[Bug 1583324] Re: Samba won't start when an include statement in smb.conf has a variable substitution
Andreas Hasenack
andreas at canonical.com
Fri Aug 3 13:14:28 UTC 2018
** Description changed:
[Impact]
- * An explanation of the effects of the bug on users and
+ Samba in AD mode refuses to start when the smb.conf file contains an
+ include line with a variable substitution like "include =
+ /etc/samba/smb.conf.%U"
- * justification for backporting the fix to the stable release.
+ This happens because the initscript calls "samba-tool testparm" to
+ obtain a configuration parameter from smb.conf, and this testparm tool
+ fails because it doesn't expand the %U macro and fails to read
+ "/etc/samba/smb.conf." (note the ending dot).
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ Note that "samba-tool testparm" is different from just "testparm". The
+ latter doesn't fail. We could just replace one with the other in the
+ initscript, but later on in the process of provisioning an AD controller
+ this error is encountered again, so it's best to fix it properly.
[Test Case]
- * detailed instructions how to reproduce the bug
+ * install samba:
+ sudo apt install samba
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ * create /etc/samba/smb.conf with this content:
+ [global]
+ netbios name = samba
+ log file = /var/log/samba/log.%m
+ map to guest = Bad User
+ max log size = 1000
+ obey pam restrictions = Yes
+ pam password change = Yes
+ panic action = /usr/share/samba/panic-action %d
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ passwd program = /usr/bin/passwd %u
+ server string = %h server (Samba, Ubuntu)
+ unix password sync = Yes
+ usershare allow guests = Yes
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
+
+ * run the command that fails:
+ ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
+ ERROR: Unable to load default file
+ ubuntu at trusty-samba-include:~$ echo $?
+ 255
+
+ * install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file.
+ ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
+ # Global parameters
+ [global]
+ netbios name = SAMBA
+ server string = %h server (Samba, Ubuntu)
+ map to guest = Bad User
+ obey pam restrictions = Yes
+ pam password change = Yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ unix password sync = Yes
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ usershare allow guests = Yes
+ panic action = /usr/share/samba/panic-action %d
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
+ ubuntu at trusty-samba-include:~$ echo $?
+ 0
+
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
+ * discussion of how regressions are most likely to manifest as a result
of this change.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
-
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
[Original Description]
Samba refuses to start when the smb.conf file contains an include line
with a variable substitution like "include = /etc/samba/smb.conf.%U"
According to the man page for smb.conf, all but a few specific variable
substitutions should work.
include (G)
This allows you to include one config file inside another.
The file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S.
The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but
instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that
this option automatically activates registry shares.
Default: include =
Example: include = /usr/local/samba/lib/admin_smb.conf
It is probably related to this bug in samba:
https://bugzilla.samba.org/show_bug.cgi?id=10722
Description: Ubuntu 16.04 LTS
Release: 16.04
samba:
Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Version table:
*** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2:4.3.8+dfsg-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
** Description changed:
[Impact]
Samba in AD mode refuses to start when the smb.conf file contains an
include line with a variable substitution like "include =
/etc/samba/smb.conf.%U"
This happens because the initscript calls "samba-tool testparm" to
obtain a configuration parameter from smb.conf, and this testparm tool
fails because it doesn't expand the %U macro and fails to read
"/etc/samba/smb.conf." (note the ending dot).
Note that "samba-tool testparm" is different from just "testparm". The
latter doesn't fail. We could just replace one with the other in the
initscript, but later on in the process of provisioning an AD controller
this error is encountered again, so it's best to fix it properly.
+ The patch is straight from an upstream commit, and that code is in place
+ in the samba packages from bionic and cosmic already.
+
[Test Case]
* install samba:
sudo apt install samba
* create /etc/samba/smb.conf with this content:
[global]
- netbios name = samba
- log file = /var/log/samba/log.%m
- map to guest = Bad User
- max log size = 1000
- obey pam restrictions = Yes
- pam password change = Yes
- panic action = /usr/share/samba/panic-action %d
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- passwd program = /usr/bin/passwd %u
- server string = %h server (Samba, Ubuntu)
- unix password sync = Yes
- usershare allow guests = Yes
- idmap config * : backend = tdb
- include = /etc/samba/smb.conf.%U
+ netbios name = samba
+ log file = /var/log/samba/log.%m
+ map to guest = Bad User
+ max log size = 1000
+ obey pam restrictions = Yes
+ pam password change = Yes
+ panic action = /usr/share/samba/panic-action %d
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ passwd program = /usr/bin/passwd %u
+ server string = %h server (Samba, Ubuntu)
+ unix password sync = Yes
+ usershare allow guests = Yes
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
* run the command that fails:
ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
ERROR: Unable to load default file
ubuntu at trusty-samba-include:~$ echo $?
255
* install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file.
ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
# Global parameters
[global]
- netbios name = SAMBA
- server string = %h server (Samba, Ubuntu)
- map to guest = Bad User
- obey pam restrictions = Yes
- pam password change = Yes
- passwd program = /usr/bin/passwd %u
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- unix password sync = Yes
- log file = /var/log/samba/log.%m
- max log size = 1000
- usershare allow guests = Yes
- panic action = /usr/share/samba/panic-action %d
- idmap config * : backend = tdb
- include = /etc/samba/smb.conf.%U
+ netbios name = SAMBA
+ server string = %h server (Samba, Ubuntu)
+ map to guest = Bad User
+ obey pam restrictions = Yes
+ pam password change = Yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ unix password sync = Yes
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ usershare allow guests = Yes
+ panic action = /usr/share/samba/panic-action %d
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
ubuntu at trusty-samba-include:~$ echo $?
0
-
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result
of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Samba refuses to start when the smb.conf file contains an include line
with a variable substitution like "include = /etc/samba/smb.conf.%U"
According to the man page for smb.conf, all but a few specific variable
substitutions should work.
include (G)
This allows you to include one config file inside another.
The file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S.
The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but
instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that
this option automatically activates registry shares.
Default: include =
Example: include = /usr/local/samba/lib/admin_smb.conf
It is probably related to this bug in samba:
https://bugzilla.samba.org/show_bug.cgi?id=10722
Description: Ubuntu 16.04 LTS
Release: 16.04
samba:
Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Version table:
*** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2:4.3.8+dfsg-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
** Description changed:
[Impact]
Samba in AD mode refuses to start when the smb.conf file contains an
include line with a variable substitution like "include =
/etc/samba/smb.conf.%U"
This happens because the initscript calls "samba-tool testparm" to
obtain a configuration parameter from smb.conf, and this testparm tool
- fails because it doesn't expand the %U macro and fails to read
- "/etc/samba/smb.conf." (note the ending dot).
+ fails because it doesn't expand the %U macro and fails to read the
+ literal filename.
Note that "samba-tool testparm" is different from just "testparm". The
latter doesn't fail. We could just replace one with the other in the
initscript, but later on in the process of provisioning an AD controller
this error is encountered again, so it's best to fix it properly.
The patch is straight from an upstream commit, and that code is in place
in the samba packages from bionic and cosmic already.
[Test Case]
* install samba:
sudo apt install samba
* create /etc/samba/smb.conf with this content:
[global]
netbios name = samba
log file = /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server string = %h server (Samba, Ubuntu)
unix password sync = Yes
usershare allow guests = Yes
idmap config * : backend = tdb
include = /etc/samba/smb.conf.%U
* run the command that fails:
- ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
+ ubuntu at trusty-samba-include:~$ sudo samba-tool testparm -d 2
+ lpcfg_load: refreshing parameters from /etc/samba/smb.conf
+ Can't find include file /etc/samba/smb.conf.%U
ERROR: Unable to load default file
ubuntu at trusty-samba-include:~$ echo $?
255
+ Note the debug level 2 message saying the include file couldn't be
+ found.
+
* install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file.
- ubuntu at trusty-samba-include:~$ sudo samba-tool testparm --suppress-prompt
+ ubuntu at trusty-samba-include:~$ sudo samba-tool testparm -d 2 --suppress-prompt
+ lpcfg_load: refreshing parameters from /etc/samba/smb.conf
+ Tried to load /etc/samba/smb.conf.%U but variable substitution in filename, ignoring file.
# Global parameters
[global]
- netbios name = SAMBA
- server string = %h server (Samba, Ubuntu)
- map to guest = Bad User
- obey pam restrictions = Yes
- pam password change = Yes
- passwd program = /usr/bin/passwd %u
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- unix password sync = Yes
- log file = /var/log/samba/log.%m
- max log size = 1000
- usershare allow guests = Yes
- panic action = /usr/share/samba/panic-action %d
- idmap config * : backend = tdb
- include = /etc/samba/smb.conf.%U
+ netbios name = SAMBA
+ server string = %h server (Samba, Ubuntu)
+ map to guest = Bad User
+ obey pam restrictions = Yes
+ pam password change = Yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ unix password sync = Yes
+ log level = 2
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ usershare allow guests = Yes
+ panic action = /usr/share/samba/panic-action %d
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
ubuntu at trusty-samba-include:~$ echo $?
0
+ We can also see the new debugging message saying that the include file
+ was ignored because of the variable substitution.
+
+
[Regression Potential]
-
- * discussion of how regressions are most likely to manifest as a result
- of this change.
-
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ If you happen to include a filename that has an actual "%" in its name, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Samba refuses to start when the smb.conf file contains an include line
with a variable substitution like "include = /etc/samba/smb.conf.%U"
According to the man page for smb.conf, all but a few specific variable
substitutions should work.
include (G)
This allows you to include one config file inside another.
The file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S.
The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but
instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that
this option automatically activates registry shares.
Default: include =
Example: include = /usr/local/samba/lib/admin_smb.conf
It is probably related to this bug in samba:
https://bugzilla.samba.org/show_bug.cgi?id=10722
Description: Ubuntu 16.04 LTS
Release: 16.04
samba:
Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Version table:
*** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2:4.3.8+dfsg-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
** Description changed:
[Impact]
Samba in AD mode refuses to start when the smb.conf file contains an
include line with a variable substitution like "include =
/etc/samba/smb.conf.%U"
This happens because the initscript calls "samba-tool testparm" to
obtain a configuration parameter from smb.conf, and this testparm tool
fails because it doesn't expand the %U macro and fails to read the
literal filename.
Note that "samba-tool testparm" is different from just "testparm". The
latter doesn't fail. We could just replace one with the other in the
initscript, but later on in the process of provisioning an AD controller
this error is encountered again, so it's best to fix it properly.
The patch is straight from an upstream commit, and that code is in place
in the samba packages from bionic and cosmic already.
[Test Case]
* install samba:
sudo apt install samba
* create /etc/samba/smb.conf with this content:
[global]
netbios name = samba
log file = /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
server string = %h server (Samba, Ubuntu)
unix password sync = Yes
usershare allow guests = Yes
idmap config * : backend = tdb
include = /etc/samba/smb.conf.%U
* run the command that fails:
ubuntu at trusty-samba-include:~$ sudo samba-tool testparm -d 2
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Can't find include file /etc/samba/smb.conf.%U
ERROR: Unable to load default file
ubuntu at trusty-samba-include:~$ echo $?
255
Note the debug level 2 message saying the include file couldn't be
found.
* install the updated packages and run the same command again. This time it will work, exit with status 0, and show the main config file.
ubuntu at trusty-samba-include:~$ sudo samba-tool testparm -d 2 --suppress-prompt
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Tried to load /etc/samba/smb.conf.%U but variable substitution in filename, ignoring file.
# Global parameters
[global]
- netbios name = SAMBA
- server string = %h server (Samba, Ubuntu)
- map to guest = Bad User
- obey pam restrictions = Yes
- pam password change = Yes
- passwd program = /usr/bin/passwd %u
- passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
- unix password sync = Yes
- log level = 2
- log file = /var/log/samba/log.%m
- max log size = 1000
- usershare allow guests = Yes
- panic action = /usr/share/samba/panic-action %d
- idmap config * : backend = tdb
- include = /etc/samba/smb.conf.%U
+ netbios name = SAMBA
+ server string = %h server (Samba, Ubuntu)
+ map to guest = Bad User
+ obey pam restrictions = Yes
+ pam password change = Yes
+ passwd program = /usr/bin/passwd %u
+ passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
+ unix password sync = Yes
+ log level = 2
+ log file = /var/log/samba/log.%m
+ max log size = 1000
+ usershare allow guests = Yes
+ panic action = /usr/share/samba/panic-action %d
+ idmap config * : backend = tdb
+ include = /etc/samba/smb.conf.%U
ubuntu at trusty-samba-include:~$ echo $?
0
We can also see the new debugging message saying that the include file
was ignored because of the variable substitution.
-
[Regression Potential]
- If you happen to include a filename that has an actual "%" in its name, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though.
+ If you happen to include a filename that has an actual "%" in its name, not followed by a letter, and it doesn't exist, this patch will not flag that as an error and just ignore it, whereas before it would be flagged. Having such a filename is asking for trouble, though.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Samba refuses to start when the smb.conf file contains an include line
with a variable substitution like "include = /etc/samba/smb.conf.%U"
According to the man page for smb.conf, all but a few specific variable
substitutions should work.
include (G)
This allows you to include one config file inside another.
The file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S.
The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but
instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that
this option automatically activates registry shares.
Default: include =
Example: include = /usr/local/samba/lib/admin_smb.conf
It is probably related to this bug in samba:
https://bugzilla.samba.org/show_bug.cgi?id=10722
Description: Ubuntu 16.04 LTS
Release: 16.04
samba:
Installed: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Candidate: 2:4.3.9+dfsg-0ubuntu0.16.04.1
Version table:
*** 2:4.3.9+dfsg-0ubuntu0.16.04.1 500
500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
2:4.3.8+dfsg-0ubuntu1 500
500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1583324
Title:
Samba won't start when an include statement in smb.conf has a variable
substitution
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1583324/+subscriptions
More information about the Ubuntu-server-bugs
mailing list