Skip to content
Commits on Source (3)
Show whitespace changes
Inline Side-by-side
debian/changelog
View file @ 49b1cb0b
samba (2:4.8.0+dfsg-2) UNRELEASED; urgency=medium
* Remove unused and outdated debian/README.debian (debian/README.Debian is
used instead)
* Mask services as appropriate in samba and winbind postinst (Closes: #863285)
- mask samba-ad-dc unless server role = active directory domain controller
(as before)
- mask smbd and nmbd when server role = active directory domain controller
- mask nmbd when disable netbios = yes (Closes: #866125)
* Set smbspool_krb5_wrapper permissions to 0700 (Closes: #894720, #372270)
-- Mathieu Parent <sathieu@debian.org> Sat, 07 Apr 2018 11:56:32 +0200
samba (2:4.8.0+dfsg-1) experimental; urgency=medium
[ Mathieu Parent ]
......
debian/rules
View file @ 49b1cb0b
......@@ -218,6 +218,9 @@ endif
ifneq (,$(filter samba, $(shell dh_listpackages)))
chmod 1777 debian/samba/var/spool/samba/
endif
ifneq (,$(filter smbclient, $(shell dh_listpackages)))
chmod 0700 debian/smbclient/usr/lib/*/samba/smbspool_krb5_wrapper
endif
override_dh_missing:
dh_missing --fail-missing
......
debian/samba.postinst
View file @ 49b1cb0b
#!/bin/sh
#
# Post-installation script for the Samba package for Debian GNU/Linux
#
#
set -e
mask_services() {
local reason="$1"
shift
local masked_count=0
mkdir -p /etc/systemd/system
echo "${reason}: Masking $*"
echo "Please ignore the following error about deb-systemd-helper not finding those services."
while true; do
local service_name="$1"
if [ -z "$service_name" ]; then
break
fi
shift
if [ ! -e "/etc/systemd/system/${service_name}" ]; then
ln -s /dev/null "/etc/systemd/system/${service_name}"
echo "(${service_name} masked)"
masked_count=$((masked_count+1))
elif [ -h "/etc/systemd/system/${service_name}" ] \
&& [ "$(realpath /etc/systemd/system/${service_name})" = /dev/null ] \
; then
echo "(${service_name} already masked)"
else
echo "WARNING ${service_name} should be masked. The install may fail."
fi
done
# In case this system is running systemd, we make systemd reload the unit files
# to pick up changes.
if [ "${masked_count}" -ge 1 -a -d /run/systemd/system ] ; then
systemctl --system daemon-reload >/dev/null || true
fi
}
# We generate several files during the postinst, and we don't want
# them to be readable only by root.
umask 022
......@@ -36,31 +64,28 @@ then
fi
# mimic source4/smbd/server.c and mask service before it fails
# NB: server role = active directory domain controller is what we need to properly support
# NB: server services = smb is not compiled in
# NB: dcerpc endpoint servers = remote is for developpement
# NB: dcerpc endpoint servers = mapiproxy is for OpenChange which is dead
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
SERVER_SERVICES=`samba-tool testparm --parameter-name="server services" 2>/dev/null | tail -1`
DCERPC_ENDPOINT_SERVERS=`samba-tool testparm --parameter-name="dcerpc endpoint servers" 2>/dev/null | tail -1`
DISABLE_NETBIOS=`samba-tool testparm --parameter-name="disable netbios" 2>/dev/null | tail -1`
if [ "$SERVER_ROLE" != "active directory domain controller" ] \
&& ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)remote\(,\|$\)' ) \
&& ( echo "$DCERPC_ENDPOINT_SERVERS" | grep -qv '\(^\|, \)mapiproxy\(,\|$\)' ) \
; then
if [ ! -e /etc/systemd/system/samba-ad-dc.service ]; then
mkdir -p /etc/systemd/system
echo "Samba is not being run as an AD Domain Controller, masking samba-ad-dc.service."
echo "Please ignore the following error about deb-systemd-helper not finding samba-ad-dc.service."
ln -s /dev/null /etc/systemd/system/samba-ad-dc.service
# In case this system is running systemd, we make systemd reload the unit files
# to pick up changes.
if [ -d /run/systemd/system ] ; then
systemctl --system daemon-reload >/dev/null || true
fi
elif [ -h /etc/systemd/system/samba-ad-dc.service ] \
&& [ "`realpath /etc/systemd/system/samba-ad-dc.service`" = /dev/null ] \
; then
echo "Samba is not being run as an AD Domain Controller."
echo "Please ignore the following error about deb-systemd-helper not finding samba-ad-dc.service."
mask_services "Samba is not being run as an AD Domain Controller" samba-ad-dc.service
fi
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
mask_services "Samba is being run as an AD Domain Controller" smbd.service nmbd.service
elif [ "$DISABLE_NETBIOS" = Yes ]; then
mask_services "NetBIOS is disabled" nmbd.service
fi
#DEBHELPER#
exit 0
debian/winbind.postinst
View file @ 49b1cb0b
......@@ -2,6 +2,38 @@
set -e
mask_services() {
local reason="$1"
shift
local masked_count=0
mkdir -p /etc/systemd/system
echo "${reason}: Masking $*"
echo "Please ignore the following error about deb-systemd-helper not finding those services."
while true; do
local service_name="$1"
if [ -z "$service_name" ]; then
break
fi
shift
if [ ! -e "/etc/systemd/system/${service_name}" ]; then
ln -s /dev/null "/etc/systemd/system/${service_name}"
echo "(${service_name} masked)"
masked_count=$((masked_count+1))
elif [ -h "/etc/systemd/system/${service_name}" ] \
&& [ "$(realpath /etc/systemd/system/${service_name})" = /dev/null ] \
; then
echo "(${service_name} already masked)"
else
echo "WARNING ${service_name} should be masked. The install may fail."
fi
done
# In case this system is running systemd, we make systemd reload the unit files
# to pick up changes.
if [ "${masked_count}" -ge 1 -a -d /run/systemd/system ] ; then
systemctl --system daemon-reload >/dev/null || true
fi
}
getent group winbindd_priv >/dev/null 2>&1 ||
addgroup --system --force-badname --quiet winbindd_priv
......@@ -10,4 +42,9 @@ mkdir -pv "$winbindd_privileged_socket_directory"
chgrp -c winbindd_priv "$winbindd_privileged_socket_directory"
chmod -c 0750 "$winbindd_privileged_socket_directory"
SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
if [ "$SERVER_ROLE" = "active directory domain controller" ]; then
mask_services "Samba is being run as an AD Domain Controller" winbind.service
fi
#DEBHELPER#