Samba4 broken since Upgrade 4.0.6 to 4.0.14

Christian Vielhauer c.vielhauer at me.com
Wed Jan 29 15:28:42 MST 2014


Wow thanks for using the magic crystal ball :-)

I increase the log level more and more and the output gets more unreadable.

With no log level option it appears directly in log %m. But it looks very harmless because it doesn't start with warning or error. 

Because it looks like a change from older to latest version you can add a note after make install ...successfully, or interactively remove/rename these files when they are wrong ;-)

Just an idea 

A lot of thanks 
Regards Chris

> On 29.01.2014 at 21:40, Marc Muehlfeld <samba at marc-muehlfeld.de> wrote:
> 
> On 29.01.2014 20:36, Andrew Bartlett wrote:
>>> Check your Samba logs for (this will appear in your log.%m, if you hit
>>> this):
>>> [2014/01/29 20:19:14.836873,  0, pid=4311]
>>> ../lib/util/util.c:161(file_check_permissions)
>>>    invalid permissions on file '/usr/local/samba/private/tls/key.pem':
>>> has 0644 should be 0600
>>> [2014/01/29 20:19:14.843206,  0, pid=4311]
>>> ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>>>    Invalid permissions on TLS private key file
>>> '/usr/local/samba/private/tls/key.pem':
>>>    owner uid 0 should be 0, mode 0644 should be 0600
>>>    This is known as CVE-2013-4476.
>>>    Removing all tls .pem files will cause an auto-regeneration with the
>>> correct permissions.
>>> 
>>> 
>>> And to fix it, simply set the mode of your key.pem to 600 and restart Samba.
>> 
>> NO.  NO.  NO.  To fix it, read the message above, that's why we printed
>> it.  Remove the .pem files and let Samba re-generate them, as they have
>> been exposed!
> 
> 
> Yes, you are right. Sorry.
> 
> 
> I'd misinterpreted the message that I had the choice:
>  Option 1: Change the mode to 600.
>  Option 2: Let the files re-create with correct permissions.
> 
> 
> Maybe the message could be a bit more explicit, like:
> > It is highly recommended to remove all tls .pem files, as they have
> > been exposed! This will cause an auto-regeneration with the correct
> > permissions.
> 
> 
> This could prevent misinterpretation.
> 
> 
> 
> Regards,
> Marc
> 
> 
> 
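
The check from the quoted log and the remove/rename idea from this thread, as an added shell example (not Samba's code and not written by anyone in the thread). The function names and the quarantine directory beside the tls directory are assumptions; the default path in the usage comment is the one from the log.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Samba.
# Usage: sh audit_tls.sh /usr/local/samba/private/tls [--quarantine]
# Pass the directory without a trailing slash.

# Succeeds (status 0) when DIR/key.pem exists but is NOT mode 0600 owned by the
# invoking user. Run as root to match the "owner uid 0" check in the log.
key_is_exposed() {
    key="$1/key.pem"
    [ -f "$key" ] || return 1          # no key yet: nothing has been exposed
    # find prints the path only for an exact 0600 mode and the expected owner
    [ -z "$(find "$key" -prune -perm 600 -user "$(id -u)")" ]
}

# Move every .pem into a 0700 directory beside DIR and print that directory.
# Assumption: with the .pem files gone, Samba regenerates them on restart, as
# the log message states. chmod alone is no fix: the key was already readable.
quarantine_pems() {
    dir="$1"
    q="$dir.exposed.$(date +%Y%m%d%H%M%S)"
    (umask 077 && mkdir "$q") || return 1
    for f in "$dir"/*.pem; do
        if [ -e "$f" ]; then mv "$f" "$q/"; fi
    done
    echo "$q"
}

audit_tls_dir() {
    if key_is_exposed "$1"; then
        echo "EXPOSED: $1/key.pem is not mode 0600 owned by uid $(id -u)"
        echo "Do not chmod it. Move all .pem files aside and restart Samba."
        return 1
    fi
    echo "OK: $1/key.pem is absent or correctly protected"
}

# Nothing runs without an argument, so the file can also be sourced.
if [ $# -gt 0 ] && ! audit_tls_dir "$1" && [ "${2:-}" = "--quarantine" ]; then
    echo "Moved exposed files to: $(quarantine_pems "$1")"
fi
```

The quarantined key should be treated as compromised and deleted once nothing depends on it.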

