[Pkg-samba-maint] [Git][samba-team/samba][master] 3 commits: d/NEWS: split it into different $package.NEWS files

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Tue May 3 20:55:22 BST 2022



Michael Tokarev pushed to branch master at Debian Samba Team / samba


Commits:
cdd9c2b6 by Michael Tokarev at 2022-05-03T15:42:12+03:00
d/NEWS: split it into different $package.NEWS files

Most news items actually belong to the samba package,
but some are for winbind or libpam-winbind too.
There's no reason to ship the same NEWS items in
unrelated library packages.

- - - - -
d1f05d5b by Michael Tokarev at 2022-05-03T16:00:04+03:00
d/upstream/metadata: add Bug-Database

- - - - -
5f67d36f by Michael Tokarev at 2022-05-03T17:56:54+03:00
d/samba.postinst: only create sambashare group and usershare directory on new install

Do not create sambashare group and /var/lib/samba/usershare
directory if upgrading from previous version of samba.
We configure these on new install so our default config
works, but let the admin configure things differently,
without forcing them to have this group and directory.

- - - - -


6 changed files:

- debian/NEWS
- + debian/libpam-winbind.NEWS
- + debian/samba.NEWS
- debian/samba.postinst
- debian/upstream/metadata
- + debian/winbind.NEWS


Changes:

=====================================
debian/NEWS
=====================================
@@ -1,98 +1,3 @@
-samba (2:4.6.5+dfsg-5) unstable; urgency=medium
-
-    The samba service has been removed. Use the individual services instead:
-
-    * nmbd
-    * smbd
-    * samba-ad-dc
-
- -- Mathieu Parent <sathieu at debian.org>  Tue, 18 Jul 2017 22:52:05 +0200
-
-samba (2:4.4.1+dfsg-1) experimental; urgency=medium
-
-    This Samba security addresses both Denial of Service and Man in
-    the Middle vulnerabilities.
-
-    Both of these changes implement new smb.conf options and a number
-    of stricter behaviours to prevent Man in the Middle attacks on our
-    network services, as a client and as a server.
-
-    Between these changes, compatibility with a large number of older
-    software versions has been lost in the default configuration.
-
-    See the release notes in WHATNEW.txt for more information.
-
-
-    Here are some additional hints how to work around the new stricter default behaviors:
-
-    * As an AD DC server, only Windows 2000 and Samba 3.6 and above as
-      a domain member are supported out of the box. Other smb file
-      servers as domain members are also fine out of the box.
-
-    * As an AD DC server, with default setting of "ldap server require
-      strong auth", LDAP clients connecting over ldaps:// or START_TLS
-      will be allowed to perform simple LDAP bind only.
-
-      The preferred configuration for LDAP clients is to use SASL
-      GSSAPI directly over ldap:// without using ldaps:// or
-      START_TLS.
-
-      To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
-      NTLMSSP) sign/seal protection must be used by the client and
-      server should be configured with "ldap server require strong
-      auth = allow_sasl_over_tls".
-
-      Consult OpenLDAP documentation how to set sign/seal protection
-      in ldap.conf.
-
-      For SSSD client configured with "id_provider = ad" or
-      "id_provider = ldap" with "auth_provider = krb5", see
-      sssd-ldap(5) manual for details on TLS session handling.
-
-    * As a File Server, compatibility with the Linux Kernel cifs
-      client depends on which configuration options are selected, please
-      use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
-
-    * As a file or printer client and as a domain member, out of the
-      box compatibility with Samba less than 4.0 and other SMB/CIFS
-      servers, depends on support for SMB signing or SMB2 on the
-      server, which is often disabled or absent. You may need to
-      adjust the "client ipc signing" to "no" in these cases.
-
-    * In case of an upgrade from versions before 4.2.0, you might run
-      into problems as a domain member. The out of the box compatibility
-      with Samba 3.x domain controllers requires NETLOGON features only
-      available in Samba 3.2 and above.
-
-    However, all of these can be worked around by setting smb.conf
-    options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
-    https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
-    wiki for details, workarounds and suggested security-improving
-    changes to these and other software packages.
-
-
-    Suggested further improvements after patching:
-
-    It is recommended that administrators set these additional options,
-    if compatible with their network environment:
-
-        server signing = mandatory
-        ntlm auth = no
-
-    Without "server signing = mandatory", Man in the Middle attacks
-    are still possible against our file server and
-    classic/NT4-like/Samba3 Domain controller. (It is now enforced on
-    Samba's AD DC.) Note that this has heavy impact on the file server
-    performance, so you need to decide between performance and
-    security. These Man in the Middle attacks for smb file servers are
-    well known for decades.
-
-    Without "ntlm auth = no", there may still be clients not using
-    NTLMv2, and these observed passwords may be brute-forced easily using
-    cloud-computing resources or rainbow tables.
-
- -- Andrew Bartlett <abartlet+debian at catalyst.net.nz>  Tue, 12 Apr 2016 16:18:57 +1200
-
 samba (2:4.0.10+dfsg-3) unstable; urgency=low
 
     The SWAT package is no longer available.
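Review bot: the 2:4.0.10+dfsg-3 SWAT entry kept as context at the end of this hunk is the only entry the two debian/NEWS hunks leave in the shared file, so by the commit message's own reasoning it still ships in the unrelated library packages. If it is meant only for users of the samba package, move it to debian/samba.NEWS with the others; if it is kept shared on purpose, say so in the commit message.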
@@ -107,96 +12,3 @@ samba (2:4.0.10+dfsg-3) unstable; urgency=low
     https://lists.samba.org/archive/samba-technical/2013-February/090572.html
 
  -- Ivo De Decker <ivo.dedecker at ugent.be>  Tue, 22 Oct 2013 07:52:54 +0200
-
-samba (2:3.6.5-2) unstable; urgency=low
-
-    NSS modules have been split out from libpam-winbind to
-    libnss-winbind.
-    
-    If Recommends: installs are disabled on your system you may need
-    to manually install the libnss-winbind package after upgrading
-    from former versions of winbind (for instance from squeeze) or
-    from former versions of libpam-winbind.
-
- -- Christian Perrier <bubulle at debian.org>  Mon, 07 May 2012 22:16:32 +0200
-
-samba (2:3.5.11~dfsg-3) unstable; urgency=low
-
-    PAM modules and NSS modules have been split out from the winbind
-    package into libpam-winbind.
-    
-    If Recommends: installs are disabled on your system you may need
-    to manually install the libpam-winbind package after upgrading
-    from former versions of winbind (for instance from squeeze)
-
- -- Steve Langasek <vorlon at debian.org>  Fri, 21 Oct 2011 20:00:13 +0000
-
-samba (2:3.4.0-1) unstable; urgency=low
-
-    Default passdb backend changed in samba 3.4.0 and above
-  
-    Beginning with samba 3.4.0, the default setting for "passdb
-    backend" changed from "smbpasswd" to "tdbsam".
-    
-    If your smb.conf file does not have an explicit mention of
-    "passdb backend" when upgrading from pre-3.4.0 versions of
-    samba, it is likely that users will no longer be able to
-    authenticate.
-    
-    As a consequence of all this, if you're upgrading from lenny
-    and have no setting of "passdb backend" in smb.conf, you MUST
-    add "passdb backend = smbpasswd" in order to keep your samba
-    server's behaviour.
-    
-    As Debian packages of samba explicitly set "passdb backend = tdbsam"
-    by default since etch, very few users should need to modify their
-    settings.
-
- -- Christian Perrier <bubulle at debian.org>  Tue, 07 Jul 2009 20:42:19 +0200
-
-samba (3.0.27a-2) unstable; urgency=low
-
-    Weak authentication methods are disabled by default
-
-    Beginning with this version, plaintext authentication is disabled for
-    clients and lanman authentication is disabled for both clients and
-    servers.  Lanman authentication is not needed for Windows
-    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
-    95/98/ME clients (or servers) you may need to set lanman auth (or client
-    lanman auth) to yes in your smb.conf.
-
-    The "lanman auth = no" setting will also cause lanman password hashes to
-    be deleted from smbpasswd and prevent new ones from being written, so
-    that these can't be subjected to brute-force password attacks.  This
-    means that re-enabling lanman auth after it has been disabled is more
-    difficult; it is therefore advisable that you re-enable the option as
-    soon as possible if you think you will need to support Win9x clients.
-
-    Client support for plaintext passwords is not needed for recent Windows
-    servers, and in fact this behavior change makes the Samba client behave
-    in a manner consistent with all Windows clients later than Windows 98.
-    However, if you need to connect to a Samba server that does not have
-    encrypted password support enabled, or to another server that does not
-    support NTLM authentication, you will need to set
-    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
-
- -- Steve Langasek <vorlon at debian.org>  Sat, 24 Nov 2007 00:23:37 -0800
-
-samba (3.0.26a-2) unstable; urgency=low
-
-    Default printing system has changed from BSD to CUPS
-
-    Previous versions of this package were configured to use BSD lpr as the
-    default printing system.  With this version of Samba, the default has
-    been changed to CUPS for consistency with the current default printer
-    handling in the rest of the system.
-
-    If you wish to continue using the BSD printing interface from Samba, you
-    will need to set "printing = bsd" manually in /etc/samba/smb.conf.  If
-    you wish to use CUPS printing but have previously set any of the
-    "print command", "lpq command", or "lprm command" options in smb.conf,
-    you will want to remove these settings from your config.  Otherwise, if
-    you have the cupsys package installed, Samba should begin to use it
-    automatically with no action on your part.
-
- -- Steve Langasek <vorlon at debian.org>  Wed, 14 Nov 2007 17:19:36 -0800


=====================================
debian/libpam-winbind.NEWS
=====================================
@@ -0,0 +1,11 @@
+samba (2:3.6.5-2) unstable; urgency=low
+
+    NSS modules have been split out from libpam-winbind to
+    libnss-winbind.
+
+    If Recommends: installs are disabled on your system you may need
+    to manually install the libnss-winbind package after upgrading
+    from former versions of winbind (for instance from squeeze) or
+    from former versions of libpam-winbind.
+
+ -- Christian Perrier <bubulle at debian.org>  Mon, 07 May 2012 22:16:32 +0200
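Review bot: the 2:3.6.5-2 entry names two upgrade paths, "from former versions of winbind" and "from former versions of libpam-winbind", but it is added only to debian/libpam-winbind.NEWS. If the hint to install libnss-winbind should also reach systems that have winbind without libpam-winbind, carry the entry in debian/winbind.NEWS as well; otherwise the commit message could say that the first path is covered by the 2:3.5.11~dfsg-3 entry there.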


=====================================
debian/samba.NEWS
=====================================
@@ -0,0 +1,164 @@
+samba (2:4.6.5+dfsg-5) unstable; urgency=medium
+
+    The samba service has been removed. Use the individual services instead:
+
+    * nmbd
+    * smbd
+    * samba-ad-dc
+
+ -- Mathieu Parent <sathieu at debian.org>  Tue, 18 Jul 2017 22:52:05 +0200
+
+samba (2:4.4.1+dfsg-1) experimental; urgency=medium
+
+    This Samba security addresses both Denial of Service and Man in
+    the Middle vulnerabilities.
+
+    Both of these changes implement new smb.conf options and a number
+    of stricter behaviours to prevent Man in the Middle attacks on our
+    network services, as a client and as a server.
+
+    Between these changes, compatibility with a large number of older
+    software versions has been lost in the default configuration.
+
+    See the release notes in WHATNEW.txt for more information.
+
+
+    Here are some additional hints how to work around the new stricter default behaviors:
+
+    * As an AD DC server, only Windows 2000 and Samba 3.6 and above as
+      a domain member are supported out of the box. Other smb file
+      servers as domain members are also fine out of the box.
+
+    * As an AD DC server, with default setting of "ldap server require
+      strong auth", LDAP clients connecting over ldaps:// or START_TLS
+      will be allowed to perform simple LDAP bind only.
+
+      The preferred configuration for LDAP clients is to use SASL
+      GSSAPI directly over ldap:// without using ldaps:// or
+      START_TLS.
+
+      To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
+      NTLMSSP) sign/seal protection must be used by the client and
+      server should be configured with "ldap server require strong
+      auth = allow_sasl_over_tls".
+
+      Consult OpenLDAP documentation how to set sign/seal protection
+      in ldap.conf.
+
+      For SSSD client configured with "id_provider = ad" or
+      "id_provider = ldap" with "auth_provider = krb5", see
+      sssd-ldap(5) manual for details on TLS session handling.
+
+    * As a File Server, compatibility with the Linux Kernel cifs
+      client depends on which configuration options are selected, please
+      use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+    * As a file or printer client and as a domain member, out of the
+      box compatibility with Samba less than 4.0 and other SMB/CIFS
+      servers, depends on support for SMB signing or SMB2 on the
+      server, which is often disabled or absent. You may need to
+      adjust the "client ipc signing" to "no" in these cases.
+
+    * In case of an upgrade from versions before 4.2.0, you might run
+      into problems as a domain member. The out of the box compatibility
+      with Samba 3.x domain controllers requires NETLOGON features only
+      available in Samba 3.2 and above.
+
+    However, all of these can be worked around by setting smb.conf
+    options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
+    https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
+    wiki for details, workarounds and suggested security-improving
+    changes to these and other software packages.
+
+
+    Suggested further improvements after patching:
+
+    It is recommended that administrators set these additional options,
+    if compatible with their network environment:
+
+        server signing = mandatory
+        ntlm auth = no
+
+    Without "server signing = mandatory", Man in the Middle attacks
+    are still possible against our file server and
+    classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+    Samba's AD DC.) Note that this has heavy impact on the file server
+    performance, so you need to decide between performance and
+    security. These Man in the Middle attacks for smb file servers are
+    well known for decades.
+
+    Without "ntlm auth = no", there may still be clients not using
+    NTLMv2, and these observed passwords may be brute-forced easily using
+    cloud-computing resources or rainbow tables.
+
+ -- Andrew Bartlett <abartlet+debian at catalyst.net.nz>  Tue, 12 Apr 2016 16:18:57 +1200
+
+samba (2:3.4.0-1) unstable; urgency=low
+
+    Default passdb backend changed in samba 3.4.0 and above
+
+    Beginning with samba 3.4.0, the default setting for "passdb
+    backend" changed from "smbpasswd" to "tdbsam".
+
+    If your smb.conf file does not have an explicit mention of
+    "passdb backend" when upgrading from pre-3.4.0 versions of
+    samba, it is likely that users will no longer be able to
+    authenticate.
+
+    As a consequence of all this, if you're upgrading from lenny
+    and have no setting of "passdb backend" in smb.conf, you MUST
+    add "passdb backend = smbpasswd" in order to keep your samba
+    server's behaviour.
+
+    As Debian packages of samba explicitly set "passdb backend = tdbsam"
+    by default since etch, very few users should need to modify their
+    settings.
+
+ -- Christian Perrier <bubulle at debian.org>  Tue, 07 Jul 2009 20:42:19 +0200
+
+samba (3.0.27a-2) unstable; urgency=low
+
+    Weak authentication methods are disabled by default
+
+    Beginning with this version, plaintext authentication is disabled for
+    clients and lanman authentication is disabled for both clients and
+    servers.  Lanman authentication is not needed for Windows
+    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
+    95/98/ME clients (or servers) you may need to set lanman auth (or client
+    lanman auth) to yes in your smb.conf.
+
+    The "lanman auth = no" setting will also cause lanman password hashes to
+    be deleted from smbpasswd and prevent new ones from being written, so
+    that these can't be subjected to brute-force password attacks.  This
+    means that re-enabling lanman auth after it has been disabled is more
+    difficult; it is therefore advisable that you re-enable the option as
+    soon as possible if you think you will need to support Win9x clients.
+
+    Client support for plaintext passwords is not needed for recent Windows
+    servers, and in fact this behavior change makes the Samba client behave
+    in a manner consistent with all Windows clients later than Windows 98.
+    However, if you need to connect to a Samba server that does not have
+    encrypted password support enabled, or to another server that does not
+    support NTLM authentication, you will need to set
+    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
+
+ -- Steve Langasek <vorlon at debian.org>  Sat, 24 Nov 2007 00:23:37 -0800
+
+samba (3.0.26a-2) unstable; urgency=low
+
+    Default printing system has changed from BSD to CUPS
+
+    Previous versions of this package were configured to use BSD lpr as the
+    default printing system.  With this version of Samba, the default has
+    been changed to CUPS for consistency with the current default printer
+    handling in the rest of the system.
+
+    If you wish to continue using the BSD printing interface from Samba, you
+    will need to set "printing = bsd" manually in /etc/samba/smb.conf.  If
+    you wish to use CUPS printing but have previously set any of the
+    "print command", "lpq command", or "lprm command" options in smb.conf,
+    you will want to remove these settings from your config.  Otherwise, if
+    you have the cupsys package installed, Samba should begin to use it
+    automatically with no action on your part.
+
+ -- Steve Langasek <vorlon at debian.org>  Wed, 14 Nov 2007 17:19:36 -0800
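Review bot: the 2:4.4.1+dfsg-1 entry is not server-only, yet it now lands only in debian/samba.NEWS. Its text covers behaviour "as a client and as a server", the "client ipc signing" setting for file or printer clients and domain members, and upgrade problems "as a domain member", so a host that has winbind but not the samba package would no longer be shown these stricter defaults. Consider carrying the entry, or a short pointer to it, in debian/winbind.NEWS too. Since the text is being re-added anyway, the "This Samba security addresses" sentence and the "WHATNEW.txt" file name (spelled WHATSNEW.txt further down in the same entry) could be corrected at the same time.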


=====================================
debian/samba.postinst
=====================================
@@ -55,15 +55,17 @@ mask_services() {
 #	them to be readable only by root.
 umask 022
 
-# add the sambashare group
-if ! getent group sambashare > /dev/null 2>&1
+if [ configure = "$1" -a -z "$2" ] # only do this if not upgrading
 then
+    # add the sambashare group
+    if ! getent group sambashare > /dev/null 2>&1
+    then
 	addgroup --system sambashare
-fi
-
-if [ ! -e /var/lib/samba/usershares ]
-then
+    fi
+    if [ ! -e /var/lib/samba/usershares ]
+    then
 	install -d -m 1770 -g sambashare /var/lib/samba/usershares
+    fi
 fi
 
 # mimic source4/smbd/server.c and mask service before it fails
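Review bot: the new guard `[ configure = "$1" -a -z "$2" ]` treats every configure run with a non-empty $2 as an upgrade, and that includes a reinstall after removal without purge, where the previously configured version is still passed. On such a system, or on an upgrade where the packaged default config is still in use, a missing sambashare group or /var/lib/samba/usershares directory is no longer recreated, so the "our default config works" intent from the commit message only holds for first installs. Either document this in a samba.NEWS entry so admins know the group and directory are not restored on upgrade, or keep a fallback for that case. Two smaller points: `-a` inside `[` is more robustly written as `[ "$1" = configure ] && [ -z "$2" ]`, and the re-indented block mixes four-space lines with the tab-indented addgroup and install lines. The commit message also names /var/lib/samba/usershare while the script uses /var/lib/samba/usershares.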


=====================================
debian/upstream/metadata
=====================================
@@ -1,2 +1,3 @@
 ---
 Repository: https://git.samba.org/samba.git
+Bug-Database: https://bugzilla.samba.org/


=====================================
debian/winbind.NEWS
=====================================
@@ -0,0 +1,10 @@
+samba (2:3.5.11~dfsg-3) unstable; urgency=low
+
+    PAM modules and NSS modules have been split out from the winbind
+    package into libpam-winbind.
+
+    If Recommends: installs are disabled on your system you may need
+    to manually install the libpam-winbind package after upgrading
+    from former versions of winbind (for instance from squeeze)
+
+ -- Steve Langasek <vorlon at debian.org>  Fri, 21 Oct 2011 20:00:13 +0000



View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/30577a7ac7d632a407531a39014d1c7063e9c4b5...5f67d36ff617fa7e9609ff2e3baa6ed1a533f5a5
