server_service_startup: Failed to start service 'kdc' - NT_STATUS_INVALID_SYSTEM_SERVICE
[2022/07/25 19:55:40.973103, 0, pid=5067] ../../lib/util/become_daemon.c:122(exit_daemon)
  exit_daemon: daemon failed to start: Samba failed to start services, error code -1073741796
root@master60:~# ldd /usr/lib/x86_64-linux-gnu/samba/service/kdc.so | grep libgensec
    libgensec_module_krb5.so => not found
    libgensec.so.0 => /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0 (0x00007f2595790000)

It works if I "cp ./bin/default/source4/auth/gensec/libgensec_module_krb5.inst.so /usr/lib/x86_64-linux-gnu/samba/libgensec_module_krb5.so" from a locally compiled build.

OTOH with the updated Samba 4.16.2 this dependency is not there.
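
A packaging check for the failure described in the comment above, where kdc.so was shipped with an unresolved libgensec_module_krb5.so dependency. This is an added example, not part of the bug report or of Univention's tooling; the function names are hypothetical and the sample input is the ldd output quoted above.

```shell
#!/bin/sh
# Added example: flag service modules whose shared-library dependencies
# cannot be resolved by the dynamic loader, before the package is released.

# unresolved_deps (hypothetical helper): read `ldd` output on stdin and
# print the soname of every dependency reported as "not found".
unresolved_deps() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# check_modules DIR (hypothetical helper): run ldd on every *.so in DIR.
# Prints one line per broken module and returns 1 if any was found.
check_modules() {
    dir=$1
    rc=0
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue          # directory without modules
        missing=$(ldd "$so" 2>/dev/null | unresolved_deps)
        if [ -n "$missing" ]; then
            # join the sonames onto one line for the report
            printf '%s: unresolved: %s\n' "$so" "$(echo $missing)"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the two ldd lines from the comment above.
SAMPLE_LDD='    libgensec_module_krb5.so => not found
    libgensec.so.0 => /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0 (0x00007f2595790000)'
```

Running `check_modules /usr/lib/x86_64-linux-gnu/samba/service` on a test installation of the built package would report kdc.so before the services fail to start.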
Temporary workaround to obtain test results while we discuss a proper solution with upstream:

r19689 | Workaround for waf not installing the dependency of the kdc.so service library
r19690 | fix patch
r19691 | fix patch

Package: samba
Version: 2:4.10.18-1A~4.4.0.202207261324
Branch: ucs_4.4-0
Scope: errata4.4-9

Advisory will be updated later anyway.
QA results so far:

OK: adapted backported patches
* 98_CVE-2022-2031+32744-backport-for-4.10.quilt
* 98_CVE-2022-32742.quilt
* 98_CVE-2022-32745+32746.quilt
OK: Workaround patch for so file

samba 2:4.10.18-1A~4.4.0.202207261324
ldb 2:1.5.9-1A~4.4.0.202207251715
univention-ldb-modules 7.0.0-8A~4.4.0.202207251806
fcfb7cf8c4 | Advisories
71c8444a88 | Fix for Advisory
OK: errata-announce -V --only samba.yaml
OK: samba.yaml
OK: errata-announce -V --only ldb.yaml
OK: ldb.yaml
OK: errata-announce -V --only univention-ldb-modules.yaml
OK: univention-ldb-modules.yaml

IGN: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/Installation%20Tests/lastCompletedBuild/mode=ad-member/testReport/00_checks/01_univention_system_check/master/
OK: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/ADMemberMultiEnv/lastCompletedBuild/testReport/
OK: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoinReleased/lastCompletedBuild/testReport/
OK: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestJoin/lastCompletedBuild/testReport/
IGN: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-9/job/AutotestUpgrade/lastCompletedBuild/testReport/

OK: dpkg-query -W python\*-samba samba\* libunivention-ldb-modules\* ldb-tools libldb\* python\*-ldb
OK: univention-app install samba4
OK: univention-run-diagnostic-checks
OK: systemctl status
OK: less /var/log/samba/log.*
<https://errata.software-univention.de/#/?erratum=4.4x1273>
<https://errata.software-univention.de/#/?erratum=4.4x1274>
<https://errata.software-univention.de/#/?erratum=4.4x1275>