On amd64 the two stable Samba versions are 3.6.x and 4.2.x. Both versions are end of life (see: https://wiki.samba.org/index.php/Samba_Release_Planning), which leaves users with possible security issues.
All currently supported (upstream) stable versions are *hard masked*. Please remove the hard mask from the newer versions. The mask should be applied however to older releases, as they do not receive any security support any more.
With Samba 4.5.0 just having been finalized, I absolutely agree with Daniel that we need the newer versions unmasked (and workable).
I know that the reason is the - still not unbundled - Heimdal release the newer Samba releases use.
But since there's been no new heimdal standalone release since 2012, can we probably step away from Gentoo's 'system libs only' policy for this bit?
The most you can do is to test the newer packages and provide feedback on them. Just unmasking them will not solve the problem as it probably means that more testing is needed.
Please go ahead, unmask them, test and report back. The more successful stories, the higher chance to stabilize.
You can get security issues addressed by addressing the Security Team.
(In reply to Tomáš Mózes from comment #2)
> Please go ahead, unmask them, test and report back. The more successful
> stories, the higher chance to stabilize.
Tomáš, there can't be success here. The masked ebuilds just won't work because no new enough version of Heimdal has been released/is in portage to accommodate certain features for Samba >=4.3.0. There are experimental Heimdal ebuilds in some overlays, but I'm feeling uncomfortable with the thought of having an unstable kerberos implementation at the heart of my system.
At the bottom line, in my opinion the options are:
a) Wait another X months/years until Heimdal 1.6 has officially left RC state and can be used without concern on a production system.
b) Use the latest release candidate or even git build of Heimdal just to satisfy Samba, while potentially opening security holes and/or incompatibilities to other kerberized software in the system.
c) (My preferred one): Change the >=net-fs/samba-4.3.0 ebuilds to use the Heimdal that comes bundled with Samba just for samba, while leaving the system Heimdal as it is. Only AFTER this rewrite invite testers and in case of success stories unmask the >=net-fs/samba-4.3.0 ebuilds and mark them with ~* keywords for the archs where success has been reported.
Just my 2 cents,
(In reply to Torsten Kurbad from comment #4)
> a) Wait another X months/years until Heimdal 1.6 officially left RC state
> and can be used without concern on a production system.
> b) Use the latest release candidate or even git build of Heimdal just to
> satisfy Samba, while potentially opening security holes and/or
> incompatibilities to other kerberized software in the system.
> c) (My preferred one): Change the >=net-fs/samba-4.3.0 ebuilds to use the
> Heimdal that comes bundled with Samba just for samba, while leaving the
> system Heimdal as it is. Only AFTER this rewrite invite testers and in case
> of success stories unmask the >=net-fs/samba-4.3.0 ebuilds and mark them
> with ~* keywords for the archs where success has been reported.
d) drop heimdal support for mit-krb5 in production -- is that a possibility here? I don't like removing choice, especially since heimdal is iirc the upstream preferred choice, but if it's the only one that works....
(In reply to Ian Stakenvicius from comment #5)
> d) drop heimdal support for mit-krb5 in production -- is that a possibility
> here? I don't like removing choice, especially since heimdal is iirc the
> upstream preferred choice, but if it's the only one that works....
Correct me if I'm wrong, but doesn't this only work in case you don't want Samba to act as an Active Directory controller? The AD server code still demands Heimdal (to my knowledge).
On a side note, I'd be fine with dropping Heimdal since I don't need the AD stuff. But I could imagine some users wouldn't be so happy with that choice.
Yes, AD support does require Heimdal, although it's not like it works correctly and reliably in Samba 4.2 on Gentoo right now anyway without quite a large number of workarounds.
Regardless, this needs to get properly resolved somehow, and I'm personally in favor of option (c). The fact that the only way to get a current version of such a widely used piece of core-infrastructure software on Gentoo is to manually build it locally is not good for multiple reasons.
*** Bug 596418 has been marked as a duplicate of this bug. ***
For anyone who's interested, I've got an ebuild for net-fs/samba-4.5.2 in my overlay at https://github.com/Ferroin/ahferroin7-overlay that uses the bundled version of heimdal and removes the system-mitkrb5 USE flag (because I'm way too lazy to figure out why trying to build with that is failing on my systems). I've not been able to do much testing yet, but it builds fine on 64-bit x86, and doesn't break any other packages. The build takes longer, and the package size went up some, but other than that things seem pretty much fine. What limited testing I've done (standalone (no domain) client stuff only) seems to indicate things are working.
Could I get some status message here?
I have to decide asap if to migrate to samba-based AD on gentoo servers here and the fact that 4.2.x is still *unstable* in gentoo while it is EOL upstream makes me feel scared a bit :-)
(In reply to Stefan G. Weichinger from comment #10)
> could I get some status message here?
> I have to decide asap if to migrate to samba-based AD on gentoo servers here
> and the fact that 4.2.x is still *unstable* in gentoo while it is EOL
> upstream makes me feel scared a bit :-)
4.2.x is marked stable on Gentoo.
Regarding 4.3.x: See https://bugs.gentoo.org/show_bug.cgi?id=588262#c3 ... help/patches appreciated.
4.2.11 stable, 4.2.14 unstable... I meant "some sub-release of 4.2 still unstable". Anyway. Upstream released 4.6-rcX already.
I pointed the samba-ml to the mentioned bug report, maybe gentoo could get useful upstream support from the samba team?
Andrew Bartlett from the Samba team replied:
"In Debian we re-bundled heimdal. Samba is only known to work and is only tested with the bundled copy. The semi-private interfaces we use with the KDC have skewed and we rely on specific patches to be applied on the Heimdal side.

The work to have Heimdal updated in Samba, so we can then port out the last few patches and unbundle it remains uncompleted. The port to MIT kerberos is ongoing, but also not complete."
So the way to go right now seems (c) use the bundled version.
For reference and follow-ups at samba-ml.
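Whichever of the options above a system ends up with, the practical check is which Kerberos library the installed smbd actually resolves at runtime: Samba's own private copy, the system Heimdal, or MIT krb5. The script below is an added example written for this thread, not code from the bug, from Gentoo or from Samba. It classifies `ldd` output by soname; the sonames it looks for (a `-samba4`-suffixed libkrb5 for the bundled build, `libkrb5.so.26` for Heimdal, `libkrb5.so.3` for MIT) and the sample `ldd` lines are assumptions constructed for the example, so adjust the patterns if your install names its libraries differently.

```shell
#!/bin/sh
# Classify which Kerberos implementation an smbd binary links against,
# based on the text of `ldd /usr/sbin/smbd`.
# Soname patterns are assumptions about typical installs, not facts from the bug report:
#   libkrb5-samba4.so*  -> Samba's bundled (private) Heimdal
#   libkrb5.so.26       -> system Heimdal
#   libkrb5.so.3        -> system MIT krb5
classify_krb5() {
    ldd_output="$1"
    if printf '%s\n' "$ldd_output" | grep -q 'libkrb5-samba4\.so'; then
        echo bundled
    elif printf '%s\n' "$ldd_output" | grep -q 'libkrb5\.so\.26'; then
        echo system-heimdal
    elif printf '%s\n' "$ldd_output" | grep -q 'libkrb5\.so\.3'; then
        echo system-mit
    else
        echo unknown
    fi
}

# Constructed sample ldd outputs (not captured from a real system).
SAMPLE_BUNDLED='    linux-vdso.so.1 (0x00007ffd00000000)
    libkrb5-samba4.so.26 => /usr/lib64/samba/libkrb5-samba4.so.26 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

SAMPLE_HEIMDAL='    libkrb5.so.26 => /usr/lib64/libkrb5.so.26 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

SAMPLE_MIT='    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

# Run the check against the real binary when it is present; otherwise
# demonstrate on the constructed samples.
check_installed_smbd() {
    smbd_path="${1:-/usr/sbin/smbd}"
    if [ -x "$smbd_path" ] && command -v ldd >/dev/null 2>&1; then
        classify_krb5 "$(ldd "$smbd_path" 2>/dev/null)"
    else
        echo unknown
    fi
}

echo "bundled sample : $(classify_krb5 "$SAMPLE_BUNDLED")"
echo "heimdal sample : $(classify_krb5 "$SAMPLE_HEIMDAL")"
echo "mit sample     : $(classify_krb5 "$SAMPLE_MIT")"
echo "this system    : $(check_installed_smbd)"
```

On a box built the way option (c) describes, the first pattern should match and no system `libkrb5` should appear in the `ldd` output at all; if both the `-samba4` copy and a system `libkrb5.so.26` show up, two Kerberos implementations are loaded into the same process, which is exactly the mixing the thread is worried about.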
Unmasked 4.5.3. No issue at the moment.
Issues I have with stable samba4* versions.
(smb occupies all CPU when unsuccessfully trying to print)
New versions from samba are stable in the tree and other security bugs are being handled on their respective reports.
Gentoo Security Padawan