Fixing the Reckless Debian Security Update to Samba 4.2

If you’re like me, and were wanting to get the Samba security fixes in place quickly for Debian Jessie version of SAMBA — you’ll maybe have learned that they decided not to backport the fixes for man-in-the-middle, but instead upgrade the whole thing to SAMBA 4.2.

That’s all well and good — but the security update broke SAMBA on my Debian boxes in the test lab (which run Jessie).

The fix was pretty simple after some fairly serious wasted time Googling for it. By default, it SAMBA will now require the winbind package to be installed, otherwise it will silently fail to start.

The symptom I had was that internal DNS resolution for SAMBA stopped working.  And nothing was bound to port 53.

Of course, that was because Samba wasn’t starting at all.

I hope that helps someone — just make sure winbind is installed and running.

They really should have tested this better, even with such a bad flaw in the Microsoft and Samba stuff.

6 thoughts on “Fixing the Reckless Debian Security Update to Samba 4.2”

  1. Thanks for the notice. I ran into the same thing on my new build and definitely needed winbind running in order for the latest release of Samba to behave properly.

    1. It’s kinda weird they put in that dependency — not sure why we’d need it on and domain controller, but what the hay. Would have been nice to have that dependency built into the update! 🙂

  2. Thanks Mark. You were the first person I found that covered this. I am using Linux Mint clients connecting to a Debian server and installing winbind (as I might have imagined) did not solve the issue. However, thanks for posting this. Very useful info to explain how Samba broke my shares!

    1. So what happened with your Sarah? Did the whole server stop working, or just shares stopped being accessible? In the case here, the whole server wouldn’t start any more because winbind wasn’t installed.

      I really don’t know if Samba and Microsoft’s Active Directory is worth the headache it brings. I’m beginning to think it’s not for unix-based clients any more. But unfortunately, as usual, the Microsoft customers have little choice.

      1. No it was just the shares that stopped working. I am not sure what finally fixed it in the end and I found a couple of articles that helped as I did get it sorted. (http://askubuntu.com/questions/109507/smbclient-getting-nt-status-logon-failure-connecting-to-windows-box). I also rechecked the config using this article ( https://www.lisenet.com/2014/install-and-configure-samba-server-on-debian-wheezy/ ) just to make sure I had not missed anything originally (even though it was working fine before the Samba update).

        On the plus side, installing winbind solved an issue I had with share connections from a Win 7 VM that was not working, so thanks for that reminder. Was a bit annoyed that I had not realised it needed winbind in the first place!

        Thanks for posting this Mark as although installing winbind on its own did not fix it for me, I am sure it was a contributing factor.

        1. Ha! Well, the best part is it’s working now! 🙂 And, you’re welcome – and thank YOU Sarah. 🙂

          With winbindd, just be sure it gets included in your /etc/nsswitch.conf file for lookups. I think they may add it there by default now though. And if you’re getting a good list of users from the “active directory” server, I’m pretty sure it’s included there already. That used to be what I’d always forget.

Leave a Reply

Your email address will not be published. Required fields are marked *