Merge pull request #21 from blubber/make-cve-2017-7494-mitigation-optional

Add config flag to disable CVE-2017-7494 mitigation
2018-05-19 23:21:12 +02:00 · 2018-05-19 23:21:12 +02:00 · e2732e4263
commit e2732e4263
parent 3cb311356e b006670615
3 changed files with 27 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -42,6 +42,7 @@ No specific requirements
 | `samba_log`                    | -                        | Set the log file. If left undefined, logging is done through syslog.     |
 | `samba_log_size`               | 5000                     | Set the maximum size of the log file.                                    |
 | `samba_map_to_guest`           | `bad user`               | Behaviour when unregistered users access the shares.                     |
+| `samba_mitigate_cve_2017_7494` | true                     | CVE-2017-7494 mitigation breaks some clients, such as macOS High Sierra. |
 | `samba_netbios_name`           | `{{ ansible_hostname }}` | The NetBIOS name of this server.                                         |
 | `samba_passdb_backend`         | `tdbsam`                 | Password database backend.                                               |
 | `samba_realm`                  | -                        | Realm domain name                                                        |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -19,3 +19,4 @@ samba_wins_support: yes
 samba_local_master: yes
 samba_domain_master: yes
 samba_preferred_master: yes
+samba_mitigate_cve_2017_7494: true
--- a/templates/smb.conf.j2
+++ b/templates/smb.conf.j2
@ -48,9 +48,11 @@ server string = {{ samba_server_string }}
  disable spoolss = yes
 {% endif %}

+{% if samba_mitigate_cve_2017_7494 %}
  # Fix for CVE-2017-7494
  # https://access.redhat.com/security/cve/cve-2017-7494
  nt pipe support = no
+{% endif %}

 {% if samba_load_homes %}
 ## Make home directories accessible