samba-tool user password: uncaught exception when updating old password containing regular expression metacharacters
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba | Unknown | Unknown | | |
| samba (Ubuntu) | Fix Released | Undecided | Michał Małoszewski | |
| Focal | Fix Released | Undecided | Michał Małoszewski | |
| Jammy | Fix Released | Undecided | Michał Małoszewski | |
| Kinetic | Won't Fix | Undecided | Unassigned | |
| Lunar | Fix Released | Undecided | Michał Małoszewski | |
Bug Description
[Impact]
* Users of samba on Focal, Jammy and Lunar reported that `samba-tool user password` crashes with an uncaught re.error when the old password given on the command line contains regular-expression metacharacters (for example '(').
* The crash happens because 'opt_str' and 'secret_data' are interpolated into a regular-expression pattern unescaped, so metacharacters in the password are parsed as regex syntax instead of being matched literally. The fix wraps both values in re.escape() before building the pattern.
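The following Python example is added here to make the failure mode concrete; it is not Samba's code. It builds the pattern quoted from getopt.py in the report, once as shipped and once with re.escape() applied, and runs it over constructed command lines. The function names, the "xxx" replacement value and the sample command lines are this example's assumptions; that the match is used to redact the secret from the visible command line is inferred from the burn_commandline patches listed under Related branches.

```python
import re

# Format string quoted in the bug report from getopt.py; the names
# opt_str and secret_data are the report's own.
PASS_OPT_RE_TEMPLATE = "(.*[ ]+)(%s[= ]%s)([ ]*.*)"


def build_pattern(opt_str, secret_data, escape):
    """Compile the pattern either as shipped (escape=False) or with the
    proposed re.escape() fix applied to both interpolated values."""
    if escape:
        opt_str = re.escape(opt_str)
        secret_data = re.escape(secret_data)
    return re.compile(PASS_OPT_RE_TEMPLATE % (opt_str, secret_data))


def burn_secret(cmdline, opt_str, secret_data, escape=True):
    """Redact 'opt_str=secret_data' (or 'opt_str secret_data') in a joined
    command line; return cmdline unchanged when the option is not matched.

    Replacing the value with 'xxx' is this example's assumption about how
    the match groups are used (assumed, not Samba's code).
    """
    m = build_pattern(opt_str, secret_data, escape).match(cmdline)
    if m is None:
        return cmdline
    return m.group(1) + opt_str + "=xxx" + m.group(3)


def try_burn(cmdline, opt_str, secret_data, escape):
    """Return (ok, result). ok is False when compiling the pattern raised
    re.error, which is the uncaught exception shown in the report."""
    try:
        return True, burn_secret(cmdline, opt_str, secret_data, escape)
    except re.error as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample command lines; the passwords are made up.
    base = ("samba-tool user password --username=ubuntu "
            "--password=%s --newpassword=New1")
    for old in ("plain1", "foo(bar", "ab$"):
        cmd = base % old
        for escape in (False, True):
            print("escape=%s old=%r -> %r"
                  % (escape, old, try_burn(cmd, "--password", old, escape)))
```

Two distinct failure modes show up: an unbalanced '(' makes re.compile raise (the crash in this report), while a metacharacter such as '$' compiles fine but changes the pattern's meaning, so the unescaped version silently fails to match and leaves the secret in the command line. re.escape() fixes both.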
[Test Plan]
We need to set up a VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server.
The first step is to create a dedicated virtual network for our tests.
The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "network1"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr0".
We need to set up a Samba AD DC server. Note that we have to use "-n virbr0" when creating the VM, otherwise it won't be attached to our virtual network.
$ lxc launch ubuntu-daily:jammy test1 -n virbr0 --vm
where <release-
$ lxc shell test1
# apt update
# ip a
Make sure to grab this VM's IP address.
# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE test1 test1.test.lan
_EOF_
# reboot
$ lxc shell test1
# apt install -y samba winbind python3-
# mv /etc/samba/smb.conf /etc/samba/
# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
# systemctl mask smbd.service nmbd.service winbind.service
# systemctl disable --now smbd.service nmbd.service winbind.service
# systemctl unmask samba-ad-dc.service
# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/
# systemctl disable --now systemd-
# unlink /etc/resolv.conf
# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
# reboot
This should be enough to configure Samba as an AD DC.
$ lxc shell test1
# smbpasswd -a ubuntu
You will be prompted for the password. Type in the one you will later pass as --password to the password change command; to trigger the bug, this old password must contain a regex metacharacter such as '('.
# apt install smbclient
# smbclient -L <server_ip> -U ubuntu
For this test the minimum password age must be set to 0, otherwise the immediate password change is rejected before the affected code path is reached.
# samba-tool domain passwordsettings set --min-pwd-age=0
# samba-tool user password --username=ubuntu --password=
Example of failed output:
ERROR(<class 're.error'>): uncaught exception - missing ), unterminated subpattern at position 8
File "/usr/bin/
retval = cmd._run(
File "/usr/lib/
return self.subcommand
File "/usr/lib/
return self.subcommand
File "/usr/lib/
opts, args = parser.
File "/usr/lib/
stop = self._process_
File "/usr/lib/
self.
File "/usr/lib/
option.
File "/usr/lib/
return self.take_action(
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
pass_opt_re = re.compile(
File "/usr/lib/
return _compile(pattern, flags)
File "/usr/lib/
p = sre_compile.
File "/usr/lib/
p = sre_parse.parse(p, flags)
File "/usr/lib/
p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
File "/usr/lib/
itemsappend
File "/usr/lib/
raise source.
Example of successful output:
The error above is no longer raised; instead samba-tool prints:
Changed password OK
# smbclient -L <server_ip> -U ubuntu
Type in the password used as --newpassword in the password change command.
You will be able to log in without any issues.
[Where problems could occur]
* The fix changes how credential values given on the samba-tool command line are matched, so a regression would surface in the handling of credential and authentication options such as --password.
-------
1) The release of Ubuntu I am using:
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04
2) The version of the package I am using
$ apt-cache policy python3-samba
python3-samba:
Installed: 2:4.15.
Candidate: 2:4.15.
Version table:
2:
500 http://
*** 2:4.15.
500 http://
100 /var/lib/
2:
500 http://
3) What you expected to happen
I expected the old password to be updated with the provided new password
4) What happened instead
The old password was not updated and the error shown below occurred.
Furthermore, from the final error message:
source.
one can infer that the non-updated old password includes a ( character.
It looks like this is because in:
file: getopt.py,
function: _ensure_
line 201: pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (opt_str, secret_data)
the old password passed through argument secret_data is used as-is
to form a regular expression, instead of being properly escaped.
Suggested fix:
pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (re.escape(
ERROR(): uncaught exception - missing ), unterminated subpattern at position 8
File "/usr/bin/
retval = cmd._run(
File "/usr/lib/
return self.subcommand
File "/usr/lib/
return self.subcommand
File "/usr/lib/
opts, args = parser.
File "/usr/lib/
stop = self._process_
File "/usr/lib/
self.
File "/usr/lib/
option.
File "/usr/lib/
return self.take_action(
File "/usr/lib/
self.
File "/usr/lib/
self.
File "/usr/lib/
pass_opt_re = re.compile(
File "/usr/lib/
return _compile(pattern, flags)
File "/usr/lib/
p = sre_compile.
File "/usr/lib/
p = sre_parse.parse(p, flags)
File "/usr/lib/
p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
File "/usr/lib/
itemsappend
File "/usr/lib/
raise source.
Related branches

- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 3480 lines (+3080/-8), 6 files modified: debian/changelog (+2558/-0), debian/control (+8/-6), debian/rules (+1/-1), debian/tests/control (+4/-0), debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0), debian/tests/util (+111/-1)

- git-ubuntu bot: Approve
- Simon Quigley (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 57 lines (+35/-0), 3 files modified: debian/changelog (+9/-0), debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0), debian/patches/series (+1/-0)

- git-ubuntu bot: Approve
- Simon Quigley (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 57 lines (+35/-0), 3 files modified: debian/changelog (+9/-0), debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0), debian/patches/series (+1/-0)

- git-ubuntu bot: Approve
- Simon Quigley (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 57 lines (+35/-0), 3 files modified: debian/changelog (+9/-0), debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0), debian/patches/series (+1/-0)

- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server Reporter: Pending requested
- Canonical Server Reporter: Pending requested
- Diff: 741 lines (+683/-0), 9 files modified: debian/changelog (+15/-0), debian/patches/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch (+41/-0), debian/patches/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch (+31/-0), debian/patches/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch (+69/-0), debian/patches/python-Add-glue.burn_commandline-method.patch (+116/-0), debian/patches/python-Move-PyList_AsStringList-to-common-code-so-we.patch (+158/-0), debian/patches/python-Remove-const-from-PyList_AsStringList.patch (+82/-0), debian/patches/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch (+164/-0), debian/patches/series (+7/-0)
description: | updated |
information type: | Private Security → Public |
Changed in samba (Ubuntu): | |
status: | New → Confirmed |
Changed in samba (Ubuntu): | |
assignee: | nobody → Michał Małoszewski (michal-maloszewski99) |
Changed in samba (Ubuntu): | |
status: | Confirmed → In Progress |
tags: | added: server-todo |
Changed in samba (Ubuntu Jammy): | |
assignee: | nobody → Michał Małoszewski (michal-maloszewski99) |
Changed in samba (Ubuntu Focal): | |
assignee: | nobody → Michał Małoszewski (michal-maloszewski99) |
Changed in samba (Ubuntu Lunar): | |
assignee: | nobody → Michał Małoszewski (michal-maloszewski99) |
Changed in samba (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in samba (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in samba (Ubuntu Kinetic): | |
status: | New → Won't Fix |
Changed in samba (Ubuntu Lunar): | |
status: | New → Confirmed |
description: | updated |
Changed in samba (Ubuntu Focal): | |
status: | Confirmed → In Progress |
Changed in samba (Ubuntu Jammy): | |
status: | Confirmed → In Progress |
Changed in samba (Ubuntu Lunar): | |
status: | Confirmed → In Progress |
description: | updated |
Changed in samba (Ubuntu Lunar): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed verification-needed-lunar |
description: | updated |
Hello Renaud, thanks for the report; the samba team is working on this:
https://bugzilla.samba.org/show_bug.cgi?id=15289
https://gitlab.com/samba-team/samba/-/merge_requests/2902
Thanks