SCIENTIFIC-LINUX-USERS Archives

April 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Thu, 14 Apr 2016 11:34:26 +0200
On Wed, Apr 13, 2016 at 11:45 PM, ~Stack~ <[log in to unmask]> wrote:
>
> I am running SL6 on my Samba servers. I am in an environment where I am
> required to apply security patches daily. Yum auto updates nearly all
> security patches for me every morning (only a few things like the kernel
> are excluded).
>
> This morning we went from 3.6.23-25 to 3.6.23-30. Everything broke. Not
> a single server works.
>
> Short recap that proves it is the update.
> $ # restore everything from backup server
> $ service nmb start; service smb start
> $ # everything works.
> $ service nmb stop; service smb stop
> $ yum update -y --security --exclude=kernel*
> # updates just 5 packages: samba, samba-client,
> # samba-common, samba-winbind, and samba-winbind-clients
> $ service nmb start; service smb start
> # Nothing works.
> $ service nmb stop; service smb stop
> $ yum history undo $lastversion
> $ service nmb start; service smb start
> # Everything works again.
>
> There is really not much in the logs at all from smb/nmb as to what is
> going wrong. The client just gets a strange error about permissions
> denied. However, in the log file for the client, we see things like
> "Domain password server not available". There are occasional messages in
> nmb logs about "current master browser = UNKNOWN" and
> "find_domain_master_name_query_fail" but they are not easily reproducible.
>
> 1) It is amazing how many questions on the samba list don't get responses...
>
> 2) The vast majority of the responses I found online didn't seem to work.
>
> At one point, I scrapped my entire smb.conf file, wiped samba, and
> restarted with the smb.conf file the new RPM provided. I still couldn't
> get clients to connect.
>
> Here is my smb.conf file that I restored from last night. It has been
> working since May of 2014.
>
> [global]
> workgroup = MYWORKGROUP
> server string = hostname
> netbios name = hostname
> log file = /var/log/samba/log.%m
> max log size = 50
> security = domain
> password server = my.primary.domain.server
> preferred master = no
> wins support = no
> wins server = my.primary.domain.server
> wins proxy = yes
> dns proxy = yes
> load printers = yes
> cups option = raw
> restrict anonymous = 1
> smb ports = 139
> [homes]
> comment = Home Directories
> browsable = no
> writeable = yes
> valid users = %S
>
> [ yes I know I am not supposed to use security=domain with password
> server, but it works. Modifying either seems to make it not work]
>
> Anyone else have horrific issues with this update??

I haven't updated samba on SL or any other distro but I wonder whether
this is the reason:

o  CVE-2016-2111:

   It's basically the same as CVE-2015-0005 for Windows:

     The NETLOGON service in Microsoft Windows Server 2003 SP2,
     Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
     and R2, when a Domain Controller is configured, allows remote
     attackers to spoof the computer name of a secure channel's
     endpoint, and obtain sensitive session information, by running a
     crafted application and leveraging the ability to sniff network
     traffic, aka "NETLOGON Spoofing Vulnerability".

   The vulnerability in Samba is worse as it doesn't require
   credentials of a computer account in the domain.

   This only applies to Samba running as classic primary domain controller,
   classic backup domain controller or active directory domain controller.

   The security patches introduce a new option called "raw NTLMv2 auth"
   ("yes" or "no") for the [global] section in smb.conf.
   Samba (the smbd process) will reject clients using raw NTLMv2
   without using NTLMSSP.

   Note that this option also applies to Samba running as
   standalone server and member server.

   You should also consider using "lanman auth = no" (which is already
   the default) and "ntlm auth = no". Have a look at the smb.conf manpage
   for further details, as they might impact compatibility with older
   clients. These also apply for all server roles.
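
An added example (not part of the original message and not Samba code): a small Python check that reads the [global] section of an smb.conf and reports whether the three authentication options named in the reply are set explicitly or left to the package default. The function names are hypothetical and the sample is a trimmed, constructed copy of the configuration quoted above.

```python
import re

# Options named in the reply, keyed by normalised name. Assumption used here:
# smb.conf parameter names are matched case-insensitively, ignoring whitespace.
AUTH_OPTIONS = {
    "rawntlmv2auth": "raw NTLMv2 auth",
    "lanmanauth": "lanman auth",
    "ntlmauth": "ntlm auth",
}

def normalise(name):
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised_name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[normalise(name)] = value.strip()
    return params

def audit(text):
    """Map each option to its explicit value, or None if the file does not set it."""
    params = parse_global(text)
    return {label: params.get(key) for key, label in AUTH_OPTIONS.items()}

# Constructed sample: trimmed copy of the smb.conf quoted in the message above.
SAMPLE = """\
[global]
workgroup = MYWORKGROUP
security = domain
password server = my.primary.domain.server
smb ports = 139
[homes]
valid users = %S
"""

if __name__ == "__main__":
    for option, value in audit(SAMPLE).items():
        print(f"{option:16} {value if value is not None else '(not set, package default applies)'}")
```

For the quoted configuration all three options come back unset, so whatever defaults the updated packages ship are the ones in effect.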
