Andrew Bartlett
2020-Apr-29 09:10 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
> On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
> > Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
> >
> > LDAP request size (81) exceeds (0)
> >
> > samba-tool outputs the following when ran:
> >
> > Unknown parameter encountered: "ldap max anonymous request size"
> > Ignoring unknown parameter "ldap max anonymous request size"
> > Unknown parameter encountered: "ldap max authenticated request size"
> > Ignoring unknown parameter "ldap max authenticated request size"
> > Unknown parameter encountered: "ldap max search request size"
> > Ignoring unknown parameter "ldap max search request size"
> >
> > These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
> >
> > Any workaround for this old version?
> >
> > thanks
> >
> >
> > https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
> >
> If you are having problems with this on 4.3.11, then you need to raise a
> bug report to Ubuntu.
>
> Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have
> backported these to 4.3.11

Rowland is correct here.

From the description this looks like an untested backport.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2020-Apr-29 09:41 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
On Wed, 2020-04-29 at 21:10 +1200, Andrew Bartlett via samba wrote:
> On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
> > On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
> > > Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
> > >
> > > LDAP request size (81) exceeds (0)
> > >
> > > samba-tool outputs the following when ran:
> > >
> > > Unknown parameter encountered: "ldap max anonymous request size"
> > > Ignoring unknown parameter "ldap max anonymous request size"
> > > Unknown parameter encountered: "ldap max authenticated request size"
> > > Ignoring unknown parameter "ldap max authenticated request size"
> > > Unknown parameter encountered: "ldap max search request size"
> > > Ignoring unknown parameter "ldap max search request size"
> > >
> > > These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
> > >
> > > Any workaround for this old version?
> > >
> > > thanks
> > >
> > >
> > > https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
> > >
> > If you are having problems with this on 4.3.11, then you need to raise a
> > bug report to Ubuntu.
> >
> > Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have
> > backported these to 4.3.11
>
> Rowland is correct here.
>
> From the description this looks like an untested backport.

In their defence, since 10374dde0f9d2e13496198b90c0c6e592bfef86c in Samba 4.4, smb.conf generation has been entirely automated, but for Samba 4.3 the param_table in lib/param/param_table.c still needed to be filled in.

So it would not have been obvious that the patch wasn't complete.

I've CC'ed Marc as the Ubuntu developer in the changelog.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
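A simplified model of the failure described in the message above, added here as an illustration and not taken from Samba's or Ubuntu's source: when a parameter's field exists but its entry is missing from the name table, neither a built-in default nor an smb.conf line can reach it, so the limit stays 0 and an 81-byte request fails the size check. The struct, table and function names and the 4096 default are constructed, and applying defaults by name through the same table is an assumption of this model.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not Samba source; all names here are hypothetical. */
struct globals { size_t ldap_max_anonymous_request_size; };
struct parm { const char *label; size_t offset; };

/* Name table as a complete patch would leave it. */
static const struct parm complete_table[] = {
    { "ldap max anonymous request size",
      offsetof(struct globals, ldap_max_anonymous_request_size) },
    { NULL, 0 }
};
/* Name table after a backport that added the field but no entry. */
static const struct parm incomplete_table[] = { { NULL, 0 } };

/* Set a parameter by name: 0 on success, -1 for "Unknown parameter". */
int set_parm(const struct parm *t, struct globals *g,
             const char *name, size_t value)
{
    for (; t->label != NULL; t++) {
        if (strcmp(t->label, name) == 0) {
            memcpy((char *)g + t->offset, &value, sizeof(value));
            return 0;
        }
    }
    return -1;
}

/* Apply the built-in default, then the smb.conf value, both by name
 * (assumption). Returns how many of the two settings were ignored. */
int load(const struct parm *t, struct globals *g, size_t conf_value)
{
    const char *name = "ldap max anonymous request size";
    memset(g, 0, sizeof(*g));
    return (set_parm(t, g, name, 4096) != 0)        /* constructed default */
         + (set_parm(t, g, name, conf_value) != 0); /* smb.conf override */
}

/* Load, then run the size check on one request: 1 = accepted. */
int allowed_after_load(const struct parm *t, size_t conf_value, size_t len)
{
    struct globals g;
    load(t, &g, conf_value);
    return len <= g.ldap_max_anonymous_request_size;
}
```

With the incomplete table the smb.conf value never takes effect, which matches the report that adding the parameters to smb.conf did not change the error.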
Arnaud FLORENT
2020-Apr-29 15:16 UTC
[Samba] Latest Ubuntu 16.04 samba upgrade breaks external ldap auth (CVE-2020-10704)
The fixed version has been released by Ubuntu.

On 29/04/2020 at 11:41, Andrew Bartlett via samba wrote:
> On Wed, 2020-04-29 at 21:10 +1200, Andrew Bartlett via samba wrote:
>> On Wed, 2020-04-29 at 08:57 +0100, Rowland penny via samba wrote:
>>> On 29/04/2020 08:26, Lorenzo Milesi via samba wrote:
>>>> Latest Samba4 upgrade (4.3.11+dfsg-0ubuntu0.16.04.26) broke external LDAP auth probably with the following error:
>>>>
>>>> LDAP request size (81) exceeds (0)
>>>>
>>>> samba-tool outputs the following when ran:
>>>>
>>>> Unknown parameter encountered: "ldap max anonymous request size"
>>>> Ignoring unknown parameter "ldap max anonymous request size"
>>>> Unknown parameter encountered: "ldap max authenticated request size"
>>>> Ignoring unknown parameter "ldap max authenticated request size"
>>>> Unknown parameter encountered: "ldap max search request size"
>>>> Ignoring unknown parameter "ldap max search request size"
>>>>
>>>> These params aren't defined anywhere, and even if placed in smb.conf the error won't change.
>>>>
>>>> Any workaround for this old version?
>>>>
>>>> thanks
>>>>
>>>>
>>>> https://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.11+dfsg-0ubuntu0.16.04.26/changelog
>>>>
>>> If you are having problems with this on 4.3.11, then you need to raise a
>>> bug report to Ubuntu.
>>>
>>> Samba has provided patches for 4.10, 4.11 and 4.12, Ubuntu must have
>>> backported these to 4.3.11
>> Rowland is correct here.
>>
>> From the description this looks like an untested backport.
> In their defence, since 10374dde0f9d2e13496198b90c0c6e592bfef86c in
> Samba 4.4, smb.conf generation has been entirely automated, but for
> Samba 4.3 the param_table in lib/param/param_table.c still needed to be
> filled in.
>
> So it would not have been obvious that the patch wasn't complete.
>
> I've CC'ed Marc as the Ubuntu developer in the changelog.
>
> Andrew Bartlett

--
Arnaud FLORENT
IRIS Technologies