Lorenzo Milesi
2020-Apr-29 07:26 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth, probably with the following error:

LDAP request size (81) exceeds (0)

samba-tool outputs the following when run:

Unknown parameter encountered: "ldap max anonymous request size"
Ignoring unknown parameter "ldap max anonymous request size"
Unknown parameter encountered: "ldap max authenticated request size"
Ignoring unknown parameter "ldap max authenticated request size"
Unknown parameter encountered: "ldap max search request size"
Ignoring unknown parameter "ldap max search request size"

These params aren't defined anywhere, and even if placed in smb.conf the error won't change.

Any workaround for this old version?

thanks

https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog

--
Lorenzo Milesi - lorenzo.milesi at yetopen.it

YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
All information contained in this message is confidential and for the exclusive use of the recipient. All information contained herein, including any attachments, is to be considered confidential and restricted under the terms of Legislative Decree 196/2003 on privacy and of European Regulation 679/2016 (GDPR), and any further unauthorized use is therefore prohibited. If you have received this message in error, please delete it without copying, printing or forwarding it to third parties, and notify us as soon as possible. Thank you.

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
L.P.H. van Belle
2020-Apr-29 07:38 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
Hai,

Well, my advice here is.. You're using Ubuntu 16.04, which is EOL this month.
So the best is to upgrade to either 18.04 or go to 20.04.

And else I suggest you read:
https://www.samba.org/samba/security/CVE-2020-10704.html

* For authenticated connections the maximum packet size is controlled by the smb.conf parameter "ldap max authenticated request size"
* For anonymous connections the maximum packet size is controlled by the smb.conf parameter "ldap max anonymous request size"
* For searches, the maximum packet size is controlled by the smb.conf parameter "ldap max search request size"

Sorry, you have to contact the Ubuntu security team for this one.
(but I suggest you upgrade the OS)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lorenzo Milesi via samba
> Sent: Wednesday 29 April 2020 9:27
> To: samba
> Subject: [Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
> Priority: High
>
> Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth, probably with the following error:
>
> LDAP request size (81) exceeds (0)
>
> samba-tool outputs the following when run:
>
> Unknown parameter encountered: "ldap max anonymous request size"
> Ignoring unknown parameter "ldap max anonymous request size"
> Unknown parameter encountered: "ldap max authenticated request size"
> Ignoring unknown parameter "ldap max authenticated request size"
> Unknown parameter encountered: "ldap max search request size"
> Ignoring unknown parameter "ldap max search request size"
>
> These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
>
> Any workaround for this old version?
>
> thanks
>
> https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
>
> --
> Lorenzo Milesi - lorenzo.milesi at yetopen.it
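A quick check for the symptom in this thread, as an added example that is not from the thread or from the Samba project: it scans testparm output (testparm is Samba's own smb.conf checker) for the "Unknown parameter encountered" warning, so you know whether a given build will honour the three CVE-2020-10704 limits before you rely on values set in smb.conf. The sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check whether the
# installed Samba build actually recognizes the three CVE-2020-10704 limit
# parameters, by scanning testparm output for the "Unknown parameter
# encountered" warning quoted in the thread. testparm is Samba's real config
# checker; the SAMPLE_* strings below are constructed, not real captures.

CVE_PARAMS='ldap max anonymous request size
ldap max authenticated request size
ldap max search request size'

# unknown_params OUTPUT: print, one per line, each CVE parameter that OUTPUT
# reports as unknown. Prints nothing when all three are recognized.
unknown_params() {
    printf '%s\n' "$CVE_PARAMS" | while IFS= read -r p; do
        if printf '%s\n' "$1" | grep -Fq "Unknown parameter encountered: \"$p\""; then
            printf '%s\n' "$p"
        fi
    done
}

# build_honours_limits OUTPUT: succeed (0) only if no CVE parameter is unknown,
# i.e. values set in smb.conf will be applied rather than silently ignored.
build_honours_limits() {
    [ -z "$(unknown_params "$1")" ]
}

# Constructed testparm output resembling the thread's report for
# 4.3.11+dfsg-0ubuntu0.16.04.26 (two of the three parameters unknown).
SAMPLE_OLD='Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "ldap max anonymous request size"
Ignoring unknown parameter "ldap max anonymous request size"
Unknown parameter encountered: "ldap max search request size"
Ignoring unknown parameter "ldap max search request size"
Loaded services file OK.'

# Constructed output from a build that knows all three parameters.
SAMPLE_FIXED='Load smb config files from /etc/samba/smb.conf
Loaded services file OK.'

# Live use on a host (not executed here):
#   build_honours_limits "$(testparm -s 2>&1)" && echo "limits honoured"
```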
Lorenzo Milesi
2020-Apr-29 07:54 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
> And else I suggest you read:
> https://www.samba.org/samba/security/CVE-2020-10704.html
>
> * For authenticated connections the maximum packet size is controlled by
> the smb.conf parameter "ldap max authenticated request size"
>
> * For anonymous connections the maximum packet size is controlled by
> the smb.conf parameter "ldap max anonymous request size"
>
> * For searches, the maximum packet size is controlled by
> the smb.conf parameter "ldap max search request size"

As I said, even adding these params the error persists.

> Sorry, you have to contact the Ubuntu security team for this one.
> (but I suggest you upgrade the OS)

I did already, I hoped to have a possible workaround despite the old version.

--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
Rowland penny
2020-Apr-29 07:57 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
> Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
>
> LDAP request size (81) exceeds (0)
>
> samba-tool outputs the following when ran:
>
> Unknown parameter encountered: "ldap max anonymous request size"
> Ignoring unknown parameter "ldap max anonymous request size"
> Unknown parameter encountered: "ldap max authenticated request size"
> Ignoring unknown parameter "ldap max authenticated request size"
> Unknown parameter encountered: "ldap max search request size"
> Ignoring unknown parameter "ldap max search request size"
>
> These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
>
> Any workaround for this old version?
>
> thanks
>
> https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
>
If you are having problems with this on 4.3.11, then you need to raise a bug report to Ubuntu.

Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have backported these to 4.3.11

Rowland
Remy Zandwijk
2020-Apr-29 08:36 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
> On 29 Apr 2020, at 09:38, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> Well, my advice here is.. You're using Ubuntu 16.04 which is EOL this month.

According to https://wiki.ubuntu.com/Releases it is EOL in April 2024 and standard support ends in April 2021.
Andrew Bartlett
2020-Apr-29 09:10 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
> On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
> > Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
> >
> > LDAP request size (81) exceeds (0)
> >
> > samba-tool outputs the following when ran:
> >
> > Unknown parameter encountered: "ldap max anonymous request size"
> > Ignoring unknown parameter "ldap max anonymous request size"
> > Unknown parameter encountered: "ldap max authenticated request size"
> > Ignoring unknown parameter "ldap max authenticated request size"
> > Unknown parameter encountered: "ldap max search request size"
> > Ignoring unknown parameter "ldap max search request size"
> >
> > These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
> >
> > Any workaround for this old version?
> >
> > thanks
> >
> > https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
> >
> If you are having problems with this on 4.3.11, then you need to raise a
> bug report to Ubuntu.
>
> Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have
> backported these to 4.3.11

Rowland is correct here.

From the description this looks like an untested backport.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
L.P.H. van Belle
2020-Apr-29 09:13 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
Hai Remy,

Yes, you're right, but..

Ubuntu 16.04.6 LTS Xenial Xerus .. February 28, 2019 Release, April 2021 EoSS and April 2024 EOL

After April 2021.. Extended Security Maintenance.. ESM..
Extended Security Maintenance is a paid option through Ubuntu Advantage to get extended support and security updates for select server packages.
It's just what you want.

My advice is the same, update to 18.04 or 20.04.
And I would say, if you are upgrading now, go to 20.04.
The more versions apart (samba and windows), the harder compatibility will be.
The more time it costs to get things right, why waste that precious time on old stuff.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Remy Zandwijk via samba
> Sent: Wednesday 29 April 2020 10:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
>
> > On 29 Apr 2020, at 09:38, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> >
> > Well, my advice here is.. You're using Ubuntu 16.04 which is EOL this month.
>
> According to https://wiki.ubuntu.com/Releases it is EOL in April 2024 and standard support ends in April 2021.
Billy Bob
2020-Apr-29 15:15 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
There was a regression introduced with the last Samba update, which broke LDAP. Ubuntu has just released a fix. See https://usn.ubuntu.com/4341-3/ for the advisory.

On Wednesday, April 29, 2020, 02:27:32 AM CDT, Lorenzo Milesi via samba <samba at lists.samba.org> wrote:

Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:

LDAP request size (81) exceeds (0)

samba-tool outputs the following when run:

Unknown parameter encountered: "ldap max anonymous request size"
Ignoring unknown parameter "ldap max anonymous request size"
Unknown parameter encountered: "ldap max authenticated request size"
Ignoring unknown parameter "ldap max authenticated request size"
Unknown parameter encountered: "ldap max search request size"
Ignoring unknown parameter "ldap max search request size"

These params aren't defined anywhere, and even if placed in smb.conf the error won't change.

Any workaround for this old version?

thanks

https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog

--
Lorenzo Milesi - lorenzo.milesi at yetopen.it