1.182. samba

Updated samba packages that fix credentials file handling for mount.cifs are now available for Red Hat Enterprise Linux 5.

Samba is a suite of programs used by machines to share files, printers, and other information.

The kernel CIFS client mount helper binary (mount.cifs) uses details stored in a credentials file to authenticate with file servers. After a recent security update, mount.cifs no longer parsed credentials files correctly, and included trailing newlines in the authentication information. Attempts to authenticate would therefore fail with errors such as NT_STATUS_LOGON_FAILURE. The parsing code is now corrected and no longer includes the newline as part of the authentication details. Mount.cifs can therefore use credentials files to authenticate with file servers successfully.

Users of Samba should upgrade to these updated packages, which contain backported patches to correct this issue.

Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Samba is a suite of programs used by machines to share files, printers, and other information.

A denial of service flaw was found in the Samba smbd daemon. An authenticated, remote user could send a specially-crafted response that would cause an smbd child process to enter an infinite loop. An authenticated, remote user could use this flaw to exhaust system resources by opening multiple CIFS sessions. (CVE-2009-2906)

An uninitialized data access flaw was discovered in the smbd daemon when using the non-default "dos filemode" configuration option in "smb.conf". An authenticated, remote user with write access to a file could possibly use this flaw to change an access control list for that file, even when such access should have been denied. (CVE-2009-1888)

A flaw was discovered in the way Samba handled users without a home directory set in the back-end password database (e.g. "/etc/passwd"). If a share for the home directory of such a user was created (e.g. using the automated "[homes]" share), any user able to access that share could see the whole file system, possibly bypassing intended access restrictions. (CVE-2009-2813)

The mount.cifs program printed CIFS passwords as part of its debug output when running in verbose mode. When mount.cifs had the setuid bit set, a local, unprivileged user could use this flaw to disclose passwords from a file that would otherwise be inaccessible to that user. Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. This flaw only affected systems where the setuid bit was manually set by an administrator. (CVE-2009-2948)

Users of Samba should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.

Updated samba packages that contain various bugfixes are now available.

Samba is a suite of programs used by machines to share files, printers, and other information.

This package addresses the following bugs:

* previously, the man pages and usage messages for rpcclient, smbcacls, samba-client, smbget, smbtree, and pdbedit contained errors, omissions, and outdated information. Users could not therefore rely on the provided documentation to use these programs. The documentation for each of these components has been reviewed and corrected and no longer contains misleading information. (BZ#457082,

BZ#457096, BZ#457097, BZ#457192, BZ#457195, BZ#457203, BZ#457384,

BZ#457385)

* Samba stores its own Kerberos configuration in /var/cache/samba/smb_krb5. Previously, although the "net ads join" command used this configuration and was able to join an Active Directory, "net ads testjoin" and "net ads leave" ignored the samba- specific file and tried to use the configuration in /etc/krb5.conf instead. These commands would therefore fail when authentication through Kerberos was needed. "net ads testjoin" and "net ads leave" now use /var/cache/samba/smb_krb5 and therefore work with authenticated Active Directory resources. (BZ#509170)

* cifs.upcall performs certain CIFS-related tasks for the kernel in user space. The version of cifs.upcall included with previous versions of Samba could not provide the kernel with the credentials cache path stored in the KRB5CCNAME environment variable. Attempts to mount CIFS shares through fstab as a normal user would therefore fail. The version of cifs.upcall included with Red Hat Enterprise Linux 5.5 can now provide the kernel with the credentials cache path, and CIFS shares can therefore be mounted for normal users. (BZ#517195)

* previously, when handling a POSIX open call, Samba did not account for the SMB_O_CREAT, SMB_O_EXCL, or SMB_O_TRUNC flags. As a result, Samba would respond with STATUS_INVALID_PARAMETER to any of these flags instead of honoring the call. Samba now recognizes these flags and honors POSIX open calls that use them. (BZ#522866)

* when setting the "allow trusted domain = no" parameter on a Samba server it would not have any effect on the configuration and Samba would still attempt to contact trusted domains. By refreshing the trusted domain cache only if the parameter "allow trusted domain = yes" is set, Samba no longer attempts to contact trusted domains when "allow trusted domain = no". (BZ#526065)

* mount.cifs would fail to correctly authenticate when a credentials file was used. As a result, any mount operation that used a credentials file would fail. By correcting the newlines during the parsing routines during mounting the issue has been fixed. mount.cifs now works correctly when authenticating with a credentials file. (BZ#532153)

* mounting and unmounting a CIFS filesystem quickly would eventually lead to the CIFS mounts becoming unmountable. The issue has been corrected by linking mtab.o to the building of mount.cifs and unmount.cifs. CIFS mounts no longer become unmountable when performing quick mounting and unmounting of the filesystem. (BZ#533912)

* kdebase conflicted with Samba 3. Samba 2 components libsmbclient and libsmbclient-devel are now available as independent rpms and can be installed alongside Samba 3. By separating out these packages it allows for kdebase to reference its dependencies independent of a Samba installation, correcting the conflict. (BZ#555654)

Users of Samba should upgrade to these updated packages, which resolve these issues.