- A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session.
- It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged-in user.
- It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set.
- It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs.
Note: `mount.cifs` from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for `mount.cifs`.
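Added example (not Samba's code and not the upstream patch): one way a setuid helper can guard an mtab-style update against the two failure modes described above, by rejecting fields that contain a newline and by checking every write before replacing the table. The function name `mtab_append`, the `.tmp` suffix and the simplified entry layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Reject any field that would break the one-entry-per-line table format.
 * (Octal escaping of spaces and tabs, as real mtab writers do, is not shown.) */
static int field_is_safe(const char *s)
{
    return s != NULL && *s != '\0' && strpbrk(s, "\n\r") == NULL;
}

/* Append one entry to the table at `path` (hypothetical helper). The new
 * table is built in `path.tmp` and renamed over the original only after every
 * write, flush and close succeeded, so a failed write (e.g. under a small
 * RLIMIT_FSIZE) leaves `path` untouched. Returns 0 on success, -1 otherwise. */
int mtab_append(const char *path, const char *dev, const char *dir,
                const char *type, const char *opts)
{
    char tmp[4096], buf[4096];
    FILE *in, *out;
    size_t n;
    int ok = 1;

    if (!field_is_safe(dev) || !field_is_safe(dir) ||
        !field_is_safe(type) || !field_is_safe(opts))
        return -1;                          /* newline in a name: refuse */
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    if ((out = fopen(tmp, "w")) == NULL)
        return -1;
    if ((in = fopen(path, "r")) != NULL) {  /* copy the existing entries */
        while (ok && (n = fread(buf, 1, sizeof buf, in)) > 0)
            ok = fwrite(buf, 1, n, out) == n;
        ok = ok && !ferror(in);
        fclose(in);
    } else if (errno != ENOENT) {
        ok = 0;                             /* table exists but is unreadable */
    }
    ok = ok && fprintf(out, "%s %s %s %s 0 0\n", dev, dir, type, opts) > 0;
    ok = ok && fflush(out) == 0;
    ok = (fclose(out) == 0) && ok;          /* always close, keep any error */
    if (!ok || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}
```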
- If plain text passwords were used by setting `encrypt passwords = no` in `/etc/samba/smb.conf`, Samba clients running on the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing Microsoft Security Bulletin MS11-043. This update corrects this bug, allowing such clients to use plain-text passwords to access Samba shares.
- Samba failed to verify Kerberos authentication of an SMB Session Setup from a Windows Vista or Windows Server 2008 Common Internet File System (CIFS) client when the Kerberos ticket size was greater than 16 KB. Consequently, if the connecting account was a member of more than 500 security groups, and the domain was configured to create tickets greater than 12Kb, authentication failed. The following error message was logged: `Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!` An upstream patch has been applied and Samba can now use Kerberos authentication for Windows Vista or Windows Server 2008 CIFS clients in the scenario described.
- Previously, in certain environments with many users, the pam_winbind module stopped operating. As a result, failures occurred when users attempted to log in. With this update, the bug has been fixed so that pam_winbind now works as expected in the scenario described.
- The group ID (GID) of `ServerName\None` was incremented every time the Identity Mapping (IDMAP) cache expired. Given enough time the GID would eventually reach the top of the range specified by the `idmap gid` directive in the `smb.conf` file. Consequently, new allocation of GIDs would not be possible and a group would no longer resolve properly. This update includes an upstream fix and the cache expiry no longer causes GIDs to increment.
- The Name Service Switch daemon `winbind` produces excessive debug output messages when attempting to register an already-registered IDMAP module. Previously, the messages were set to debug level `0`. Consequently, the messages could not be filtered by lowering the `log level` parameter in `smb.conf`. With this update, a patch has been applied to increase the debug level of the messages to `5`. As a result, the debug messages can now be filtered by setting the
- If Linux clients used the CIFS client in the kernel to mount a Samba share, the `force create mode` parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow the `umask` parameter, and files with undesired permissions were created. With this update, the bug has been fixed and files are now created with the correct permissions.
- Due to a regression in Samba, Windows Internet Explorer 9 running on Windows 7 could not download files to a Samba share. Consequently, some Windows 7 users could not make use of Samba shares. This update includes upstream improvements to Samba to address this bug. As a result, Windows 7 users can now save files on Samba shares using Internet Explorer 9.
- Previously, the man pages for certain Samba components did not document that primary group membership is not calculated based on the `gidNumber` LDAP attribute if Windows Services for UNIX (SFU) are enabled, or if the standard RFC 2307 LDAP attributes in the Active Directory (AD) are used. Instead, Winbind uses the `primaryGroupID` LDAP attribute. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation.
- Previously, extracting files from a ZIP archive failed on the Distributed File System (DFS) shares if the following `symlinks = yes` parameter was not set. This bug has been fixed in this update so that extracting files from a ZIP archive now works as expected.
- If winbind was joined to the domain with `idmap_ad` specified as the backend, enumerating users was enabled, and most of the users had UIDs, then when calling `getent passwd` for a user who had no UID, the enumeration stopped and the following error was displayed: `NT_STATUS_NONE_MAPPED` This update implements an upstream patch to correct the problem. As a result, if a user cannot be mapped, winbind no longer stops but continues enumerating users in the scenario described.
- Previously, the winbindd-locator tool could not correctly find a Domain Controller (DC) using Samba and DNS SRV records when outside the networks that are known to AD and are mapped to AD sites. Consequently, when a host was a member of a Windows Server 2008 R2 domain, and the host was in a network that was not mapped to any known site of the AD, the host could not locate a DC and an error message in the following format was logged: `ads_dns_lookup_srv: Failed to resolve _ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM` With this update a patch has been applied and winbindd-locator can now locate a DC in the scenario described.
- The smbclient tool sometimes failed to return the expected exit status code; it returned `1`. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status.
- Previously, the Winbind IDMAP interface cache did not expire as specified in the `smb.conf` file. Consequently, the positive and negative entries in the cache would not expire until the opposite type of query was made. This update contains a backported fix for the problem. As a result, the `idmap cache time` and `idmap negative cache time` directives now work as expected.
- Previously, the net(8) man page did not document the `-k` option for using Kerberos authentication. Consequently, users were not aware how to use Kerberos authentication with the net utility. This update adds the missing documentation to the man page.