Samba4 broken since Upgrade 4.0.6 to 4.0.14
Marc Muehlfeld
samba at marc-muehlfeld.de
Wed Jan 29 12:24:02 MST 2014
Hello Christian,
On 29.01.2014 13:18, Christian Vielhauer wrote:
> Before the upgrade I was able to do wbinfo -u and get all users.
> In ps ax there were some samba -D processes...
> Now after the upgrade I was able to start using the init script by "start samba", but just one samba -D process is running and two smbd processes "/usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground".
My guess is, you hit this security fix:
http://www.samba.org/samba/history/samba-4.0.11.html
CVE-2013-4476:
In setups which provide ldap(s) and/or https services, the private
key for SSL/TLS encryption might be world readable. This typically
happens in active directory domain controller setups.
Check your Samba logs for (this will appear in your log.%m, if you hit
this):
[2014/01/29 20:19:14.836873, 0, pid=4311]
../lib/util/util.c:161(file_check_permissions)
invalid permissions on file '/usr/local/samba/private/tls/key.pem':
has 0644 should be 0600
[2014/01/29 20:19:14.843206, 0, pid=4311]
../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
Invalid permissions on TLS private key file
'/usr/local/samba/private/tls/key.pem':
owner uid 0 should be 0, mode 0644 should be 0600
This is known as CVE-2013-4476.
Removing all tls .pem files will cause an auto-regeneration with the
correct permissions.
And to fix it, simply set the mode of your key.pem to 600 and restart Samba.
Regards,
Marc
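The check described in the reply above, as an added example that is not part of the original post or of Samba: it pulls key paths out of "invalid permissions on file" log lines and verifies that each one is now mode 600. The function names and the throwaway demo files are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit TLS keys that a Samba log flags with the
# "invalid permissions on file" message quoted in the post.

# Print each distinct path named in such a log line.
keys_from_log() {
    sed -n "s/.*[Ii]nvalid permissions on file '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Succeed only if the file exists and its mode is exactly 600.
key_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat (assumption: Linux host)
    [ "$mode" = "600" ]
}

# Report every flagged key; return 1 if any is still not mode 600.
audit_log() {
    rc=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue            # log had no matching lines
        if key_mode_ok "$key"; then
            echo "OK   $key"
        else
            echo "BAD  $key (expected mode 0600)"
            rc=1
        fi
    done <<EOF
$(keys_from_log "$1")
EOF
    return "$rc"
}

# Demo on constructed input: a throwaway key with the 0644 mode from the log.
demo=$(mktemp -d)
: > "$demo/key.pem"
chmod 644 "$demo/key.pem"
printf "  invalid permissions on file '%s':\n  has 0644 should be 0600\n" \
    "$demo/key.pem" > "$demo/log.samba"
audit_log "$demo/log.samba" || echo "fix: chmod 600 the key and restart Samba"
rm -rf "$demo"
```

On a real host, call audit_log with the path of the log.%m file that contains the message.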