From b0066706154ca57af4739bba9324a581f3e5c08e Mon Sep 17 00:00:00 2001 From: Tiemo Kieft Date: Mon, 25 Dec 2017 08:51:53 +0100 Subject: [PATCH] Add flag to disable CVE-2017-7494 mitigation Setting "nt pipe support = no" seems to break macOS High Sierra clients. --- README.md | 47 ++++++++++++++++++++++--------------------- defaults/main.yml | 1 + templates/smb.conf.j2 | 2 ++ 3 files changed, 27 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index e793048..26a1cb3 100644 --- a/README.md +++ b/README.md @@ -33,29 +33,30 @@ No specific requirements ## Role Variables -| Variable | Default | Comments | -| :--- | :--- | :--- | -| `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. | -| `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. | -| `samba_load_homes` | false | When true, user home directories are accessible. | -| `samba_load_printers` | false | When true, printers attached to the host are shared | -| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. | -| `samba_log_size` | 5000 | Set the maximum size of the log file. | -| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. | -| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. | -| `samba_passdb_backend` | `tdbsam` | Password database backend. | -| `samba_realm` | - | Realm domain name | -| `samba_security` | `user` | Samba security setting | -| `samba_server_string` | `fileserver %m` | Comment string for the server. | -| `samba_shares` | [] | List of dicts containing share definitions. See below for details. | -| `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. | -| `samba_users` | [] | List of dicts defining users that can access shares. | -| `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. | -| `samba_guest_account` | - | Guest account for unknown users | -| `samba_wins_support` | true | When true, Samba will act as a WINS server | -| `samba_local_master` | true | When true, nmbd will try & become local master of the subnet | -| `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation | -| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup | +| Variable | Default | Comments | +| :--- | :--- | :--- | +| `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. | +| `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. | +| `samba_load_homes` | false | When true, user home directories are accessible. | +| `samba_load_printers` | false | When true, printers attached to the host are shared | +| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. | +| `samba_log_size` | 5000 | Set the maximum size of the log file. | +| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. | +| `samba_mitigate_cve_2017_7494` | true | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. | +| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. | +| `samba_passdb_backend` | `tdbsam` | Password database backend. | +| `samba_realm` | - | Realm domain name | +| `samba_security` | `user` | Samba security setting | +| `samba_server_string` | `fileserver %m` | Comment string for the server. | +| `samba_shares` | [] | List of dicts containing share definitions. See below for details. | +| `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. | +| `samba_users` | [] | List of dicts defining users that can access shares. | +| `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. | +| `samba_guest_account` | - | Guest account for unknown users | +| `samba_wins_support` | true | When true, Samba will act as a WINS server | +| `samba_local_master` | true | When true, nmbd will try & become local master of the subnet | +| `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation | +| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup | ### Defining users diff --git a/defaults/main.yml b/defaults/main.yml index 98b977b..c786d30 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,3 +19,4 @@ samba_wins_support: yes samba_local_master: yes samba_domain_master: yes samba_preferred_master: yes +samba_mitigate_cve_2017_7494: true diff --git a/templates/smb.conf.j2 b/templates/smb.conf.j2 index a0109f9..816386e 100755 --- a/templates/smb.conf.j2 +++ b/templates/smb.conf.j2 @@ -48,9 +48,11 @@ server string = {{ samba_server_string }} disable spoolss = yes {% endif %} +{% if samba_mitigate_cve_2017_7494 %} # Fix for CVE-2017-7494 # https://access.redhat.com/security/cve/cve-2017-7494 nt pipe support = no +{% endif %} {% if samba_load_homes %} ## Make home directories accessible