Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)

Bug #1875798 reported by Maxxer
This bug affects 5 people
Affects          Status        Importance  Assigned to       Milestone
samba (Ubuntu)   Fix Released  Critical    Unassigned
Xenial           Fix Released  Critical    Marc Deslauriers

Bug Description

Latest security update breaks LDAP auth

LDAP request size (81) exceeds (0)

Samba works but LDAP auth for external applications is not working anymore with the error above

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.26
ProcVersionSignature: Ubuntu 4.4.0-177.207-generic 4.4.214
Uname: Linux 4.4.0-177-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
BothFailedConnect: Yes
Date: Wed Apr 29 08:50:49 2020
InstallationDate: Installed on 2018-12-13 (502 days ago)
InstallationMedia: Ubuntu-Server 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=it_IT.UTF-8
 SHELL=/bin/bash
SambaServerRegression: Yes
SmbConfIncluded: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.logrotate.d.samba: [modified]
mtime.conffile..etc.logrotate.d.samba: 2019-05-20T15:58:46.634276
upstart.nmbd.override: manual
upstart.smbd.override: manual

Revision history for this message
Maxxer (lorenzo-milesi) wrote :

samba-tool commands throw the following errors:

Unknown parameter encountered: "ldap max anonymous request size"
Ignoring unknown parameter "ldap max anonymous request size"
Unknown parameter encountered: "ldap max authenticated request size"
Ignoring unknown parameter "ldap max authenticated request size"
Unknown parameter encountered: "ldap max search request size"
Ignoring unknown parameter "ldap max search request size"

Adding these params to smb.conf doesn't solve it; it just doubles the above messages:

ldap max search request size = 1000
ldap max search request size = 1000
ldap max anonymous request size = 1000

Revision history for this message
Marcel Waldvogel (marcel.waldvogel) wrote :

This also affects us. Error message went away by downgrading to original xenial version with

apt-get install samba=2:4.3.8+dfsg-0ubuntu1 samba-common=2:4.3.8+dfsg-0ubuntu1 samba-common-bin=2:4.3.8+dfsg-0ubuntu1 libwbclient0=2:4.3.8+dfsg-0ubuntu1 samba-libs=2:4.3.8+dfsg-0ubuntu1 python-samba=2:4.3.8+dfsg-0ubuntu1 samba-dsdb-modules=2:4.3.8+dfsg-0ubuntu1
apt-mark hold samba

But still not everything is working, keep you posted.

Revision history for this message
Maxxer (lorenzo-milesi) wrote :

On Ubuntu 16.04 I managed to download (almost all) old packages from security.ubuntu.com, and installing them recovered.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Revision history for this message
Marcel Waldvogel (marcel.waldvogel) wrote :

Downgrading everything which was 2:4.3.11+dfsg-0ubuntu0.16.04.26 to 2:4.3.8+dfsg-0ubuntu1 worked for us. Here is the command we used:

apt-get install samba=2:4.3.8+dfsg-0ubuntu1 samba-common=2:4.3.8+dfsg-0ubuntu1 samba-common-bin=2:4.3.8+dfsg-0ubuntu1 libwbclient0=2:4.3.8+dfsg-0ubuntu1 samba-libs=2:4.3.8+dfsg-0ubuntu1 python-samba=2:4.3.8+dfsg-0ubuntu1 samba-dsdb-modules=2:4.3.8+dfsg-0ubuntu1 winbind=2:4.3.8+dfsg-0ubuntu1 samba-vfs-modules=2:4.3.8+dfsg-0ubuntu1 libsmbclient=2:4.3.8+dfsg-0ubuntu1

apt-mark hold samba

If you have other packages installed, you can list all in need of a downgrade with:

apt list | grep 2:4.3.11+dfsg-0ubuntu0.16.04.26 | grep installed

Looking forward to a new version of the security fix which does not disable LDAP.

Revision history for this message
Marcel Waldvogel (marcel.waldvogel) wrote :

The command for automated downgrades (be careful!) is:

apt list | grep 2:4.3.11+dfsg-0ubuntu0.16.04.26 | grep installed | sed 's,/.*,=2:4.3.8+dfsg-0ubuntu1,' | xargs apt install

If the `apt install` would do what you expect, add '-y' to the end and run again.

Changed in samba (Ubuntu):
importance: Undecided → Critical
Changed in samba (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Apologies, this is indeed a regression in Ubuntu 16.04 LTS. I am working on a fix and will have updated packages to test later today.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have uploaded a fixed package to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once the package has finished building, please confirm that it fixes the regression in your environment, and I will immediately publish it as a security fix. Thanks!

information type: Public → Public Security
Revision history for this message
Arnaud FLORENT (aflorent) wrote :

What is the sources.list entry for this PPA, please?

Revision history for this message
Chris Puttick (cputtick) wrote :

sudo add-apt-repository ppa:ubuntu-security-proposed/ppa

(from https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa)

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Please make sure you don't install other packages from that PPA, just the samba ones.
You can either enable the PPA, install the samba packages only, then disable the PPA, or manually download the packages using the following link:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+sourcepub/11253699/+listing-archive-extra

Revision history for this message
Arnaud FLORENT (aflorent) wrote :

I downloaded and installed the proposed packages manually.

It fixes LDAP queries from ldapsearch and nslcd.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks aflorent for testing it.

Revision history for this message
Arnaud FLORENT (aflorent) wrote :

Tested without any extra LDAP request size config param.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.27

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.27) xenial-security; urgency=medium

  * SECURITY REGRESSION: new LDAP options not recognized (LP: #1875798)
    - debian/patches/CVE-2020-10704-3.patch: move options to appropriate
      location in lib/param/loadparm.c.
    - debian/patches/CVE-2020-10704-5.patch: move option to appropriate
      location in lib/param/loadparm.c.
    - debian/patches/CVE-2020-10704-7.patch: add new options to param_table
      in lib/param/param_table.c.

 -- Marc Deslauriers <email address hidden> Wed, 29 Apr 2020 07:50:47 -0400

Changed in samba (Ubuntu Xenial):
status: Confirmed → Fix Released
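An added post-update check, not part of this thread or of Samba itself: the regression above shows up as "Unknown parameter encountered" lines (options absent from param_table) and an effective limit of 0 that rejects every LDAP request. This Python snippet scans `testparm -sv` output for both symptoms; the sample outputs are constructed for the example, not captured from the reporters' systems.

```python
import re

# Constructed sample output resembling `testparm -sv 2>&1` on a build whose
# param_table lacks the new options (they are ignored and never listed).
BROKEN_OUTPUT = """\
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "ldap max search request size"
Ignoring unknown parameter "ldap max search request size"
Unknown parameter encountered: "ldap max anonymous request size"
Ignoring unknown parameter "ldap max anonymous request size"
Loaded services file OK.
"""

# Constructed sample output for a build that recognises the options and
# reports non-zero limits (values are illustrative, not the package defaults).
FIXED_OUTPUT = """\
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
[global]
	ldap max anonymous request size = 256000
	ldap max authenticated request size = 16777216
	ldap max search request size = 256000
"""

LDAP_LIMITS = (
    "ldap max anonymous request size",
    "ldap max authenticated request size",
    "ldap max search request size",
)

UNKNOWN_RE = re.compile(r'Unknown parameter encountered: "([^"]+)"')


def check_ldap_limits(testparm_output):
    """Return problems: unknown smb.conf parameters, and LDAP request size
    limits that testparm does not report or reports as 0 (rejects all)."""
    problems = []
    unknown = set(UNKNOWN_RE.findall(testparm_output))
    for name in sorted(unknown):
        problems.append(f"unknown parameter: {name}")
    values = {}
    for line in testparm_output.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() in LDAP_LIMITS:
            values[key.strip()] = val.strip()
    for name in LDAP_LIMITS:
        if name in unknown:
            continue  # already reported above
        raw = values.get(name)
        if raw is None:
            problems.append(f"not reported by testparm: {name}")
        elif not raw.isdigit() or int(raw) == 0:
            problems.append(f"limit is zero or invalid: {name} = {raw}")
    return problems
```

Run it against the live output with `check_ldap_limits(subprocess.run(["testparm", "-sv"], capture_output=True, text=True).stdout + ...stderr)`; an empty list means the installed build accepts the options and enforces non-zero limits.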
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have now published the regression fix:

https://usn.ubuntu.com/4341-3/

Please let me know if you still experience issues after installing the new package. Thanks.

Changed in samba (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
Cesar Rodrigues (cesarmabel) wrote :

It works perfectly now, with apt-get upgrade!

Thanks!

Mathew Hodson (mhodson)
Changed in samba (Ubuntu):
status: Invalid → Fix Released
tags: added: regression-update