ansible-roles/ansible-role-samba
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add flag to disable CVE-2017-7494 mitigation

Browse Source 
Setting "nt pipe support = no" seems to break macOS High Sierra
clients.
This commit is contained in:
Tiemo Kieft 2017-12-25 08:51:53 +01:00
parent 4add05ac71
commit b006670615
No known key found for this signature in database
GPG Key ID: 91A2E4A5F44B310E
3 changed files with 27 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
README.md
View File

@ -33,29 +33,30 @@ No specific requirements
## Role Variables ## Role Variables
| Variable | Default | Comments | | Variable | Default | Comments |
| :--- | :--- | :--- | | :--- | :--- | :--- |
| `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. | | `samba_create_varwww_symlinks` | false | When true, symlinks are created in `/var/www/html` to the shares. |
| `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. | | `samba_interfaces` | [] | List of network interfaces used for browsing, name registration, etc. |
| `samba_load_homes` | false | When true, user home directories are accessible. | | `samba_load_homes` | false | When true, user home directories are accessible. |
| `samba_load_printers` | false | When true, printers attached to the host are shared | | `samba_load_printers` | false | When true, printers attached to the host are shared |
| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. | | `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. |
| `samba_log_size` | 5000 | Set the maximum size of the log file. | | `samba_log_size` | 5000 | Set the maximum size of the log file. |
| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. | | `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. |
| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. | | `samba_mitigate_cve_2017_7494` | true | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. |
| `samba_passdb_backend` | `tdbsam` | Password database backend. | | `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. |
| `samba_realm` | - | Realm domain name | | `samba_passdb_backend` | `tdbsam` | Password database backend. |
| `samba_security` | `user` | Samba security setting | | `samba_realm` | - | Realm domain name |
| `samba_server_string` | `fileserver %m` | Comment string for the server. | | `samba_security` | `user` | Samba security setting |
| `samba_shares` | [] | List of dicts containing share definitions. See below for details. | | `samba_server_string` | `fileserver %m` | Comment string for the server. |
| `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. | | `samba_shares` | [] | List of dicts containing share definitions. See below for details. |
| `samba_users` | [] | List of dicts defining users that can access shares. | | `samba_shares_root` | `/srv/shares` | Directories for the shares are created under this directory. |
| `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. | | `samba_users` | [] | List of dicts defining users that can access shares. |
| `samba_guest_account` | - | Guest account for unknown users | | `samba_workgroup` | `WORKGROUP` | Name of the server workgroup. |
| `samba_wins_support` | true | When true, Samba will act as a WINS server | | `samba_guest_account` | - | Guest account for unknown users |
| `samba_local_master` | true | When true, nmbd will try & become local master of the subnet | | `samba_wins_support` | true | When true, Samba will act as a WINS server |
| `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation | | `samba_local_master` | true | When true, nmbd will try & become local master of the subnet |
| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup | | `samba_domain_master` | true | When true, smbd enables WAN-wide browse list collation |
| `samba_preferred_master` | true | When true, indicates nmbd is a preferred master browser for workgroup |
### Defining users ### Defining users

1
defaults/main.yml
View File

@ -19,3 +19,4 @@ samba_wins_support: yes
samba_local_master: yes samba_local_master: yes
samba_domain_master: yes samba_domain_master: yes
samba_preferred_master: yes samba_preferred_master: yes
samba_mitigate_cve_2017_7494: true

2
templates/smb.conf.j2
View File

@ -48,9 +48,11 @@ server string = {{ samba_server_string }}
disable spoolss = yes disable spoolss = yes
{% endif %} {% endif %}
{% if samba_mitigate_cve_2017_7494 %}
# Fix for CVE-2017-7494 # Fix for CVE-2017-7494
# https://access.redhat.com/security/cve/cve-2017-7494 # https://access.redhat.com/security/cve/cve-2017-7494
nt pipe support = no nt pipe support = no
{% endif %}
{% if samba_load_homes %} {% if samba_load_homes %}
## Make home directories accessible ## Make home directories accessible