[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)

Arnaud FLORENT aflorent at iris-tech.fr
Wed Apr 29 15:16:59 UTC 2020


The fixed version has been released by Ubuntu.

On 29/04/2020 at 11:41, Andrew Bartlett via samba wrote:
> On Wed, 2020-04-29 at 21:10 +1200, Andrew Bartlett via samba wrote:
>> On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
>>> On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
>>>> Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
>>>>
>>>> LDAP request size (81) exceeds (0)
>>>>
>>>> samba-tool outputs the following when run:
>>>>
>>>> Unknown parameter encountered: "ldap max anonymous request size"
>>>> Ignoring unknown parameter "ldap max anonymous request size"
>>>> Unknown parameter encountered: "ldap max authenticated request size"
>>>> Ignoring unknown parameter "ldap max authenticated request size"
>>>> Unknown parameter encountered: "ldap max search request size"
>>>> Ignoring unknown parameter "ldap max search request size"
>>>>
>>>> These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
>>>>
>>>> Any workaround for this old version?
>>>>
>>>> thanks
>>>>
>>>>
>>>> https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
>>>>
>>> If you are having problems with this on 4.3.11, then you need to raise a
>>> bug report to Ubuntu.
>>>
>>> Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have
>>> backported these to 4.3.11
>> Rowland is correct here.
>>
>> From the description this looks like an untested backport.
> In their defence, since 10374dde0f9d2e13496198b90c0c6e592bfef86c in
> Samba 4.4, smb.conf generation has been entirely automated, but for
> Samba 4.3 the param_table in lib/param/param_table.c still needed to be
> filled in.
>
> So it would not have been obvious that the patch wasn't complete.
>
> I've CC'ed Marc as the Ubuntu developer in the changelog.
>
> Andrew Bartlett

-- 
Arnaud FLORENT
IRIS Technologies
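
A triage check for the symptom reported in this thread, added here as an example and not part of the original messages or of Samba's or Ubuntu's code: it scans samba-tool and log output for the three unrecognised parameters together with a request rejected against a limit of 0. The function name `triage`, the result keys and the last sample line (a constructed rejection against a non-zero limit) are assumptions made for illustration.

```python
import re

# The three parameters named in the thread's samba-tool output.
LDAP_SIZE_PARAMS = (
    "ldap max anonymous request size",
    "ldap max authenticated request size",
    "ldap max search request size",
)

UNKNOWN_RE = re.compile(r'Unknown parameter encountered: "([^"]+)"')
REJECT_RE = re.compile(r"LDAP request size \((\d+)\) exceeds \((\d+)\)")

# Sample input: the lines quoted in the thread, plus one constructed line
# showing an ordinary rejection against a non-zero limit for contrast.
SAMPLE = [
    "LDAP request size (81) exceeds (0)",
    'Unknown parameter encountered: "ldap max anonymous request size"',
    'Ignoring unknown parameter "ldap max anonymous request size"',
    'Unknown parameter encountered: "ldap max authenticated request size"',
    'Unknown parameter encountered: "ldap max search request size"',
    "LDAP request size (300000) exceeds (256000)",  # constructed
]


def triage(lines):
    """Classify samba-tool / log lines for the incomplete-backport symptom."""
    unknown = set()
    rejections = []  # (request_size, limit) pairs
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m and m.group(1).lower() in LDAP_SIZE_PARAMS:
            unknown.add(m.group(1).lower())
        m = REJECT_RE.search(line)
        if m:
            rejections.append((int(m.group(1)), int(m.group(2))))
    zero_limit = [r for r in rejections if r[1] == 0]
    return {
        "unregistered_params": sorted(unknown),
        "rejections": rejections,
        "zero_limit_rejections": zero_limit,
        # Both symptoms together match the report: a size limit is enforced
        # while the parameters that should set it are not recognised.
        "incomplete_backport_suspected": bool(unknown) and bool(zero_limit),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A rejection against a non-zero limit on its own is not flagged, since that is the size check working as configured.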



