RHBA-2011:0242 - Bug Fix Advisory

Topic

Updated samba packages that fix several bugs and add an enhancement are now
available.

Description

Samba is a suite of programs used by machines to share files, printers, and
other information.

These updated samba packages provide fixes for the following bugs:

• Using a share name 24 to 32 characters long caused a string overflow.

Share names are now permitted to be up to 32 characters long and string
overflows no longer occur. (BZ#159019)

• Providing a join user from one Kerberos realm/Active Directory domain, while

attempting to join the Samba server to a different Kerberos realm/Active
Directory domain using Samba's 'net' utility failed. This was caused by a faulty
reading of the system global "/etc/krb5.conf" file. Instead of the
"/etc/krb5.conf" file being read, the 'net' utility read a local private
krb5.conf.[Active Directory realm] file. The 'net' utility now properly reads
the global "/etc/krb5.conf" file. (BZ#467775)

• A Samba server had no way of knowing that an operation performed by the kernel

CIFS client was in fact a file creation. As a result, the "force create mode"
(which sets permissions of a file during its creation) was never initiated and
appeared to be broken. The file creation was handled by a POSIX open call and to
Samba the file creation then appeared as a simple 'chmod' operation. By using
the POSIX open call in the samba client, the server can now properly recognize
the file creation and apply the "force create mode".

Note: This issue was fixed on the server part of Red Hat Enterprise Linux 4,
however, this issue remains broken on the client part. Therefore, the "force
create mode" works properly on Red Hat Enterprise Linux 4 systems with newer
clients (for example, Red Hat Enterprise Linux 5). (BZ#493962)

• The 'restorecon' utility was required during the installation of the

samba-common package. As a result, attempting to update samba without this
utility installed may have failed with the following error message:

/var/tmp/rpm-tmp.89611: line 7: restorecon: command not found

The utility is now used when it is already present in the system only, and the
package is now always updated as expected. (BZ#518785)

• Due to faulty parsing routines, an attempt to mount a CIFS (Common Internet

File System) share with credentials files specified failed. The parsing routines
were fixed and mounting CIFS shares works as expected. (BZ#532094)

• Setting the "allow trusted domain = no" parameter on a Samba server would not

have any effect on the configuration and Samba would still attempt to contact
trusted domains. By refreshing the trusted domain cache only if the parameter
"allow trusted domain = yes" is set, Samba no longer attempts to contact trusted
domains when "allow trusted domain = no" is set. (BZ#559609)

• Mounting and unmounting a CIFS file system too quickly would eventually lead

to the CIFS mounts becoming unmountable. The issue has been corrected by linking
mtab.o to the building of mount.cifs and unmount.cifs. CIFS mounts no longer
become unmountable when performing quick mounting and unmounting of the file
system. (BZ#562836)

• Upgrading domain controllers to Windows Server 2008 R2 caused the Samba

servers, running Red Hat Enterprise Linux 4, to fail to authenticate any Active
Directory domain users. This was caused by Samba's strict expectations on
certain buffer lengths which made the "NETLOGON" secure channel fail. This could
occur when the 'winbind' daemon or the 'smbd' daemon contacted a Windows Server
2008 R2 domain controller. The failure of the secure channel caused the failure
of the whole authentication process. Samba now correctly deals with larger
buffers and the authentication process no longer fails. (BZ#585360)

In addition, these updated samba packages provide the following enhancement:

• This update introduces a 'configtest' parameter for the SMB service which can

detect certain errors in the "/etc/samba/smb.conf" configuration file.
(BZ#157602)

Users are advised to upgrade to these updated samba packages, which resolve
these issues and add this enhancement.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat
Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 4 x86_64
• Red Hat Enterprise Linux Server 4 ia64
• Red Hat Enterprise Linux Server 4 i386
• Red Hat Enterprise Linux Workstation 4 x86_64
• Red Hat Enterprise Linux Workstation 4 ia64
• Red Hat Enterprise Linux Workstation 4 i386
• Red Hat Enterprise Linux Desktop 4 x86_64
• Red Hat Enterprise Linux Desktop 4 i386
• Red Hat Enterprise Linux for IBM z Systems 4 s390x
• Red Hat Enterprise Linux for IBM z Systems 4 s390
• Red Hat Enterprise Linux for Power, big endian 4 ppc

Fixes

• BZ - 157602 - A 'configtest' parameter for the smb service (attached).
• BZ - 159019 - Share names over 32 characters cause smbd trouble
• BZ - 493962 - samba needs patch to make it so that POSIX opens work correctly
• BZ - 518785 - restorecon: command not found after upgrade - leaves two samba-common versions
• BZ - 532094 - Can't mount cifs shares with credentials files.
• BZ - 585360 - Samba authentication problem against Windows Server 2008 R2

CVEs

(none)

References

(none)