Samba4 broken since Upgrade 4.0.6 to 4.0.14

Andrew Bartlett abartlet at samba.org
Wed Jan 29 12:36:59 MST 2014


On Wed, 2014-01-29 at 20:24 +0100, Marc Muehlfeld wrote:
> Hello Christian,
> 
> Am 29.01.2014 13:18, schrieb Christian Vielhauer:
> > Before the upgrade I was able to do wbinfo -u and get all users.
> > In ps ax there were some samba -D processes...
> > Now after the upgrade I was able to start using the init script by "start samba", but just one samba -D process is running and two smbd processes "/usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground".
> 
> My guess is, you hit this security fix:
> http://www.samba.org/samba/history/samba-4.0.11.html
> 
> CVE-2013-4476:
>     In setups which provide ldap(s) and/or https services, the private
>     key for SSL/TLS encryption might be world readable. This typically
>     happens in active directory domain controller setups.
> 
> Check your Samba logs for (this will appear in your log.%m, if you hit this):
> [2014/01/29 20:19:14.836873,  0, pid=4311] ../lib/util/util.c:161(file_check_permissions)
>    invalid permissions on file '/usr/local/samba/private/tls/key.pem': has 0644 should be 0600
> [2014/01/29 20:19:14.843206,  0, pid=4311] ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>    Invalid permissions on TLS private key file '/usr/local/samba/private/tls/key.pem':
>    owner uid 0 should be 0, mode 0644 should be 0600
>    This is known as CVE-2013-4476.
>    Removing all tls .pem files will cause an auto-regeneration with the correct permissions.
> 
> 
> And to fix it, simply set the mode of your key.pem to 600 and restart Samba.

NO.  NO.  NO.  To fix it, read the message above, that's why we printed
it.  Remove the .pem files and let Samba re-generate them, as they have
been exposed!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
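The check from the log above and the remediation Andrew insists on, as an added shell example that is not Samba's own code: it reproduces the owner/mode test on the TLS key file, using GNU `stat -c` (an assumption) with the key path and expected owner uid as parameters, and reports a failing key as disclosed rather than as something to chmod.

```shell
#!/bin/sh
# Added example, not Samba's own code: a pre-flight audit that mirrors the
# permission check Samba 4.0.11+ applies to its TLS private key (CVE-2013-4476).
# Assumptions: GNU coreutils `stat -c`; the key path and the expected owner uid
# are parameters. Samba itself requires the key (by default
# /usr/local/samba/private/tls/key.pem) to be owned by root (uid 0), mode 0600.

# check_tls_key FILE [EXPECTED_UID]
# Returns 0 if FILE has the required owner and mode, 1 if it is exposed
# (wrong owner or mode), 2 if it does not exist.
check_tls_key() {
    file=$1
    want_uid=${2:-0}

    if [ ! -f "$file" ]; then
        echo "missing: $file (Samba generates a fresh key on start)"
        return 2
    fi

    # "%u %a" -> numeric owner uid and octal permission bits, e.g. "0 644"
    set -- $(stat -c '%u %a' "$file")
    uid=$1
    mode=$2

    if [ "$uid" != "$want_uid" ] || [ "$mode" != "600" ]; then
        echo "EXPOSED: $file owner uid $uid should be $want_uid," \
             "mode 0$mode should be 0600"
        # A world-readable private key must be treated as disclosed: chmod
        # only hides it from now on. Remove the tls .pem files so Samba
        # regenerates a new key and certificate on the next start.
        return 1
    fi

    echo "ok: $file owner uid $uid mode 0600"
    return 0
}

# Usage: sh tls_key_audit.sh /usr/local/samba/private/tls/key.pem
# (add the expected uid as a second argument if Samba runs unprivileged)
for f in "$@"; do
    check_tls_key "$f"
done
```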
