Ubuntu
samba package

Merge ~kstenerud/ubuntu/+source/samba:bionic-samba-eexist-1801227 into ubuntu/+source/samba:ubuntu/bionic-devel

  1. Git
  2. lp:~kstenerud/ubuntu/+source/samba
  3. bionic-samba-eexist-1801227
  4. Merge into ubuntu/bionic-devel
Proposed by Karl Stenerud
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 4f81d752ad1daac7575255baba1721358d5fa52e
Merge reported by: Andreas Hasenack
Merged at revision: 4f81d752ad1daac7575255baba1721358d5fa52e
Proposed branch: ~kstenerud/ubuntu/+source/samba:bionic-samba-eexist-1801227
Merge into: ubuntu/+source/samba:ubuntu/bionic-devel
Diff against target: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/auth-fail-eexist.diff (+32/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
Review via email: mp+359602@code.launchpad.net

Description of the change

This upstream patch fixes a regression in Samba 4.7, where the server responds with EEXISTS rather than EACCESS or EPERM on a failed login (or attempt to use guest access on a protected resource), resulting in confusing error messages to the user.

PPA: https://launchpad.net/~kstenerud/+archive/ubuntu/bionic-samba-eexist-3-1801227

Steps to test:

# lxc launch ubuntu:bionic tester && lxc exec tester bash
# apt update && apt dist-upgrade -y && apt install -y samba gvfs libglib2.0-bin gvfs-bin gvfs-backends dbus-x11 &&
echo "
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
[test]
    path = /tmp
    browseable = yes
    read only = yes
    valid users = someone
" >/etc/samba/smb.conf &&
service smbd restart
# su - -c "dbus-launch gio mount -a smb://localhost/test" ubuntu
gio: smb://localhost/test/: Failed to mount Windows share: File exists

# add-apt-repository -y ppa:kstenerud/bionic-samba-eexist-3-1801227 && apt update && apt dist-upgrade -y
# su - -c "dbus-launch gio mount -a smb://localhost/test" ubuntu
gio: smb://localhost/test/: Anonymous access denied

To post a comment you must log in.
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

n/f, comments inline

review: Needs Fixing
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

You also need to rebase, as the security team issued a security release which took over your ubuntu2.5 version.

review: Needs Fixing
Revision history for this message
Karl Stenerud (kstenerud) wrote :

Rebased and updated to have dep3 header, version ubuntu2.6.

Revision history for this message
Andreas Hasenack (ahasenack) :
Revision history for this message
Karl Stenerud (kstenerud) wrote :

Whoops. I updated it in one place only. Now updated in both.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, looks good now. I created a bileto ticket to check the dep8 tests on all arches: https://bileto.ubuntu.com/#/ticket/3544

I'm handling that bit, but you are welcome to monitor it as well. Once it's done and we are satisfied with the results (should take a few hours), I'll sponsor 4f81d752ad1daac7575255baba1721358d5fa52e

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The tests completed fine (https://bileto.ubuntu.com/excuses/3544/bionic.html) Just one red on a test that commonly fails and can be retried.

Can you confirm the hash you want sponsored please?

Revision history for this message
Karl Stenerud (kstenerud) wrote :

YEs, please sponsor 4f81d752ad1daac7575255baba1721358d5fa52e

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded.

Revision history for this message
Andreas Hasenack (ahasenack) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 572262e..2a821f6 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.6) bionic; urgency=medium
7+
8+ * d/p/auth-fail-eexist.diff: smbc_opendir should not return EEXIST with
9+ invalid login credentials. Thanks to David Mulder. (LP: #1801227)
10+
11+ -- Karl Stenerud <karl.stenerud@canonical.com> Fri, 23 Nov 2018 15:58:41 +0100
12+
13 samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.5) bionic-security; urgency=medium
14
15 * SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
16diff --git a/debian/patches/auth-fail-eexist.diff b/debian/patches/auth-fail-eexist.diff
17new file mode 100644
18index 0000000..3107250
19--- /dev/null
20+++ b/debian/patches/auth-fail-eexist.diff
21@@ -0,0 +1,32 @@
22+Description: smbc_opendir should not return EEXIST with invalid login credentials.
23+Author: David Mulder <dmulder@suse.com>
24+Origin: upstream, https://github.com/samba-team/samba/commit/7470b9b18af282a742929d3fc90f4be5520428a1
25+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13050
26+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/samba/+bug/1801227
27+Last-Update: 2018-11-28
28+---
29+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
30+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
31+index 2d41f2fac..e6067be20 100644
32+--- a/source3/libsmb/libsmb_server.c
33++++ b/source3/libsmb/libsmb_server.c
34+@@ -360,8 +360,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
35+ "?????",
36+ *pp_password);
37+ if (!NT_STATUS_IS_OK(status)) {
38+- errno = map_errno_from_nt_status(status);
39+ cli_shutdown(srv->cli);
40++ errno = map_errno_from_nt_status(status);
41+ srv->cli = NULL;
42+ smbc_getFunctionRemoveCachedServer(context)(context,
43+ srv);
44+@@ -571,8 +571,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
45+
46+ status = cli_tree_connect_creds(c, share, "?????", creds);
47+ if (!NT_STATUS_IS_OK(status)) {
48+- errno = map_errno_from_nt_status(status);
49+ cli_shutdown(c);
50++ errno = map_errno_from_nt_status(status);
51+ return NULL;
52+ }
53+
54diff --git a/debian/patches/series b/debian/patches/series
55index 659a49f..288dfdf 100644
56--- a/debian/patches/series
57+++ b/debian/patches/series
58@@ -37,3 +37,4 @@ CVE-2018-14629.patch
59 CVE-2018-16841-1.patch
60 CVE-2018-16841-2.patch
61 CVE-2018-16851.patch
62+auth-fail-eexist.diff

Subscribers

People subscribed via source and target branches