Bug 593486 - <net-fs/samba-4.3 is EOL
Summary: <net-fs/samba-4.3 is EOL
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-11 10:06 UTC by Daniel Klaffenbach
Modified: 2017-10-05 17:14 UTC
CC: 8 users

See Also:
Package list:
Runtime testing required: ---


Description Daniel Klaffenbach 2016-09-11 10:06:16 UTC
On amd64 the two stable Samba versions are 3.6.x and 4.2.x. Both versions are end of life (see: https://wiki.samba.org/index.php/Samba_Release_Planning), which leaves users with possible security issues.

All currently supported (upstream) stable versions are *hard masked*. Please remove the hard mask from the newer versions. The mask should, however, be applied to the older releases, as they no longer receive any security support.
Comment 1 Torsten Kurbad 2016-09-11 12:09:42 UTC
With Samba 4.5.0 having just been finalized, I absolutely agree with Daniel that we need the newer versions unmasked (and workable).

I know that the reason is the - still not unbundled - Heimdal release the newer Samba releases use.

But since there's been no new Heimdal standalone release since 2012, can we perhaps step away from Gentoo's 'system libs only' policy for this bit?

Thanks,
Torsten
Comment 2 Tomáš Mózes 2016-09-12 04:46:51 UTC
The most you can do is to test the newer packages and provide feedback on them. Just unmasking them will not solve the problem as it probably means that more testing is needed.

Please go ahead, unmask them, test and report back. The more successful stories, the higher chance to stabilize.
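An added example, not part of the bug report and not Gentoo's own tooling: a small POSIX shell script that (a) flags an installed Samba whose major.minor version falls below the 4.3 line the bug title gives as the start of still-supported releases, and (b) writes the package.unmask / package.accept_keywords entries a tester would use to try the masked versions, into a configuration root of the caller's choosing rather than straight into /etc/portage. The threshold comes from the bug title; the `~amd64` keyword and the file names under the config root are assumptions for an amd64 test machine.

```shell
#!/bin/sh
# Added example (not from the bug report or from Gentoo's tooling).
# Threshold: anything below net-fs/samba-4.3 is EOL upstream, per the bug title.

# samba_version_supported VERSION
#   VERSION may be "4.2.14" or the raw "Version 4.2.14" line from `smbd --version`.
#   Returns 0 if major.minor >= 4.3, 1 if it is below (EOL), 2 if unparsable.
samba_version_supported() {
    v=${1#"Version "}            # tolerate raw `smbd --version` output
    major=${v%%.*}
    if [ "$v" = "$major" ]; then
        minor=0                  # bare "4" means 4.0
    else
        rest=${v#*.}
        minor=${rest%%.*}
    fi
    case "$major$minor" in
        ""|*[!0-9]*) return 2 ;; # not a numeric major.minor
    esac
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 3 ]; then return 0; fi
    return 1
}

# write_unmask_entries CONFIG_ROOT
#   Writes the entries a tester needs to emerge the masked >=4.3 ebuilds.
#   CONFIG_ROOT stands in for /etc/portage so the step can be rehearsed safely;
#   the ~amd64 keyword is an assumption for an amd64 test machine.
write_unmask_entries() {
    root=${1:?config root required}
    mkdir -p "$root/package.unmask" "$root/package.accept_keywords"
    printf '%s\n' '>=net-fs/samba-4.3.0' > "$root/package.unmask/samba"
    printf '%s\n' 'net-fs/samba ~amd64' > "$root/package.accept_keywords/samba"
}

# Stand-alone run: classify a few constructed version strings, then write the
# entries into a scratch directory and show them.
for ver in "Version 4.2.14" "3.6.25" "4.5.2"; do
    if samba_version_supported "$ver"; then
        echo "$ver: supported line"
    else
        echo "$ver: below 4.3, EOL upstream"
    fi
done
demo=$(mktemp -d)
write_unmask_entries "$demo"
cat "$demo/package.unmask/samba" "$demo/package.accept_keywords/samba"
```

The version check only looks at major.minor because that is the granularity at which upstream declares a release series EOL; point releases within a supported series are left to the package manager. Pointing `write_unmask_entries` at the real `/etc/portage` is the tester's decision, which is why the path is a required argument rather than a default.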
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-12 09:27:52 UTC
You can get security issues addressed by addressing the Security Team.
Comment 4 Torsten Kurbad 2016-09-13 15:11:32 UTC
(In reply to Tomáš Mózes from comment #2)
> Please go ahead, unmask them, test and report back. The more successful
> stories, the higher chance to stabilize.

Tomáš, there can't be success here. The masked ebuilds just won't work because no new enough version of Heimdal has been released/is in portage to accommodate certain features for Samba >=4.3.0. There are experimental Heimdal ebuilds in some overlays, but I feel uncomfortable with the thought of having an unstable Kerberos implementation at the heart of my system.

At the bottom line, in my opinion the options are:

a) Wait another X months/years until Heimdal 1.6 has officially left RC state and can be used without concern on a production system.

b) Use the latest release candidate or even git build of Heimdal just to satisfy Samba, while potentially opening security holes and/or incompatibilities to other kerberized software in the system.

c) (My preferred one): Change the >=net-fs/samba-4.3.0 ebuilds to use the Heimdal that comes bundled with Samba just for samba, while leaving the system Heimdal as it is. Only AFTER this rewrite invite testers and in case of success stories unmask the >=net-fs/samba-4.3.0 ebuilds and mark them with ~* keywords for the archs where success has been reported.

Just my 2 cents,
Torsten
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2016-09-13 15:23:27 UTC
(In reply to Torsten Kurbad from comment #4)
> a) Wait another X months/years until Heimdal 1.6 officially left RC state
> and can be used without concern on a production system.
> 
> b) Use the latest release candidate or even git build of Heimdal just to
> satisfy Samba, while potentially opening security holes and/or
> incompatibilities to other kerberized software in the system.
> 
> c) (My preferred one): Change the >=net-fs/samba-4.3.0 ebuilds to use the
> Heimdal that comes bundled with Samba just for samba, while leaving the
> system Heimdal as it is. Only AFTER this rewrite invite testers and in case
> of success stories unmask the >=net-fs/samba-4.3.0 ebuilds and mark them
> with ~* keywords for the archs where success has been reported.


d) drop heimdal support for mit-krb5 in production -- is that a possibility here?  I don't like removing choice, especially since heimdal is iirc the upstream preferred choice, but if it's the only one that works....
Comment 6 Torsten Kurbad 2016-09-13 15:33:48 UTC
(In reply to Ian Stakenvicius from comment #5)

> d) drop heimdal support for mit-krb5 in production -- is that a possibility
> here?  I don't like removing choice, especially since heimdal is iirc the
> upstream preferred choice, but if it's the only one that works....

Correct me if I'm wrong, but doesn't this only work if you don't want Samba to act as an Active Directory controller? The AD server code still demands Heimdal (to my knowledge).

On a side note, I'd be fine with dropping Heimdal since I don't need the AD stuff. But I could imagine some users wouldn't be so happy with that choice.
Comment 7 Austin S. Hemmelgarn 2016-10-05 14:20:04 UTC
Yes, AD support does require Heimdal, although it's not like it works correctly and reliably in Samba 4.2 on Gentoo right now anyway without quite a large number of workarounds.

Regardless, this needs to get properly resolved somehow, and I'm personally in favor of option C. The fact that the only way to get a current version of such a widely used piece of core-infrastructure software on Gentoo is to manually build it locally is not good for multiple reasons.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-10-07 08:17:04 UTC
*** Bug 596418 has been marked as a duplicate of this bug. ***
Comment 9 Austin S. Hemmelgarn 2016-12-20 18:29:55 UTC
For anyone who's interested, I've got an ebuild for net-fs/samba-4.5.2 in my overlay at https://github.com/Ferroin/ahferroin7-overlay that uses the bundled version of heimdal and removes the system-mitkrb5 USE flag (because I'm way too lazy to figure out why trying to build with that is failing on my systems).  I've not been able to do much testing yet, but it builds fine on 64-bit x86, and doesn't break any other packages.  The build takes longer, and the package size went up some, but other than that things seem pretty much fine.  What limited testing I've done (standalone (no domain) client stuff only) seems to indicate things are working.
Comment 10 Stefan G. Weichinger 2017-01-04 23:01:44 UTC
could I get some status message here?

I have to decide asap if to migrate to samba-based AD on gentoo servers here and the fact that 4.2.x is still *unstable* in gentoo while it is EOL upstream makes me feel scared a bit :-)
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-01-05 01:15:38 UTC
(In reply to Stefan G. Weichinger from comment #10)
> could I get some status message here?
> 
> I have to decide asap if to migrate to samba-based AD on gentoo servers here
> and the fact that 4.2.x is still *unstable* in gentoo while it is EOL
> upstream makes me feel scared a bit :-)

4.2.x is marked stable on Gentoo.

Regarding 4.3.x: See https://bugs.gentoo.org/show_bug.cgi?id=588262#c3 ... help/patches appreciated.
Comment 12 Stefan G. Weichinger 2017-01-05 09:48:29 UTC
4.2.11 stable, 4.2.14 unstable .. I meant "some sub-release of 4.2 still unstable". Anyway. Upstream released 4.6-rcX already.

I pointed the samba-ml to the mentioned bug report, maybe gentoo could get useful upstream support from the samba team?
Comment 13 Stefan G. Weichinger 2017-01-05 10:02:07 UTC
Andrew Bartlett from the Samba team replied:

"In Debian we re-bundled heimdal.  Samba is only known to work and is
only tested with the bundled copy.  The semi-private interfaces we use
with the KDC have skewed and we rely on specific patches to be applied
on the Heimdal side.

The work to have Heimdal updated in Samba, so we can then port out the
last few patches and unbundle it remains uncompleted.  The port to MIT
kerberos is ongoing, but also not complete."

So the way to go right now seems (c) use the bundled version.

See

https://lists.samba.org/archive/samba/2017-January/205738.html

for reference and follow-ups on the samba-ml.
Comment 14 Andrea Bartoli 2017-01-13 11:15:30 UTC
Unmasked 4.5.3. No issue at the moment.
Issues I have with stable samba4* versions.

(smb occupies all the CPU when unsuccessfully trying to print)
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 17:14:01 UTC
New versions from samba are stable in the tree and other security bugs are being handled on their respective reports.

Gentoo Security Padawan
ChrisADR