Add flag to disable CVE-2017-7494 mitigation

Setting "nt pipe support = no" seems to break macOS High Sierra clients.
2017-12-25 08:51:53 +01:00 · 2017-12-25 08:51:53 +01:00 · b006670615
commit b006670615
parent 4add05ac71
3 changed files with 27 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -42,6 +42,7 @@ No specific requirements
 | `samba_log`                    | -                        | Set the log file. If left undefined, logging is done through syslog.     |
 | `samba_log_size`               | 5000                     | Set the maximum size of the log file.                                    |
 | `samba_map_to_guest`           | `bad user`               | Behaviour when unregistered users access the shares.                     |
+| `samba_mitigate_cve_2017_7494` | true                     | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. |
 | `samba_netbios_name`           | `{{ ansible_hostname }}` | The NetBIOS name of this server.                                         |
 | `samba_passdb_backend`         | `tdbsam`                 | Password database backend.                                               |
 | `samba_realm`                  | -                        | Realm domain name                                                        |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -19,3 +19,4 @@ samba_wins_support: yes
 samba_local_master: yes
 samba_domain_master: yes
 samba_preferred_master: yes
+samba_mitigate_cve_2017_7494: true
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@ -48,9 +48,11 @@ server string = {{ samba_server_string }}
  disable spoolss = yes
 {% endif %}

+{% if samba_mitigate_cve_2017_7494 %}
  # Fix for CVE-2017-7494
  # https://access.redhat.com/security/cve/cve-2017-7494
  nt pipe support = no
+{% endif %}

 {% if samba_load_homes %}
 ## Make home directories accessible