Samba4 update

Rowland Penny repenny241155 at gmail.com
Sun Mar 2 06:01:33 MST 2014


On 02/03/14 11:03, Zbigniew Góra wrote:
> Hello everyone,
>
> My colleagues noticed a problem with the Samba4 update.
>
> from 4.0.9 to 4.1.0 --> working
> from 4.0.9 to 4.1.5 --> not working
> from 4.1.0 --> 4.1.4 --> not working
> from 4.1.4 --> 4.1.5 --> working.
>
> There is the log 4.0.9 to 4.1.5:
>
> [2014/03/01 09:48:31.459388,  0]
> ../source4/smbd/server.c:370(binary_smbd_main)
>    samba version 4.1.5 started.
>    Copyright Andrew Tridgell and the Samba Team 1992-2013
> [2014/03/01 09:48:31.709838,  0]
> ../source4/smbd/server.c:492(binary_smbd_main)
>    samba: using 'standard' process model
> [2014/03/01 09:48:31.754685,  0]
> ../lib/util/util.c:161(file_check_permissions)
>    invalid permissions on file '/usr/local/samba/private/tls/key.pem': has
> 0644 should be 0600
> [2014/03/01 09:48:31.770875,  0]
> ../source4/lib/tls/tls_tstream.c:1125(tstream_tls_params_server)
>    Invalid permissions on TLS private key file
> '/usr/local/samba/private/tls/key.pem':
>    owner uid 0 should be 0, mode 0644 should be 0600
>    This is known as CVE-2013-4476.
>    Removing all tls .pem files will cause an auto-regeneration with the
> correct permissions.
> [2014/03/01 09:48:31.771416,  0]
> ../source4/ldap_server/ldap_server.c:940(ldapsrv_task_init)
>    ldapsrv failed tstream_tls_params_server -
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> [2014/03/01 09:48:31.771626,  0]
> ../source4/smbd/service_task.c:35(task_server_terminate)
>    task_server_terminate: [Failed to startup ldap server task]
> [2014/03/01 09:48:31.797471,  0]
> ../source4/smbd/server.c:211(samba_terminate)
>    samba_terminate: Failed to startup ldap server task
>
> Could you say something about this?
>
> Regards,
> ___________
> Zbyszek Góra
Hi, if you read what YOU posted, it actually says it all, removing the 
cruft leaves:

   invalid permissions on file '/usr/local/samba/private/tls/key.pem': 
has 0644 should be 0600
   Invalid permissions on TLS private key file 
'/usr/local/samba/private/tls/key.pem': owner uid 0 should be 0, mode 
0644 should be 0600
   This is known as CVE-2013-4476.
   Removing all tls .pem files will cause an auto-regeneration with the 
correct permissions.

So, do what it says, delete /usr/local/samba/private/tls/key.pem and try 
again.

Rowland
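
The check the log above describes (private key owned by the expected uid, mode exactly 0600), as an added Python example that is not part of the original thread and is not Samba's own code. The function names and the use of lstat are assumptions of this example, and the key file is a constructed placeholder in a temporary directory.

```python
import os
import stat
import tempfile

REQUIRED_MODE = 0o600  # mode the log says key.pem must have


def check_key_file(path, expected_uid):
    """Return a list of problems for one private key file (empty list = OK)."""
    try:
        st = os.lstat(path)  # assumption: judge the path itself, not a symlink target
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid} should be {expected_uid}")
    mode = stat.S_IMODE(st.st_mode) & 0o777
    if mode != REQUIRED_MODE:
        problems.append(f"mode {mode:04o} should be {REQUIRED_MODE:04o}")
    return problems


def audit_tls_dir(tls_dir, expected_uid, key_names=("key.pem",)):
    """Map each key file name in tls_dir to its list of problems."""
    return {name: check_key_file(os.path.join(tls_dir, name), expected_uid)
            for name in key_names}


def demo():
    """Constructed sample: a 0644 key, then the same name recreated as 0600."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "key.pem")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o644)  # the state reported in the log
        before = audit_tls_dir(d, os.getuid())
        # Remove and recreate, as the log message advises; the mode is set
        # at creation time so the file is never world-readable.
        os.remove(key)
        fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        after = audit_tls_dir(d, os.getuid())
    return before, after


if __name__ == "__main__":
    print(demo())
```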


