Merge pull request #21 from blubber/make-cve-2017-7494-mitigation-optional

Add config flag to disable CVE-2017-7494 mitigation
Bert Van Vreckem 2018-05-19 23:21:12 +02:00 committed by GitHub
commit e2732e4263
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 23 deletions


@ -42,6 +42,7 @@ No specific requirements
| `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. | | `samba_log` | - | Set the log file. If left undefined, logging is done through syslog. |
| `samba_log_size` | 5000 | Set the maximum size of the log file. | | `samba_log_size` | 5000 | Set the maximum size of the log file. |
| `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. | | `samba_map_to_guest` | `bad user` | Behaviour when unregistered users access the shares. |
| `samba_mitigate_cve_2017_7494` | true | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. |
| `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. | | `samba_netbios_name` | `{{ ansible_hostname }}` | The NetBIOS name of this server. |
| `samba_passdb_backend` | `tdbsam` | Password database backend. | | `samba_passdb_backend` | `tdbsam` | Password database backend. |
| `samba_realm` | - | Realm domain name | | `samba_realm` | - | Realm domain name |


@ -19,3 +19,4 @@ samba_wins_support: yes
samba_local_master: yes samba_local_master: yes
samba_domain_master: yes samba_domain_master: yes
samba_preferred_master: yes samba_preferred_master: yes
samba_mitigate_cve_2017_7494: true
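Review bot: The new default `samba_mitigate_cve_2017_7494: true` has no comment saying what turning it off costs, and the README row added in this commit mentions only client breakage. Setting it to false drops `nt pipe support = no` from the generated smb.conf, so protection then rests entirely on the installed Samba package containing the upstream fix. I would add above the variable: `# Keep true unless the installed Samba package includes the fix for CVE-2017-7494; false removes "nt pipe support = no" from smb.conf.` The neighbouring defaults use `yes`, so `true` is a small style inconsistency. The template's `{% if samba_mitigate_cve_2017_7494 %}` test would also be more predictable as `{% if samba_mitigate_cve_2017_7494 | bool %}`, since a value passed as the string "false" through extra vars is truthy in Jinja.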


@ -48,9 +48,11 @@ server string = {{ samba_server_string }}
disable spoolss = yes disable spoolss = yes
{% endif %} {% endif %}
{% if samba_mitigate_cve_2017_7494 %}
# Fix for CVE-2017-7494 # Fix for CVE-2017-7494
# https://access.redhat.com/security/cve/cve-2017-7494 # https://access.redhat.com/security/cve/cve-2017-7494
nt pipe support = no nt pipe support = no
{% endif %}
{% if samba_load_homes %} {% if samba_load_homes %}
## Make home directories accessible ## Make home directories accessible