[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)

Andrew Bartlett abartlet at samba.org
Wed Apr 29 09:41:49 UTC 2020


On Wed, 2020-04-29 at 21:10 +1200, Andrew Bartlett via samba wrote:
> On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
> > On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
> > > Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
> > > 
> > > LDAP request size (81) exceeds (0)
> > > 
> > > samba-tool outputs the following when run:
> > > 
> > > Unknown parameter encountered: "ldap max anonymous request size"
> > > Ignoring unknown parameter "ldap max anonymous request size"
> > > Unknown parameter encountered: "ldap max authenticated request size"
> > > Ignoring unknown parameter "ldap max authenticated request size"
> > > Unknown parameter encountered: "ldap max search request size"
> > > Ignoring unknown parameter "ldap max search request size"
> > > 
> > > These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
> > > 
> > > Any workaround for this old version?
> > > 
> > > thanks
> > > 
> > > 
> > > https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
> > > 
> > If you are having problems with this on 4.3.11, then you need to raise a 
> > bug report to Ubuntu.
> > 
> > Samba has provided patches for 4.10, 4.11 and 4.12; Ubuntu must have 
> > backported these to 4.3.11.
> 
> Rowland is correct here.  
> 
> From the description this looks like an untested backport.

In their defence, since 10374dde0f9d2e13496198b90c0c6e592bfef86c in
Samba 4.4, smb.conf generation has been entirely automated, but for
Samba 4.3 the param_table in lib/param/param_table.c still needed to be
filled in.

So it would not have been obvious that the patch wasn't complete.

I've CC'ed Marc, as the Ubuntu developer in the changelog.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
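
A triage check for the two symptoms reported in this thread, as an added example that is not part of the original messages and is not Samba or Ubuntu code: it scans collected samba-tool and log output for the three unrecognised request-size parameters and for LDAP requests rejected against a limit of 0. The function name, the result keys and the last sample line are constructed for illustration.

```python
import re

# The three parameters named in the warnings quoted in this thread.
REQUEST_SIZE_PARAMS = {
    "ldap max anonymous request size",
    "ldap max authenticated request size",
    "ldap max search request size",
}

# Message formats exactly as quoted in the thread.
UNKNOWN_RE = re.compile(r'Unknown parameter encountered: "([^"]+)"')
LIMIT_RE = re.compile(r"LDAP request size \((\d+)\) exceeds \((\d+)\)")


def diagnose(lines):
    """Hypothetical helper: correlate both symptoms across collected output."""
    unknown = set()
    zero_limit_sizes = []
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m and m.group(1).lower() in REQUEST_SIZE_PARAMS:
            unknown.add(m.group(1).lower())
        m = LIMIT_RE.search(line)
        # Only a limit of 0 matches the report; a non-zero limit is a
        # genuinely oversized request and is not counted here.
        if m and int(m.group(2)) == 0:
            zero_limit_sizes.append(int(m.group(1)))
    return {
        "unrecognised_params": sorted(unknown),
        "zero_limit_rejections": zero_limit_sizes,
        # Both symptoms together match the situation described in the thread.
        "incomplete_backport_suspected": bool(unknown) and bool(zero_limit_sizes),
    }


# Sample input: the first four lines are quoted from the thread, the last one
# is constructed to show a rejection against a non-zero limit.
SAMPLE = [
    "LDAP request size (81) exceeds (0)",
    'Unknown parameter encountered: "ldap max anonymous request size"',
    'Unknown parameter encountered: "ldap max authenticated request size"',
    'Unknown parameter encountered: "ldap max search request size"',
    "LDAP request size (300000) exceeds (256000)",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```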
