Resolved
0 votes
This thread is to track and register information with regard to the Badlock bug, which is scheduled to be released on April 12th 2016 at around 1700 UTC. As soon as we have a fix we will need extensive and concentrated testing. More details will follow.
Tuesday, April 12 2016, 02:26 PM
Responses (27)
  • Accepted Answer

    Tuesday, April 12 2016, 03:51 PM - #Permalink
    Resolved
    0 votes
    We will NOT be producing a badlock patch for ClearOS 5. ClearOS 5 is EOL since last December. If you are running ClearOS 5 now is a good time to upgrade. If you have a qualifying license for ClearOS 6 or 7, the engineers at ClearCenter can upgrade your configuration settings to retain your directory, users, and many settings. It can take 2 business days typically to upgrade your configuration backup to a modern version. If they get an influx it can take a little longer.

    Q: What can I do to protect my system running ClearOS 5 from Badlock while I wait or work on my update to a newer version of ClearOS?

    A: The Badlock bug affects the protocol used by the CIFS protocol. To prevent compromise stop and disable your Samba stack:

    service smb stop
    service nmb stop
    service winbind stop
    chkconfig smb off
    chkconfig nmb off
    chkconfig winbind off

    If you insist on running ClearOS 5 with the badlock bug, be advised that ClearOS, by default, firewalls these ports to the outside world and this bug will not have an Internet-based exploit on a properly configured ClearOS 5 machine. However, your LAN will be subject to compromised data should any local user or local virus or trojan decide to explore and exploit the bug.
  • Accepted Answer

    Tuesday, April 12 2016, 05:14 PM - #Permalink
    Resolved
    0 votes
    You can monitor the status of Bad Lock (CVE-2016-2118) here:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2118
  • Accepted Answer

    Tuesday, April 12 2016, 05:53 PM - #Permalink
    Resolved
    0 votes
    ClearCenter's official response to Bad Lock will be listed here as the bug is resolved:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:announcements_cve_cve-2016-2118
  • Accepted Answer

    Tuesday, April 12 2016, 06:05 PM - #Permalink
    Resolved
    0 votes
    If you are interested, you can watch the build process here:

    http://koji.clearos.com/koji/clearos/index

    Currently we have the main packages but not some of the dependencies to build the 7 version.
  • Accepted Answer

    Wednesday, April 13 2016, 05:23 PM - #Permalink
    Resolved
    0 votes
    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.

    Thanks,
    Mike
  • Accepted Answer

    Wednesday, April 13 2016, 06:50 PM - #Permalink
    Resolved
    0 votes
    Mike Edwards wrote:

    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.


    There was an end user on the samba-technical mailing list reporting the same problem. I have no idea if it's a good one, but his solution was to change the following smb.conf parameters in the global section:


    client signing = required
    server signing = auto


    Important note: you should not yet have seen the Badlock Samba updates on a ClearOS box! There are only two ways to get the update:

    - Through the "clearos-updates-testing" repository. These updates were pushed through over the last 12 hours but the repo is disabled by default.
    - Directly through the CentOS repository. The update was pushed out around 2 a.m. Eastern, but this repo (called "centos-unverified") is disabled by default.

    As of the last few weeks, the default repository policies were changed in ClearOS. We shipped 6.7 and 7.2 with ClearOS pointing directly to the CentOS repos, but we have since pushed an update out so that ClearOS points to mirrors that we maintain. We keep these mirrors 1-7 days behind upstream CentOS just for this kind of reason -- an upstream update can occasionally cause a lot of grief. Perhaps your system did not have this ClearOS update installed and the old mirror policy was still in place?

    Edit: 6.8 -> 6.7
  • Accepted Answer

    Wednesday, April 13 2016, 07:04 PM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Mike Edwards wrote:

    So the samba updates this morning borked our ClearOS 6 Business PDC, causing machine trust accounts to fail. Is this a known issue? I can't get anyone on the phone and my support ticket has not been responded to yet.


    There was an end user on the samba-technical mailing list reporting the same problem. I have no idea if it's a good one, but his solution was to change the following smb.conf parameters in the global section:


    client signing = required
    server signing = auto


    Important note: you should not yet have seen the Badlock Samba updates on a ClearOS box! There are only two ways to get the update:

    - Through the "clearos-updates-testing" repository. These updates were pushed through over the last 12 hours but the repo is disabled by default.
    - Directly through the CentOS repository. The update was pushed out around 2 a.m. Eastern, but this repo (called "centos-unverified") is disabled by default.

    As of the last few weeks, the default repository policies were changed in ClearOS. We shipped 6.7 and 7.2 with ClearOS pointing directly to the CentOS repos, but we have since pushed an update out so that ClearOS points to mirrors that we maintain. We keep these mirrors 1-7 days behind upstream CentOS just for this kind of reason -- an upstream update can occasionally cause a lot of grief. Perhaps your system did not have this ClearOS update installed and the old mirror policy was still in place?

    Edit: 6.8 -> 6.7


    Thanks for the info! Both of those repos are indeed disabled so I wonder if we still got the update straight from CentOS.

    Yeah, we found part of that solution and were able to get most folks logged in by adding "server signing = auto" but still had a few issues like some network shares not being mapped due to "no logon servers found". We did not add the "client signing = required" but maybe that will help.

    I have since gotten a response to my ticket and sent some logs. We'll see what they say. I am spinning up a v7 PDC just in case I have to move to it.

    Thanks,
    Mike
  • Accepted Answer

    Thursday, April 14 2016, 03:07 PM - #Permalink
    Resolved
    0 votes
    client signing = required
    server signing = auto


    This worked in our installation for machines that simply couldn't connect after the update; however, we had one Windows Server 2012 installation and one Windows 8.1 x64 installation on which I had tried disconnecting from the domain and reconnecting, which failed. It did not resolve problems with these two machines. I was able to use System Restore on the Windows 8.1 machine to go back to an April 11 restore point and connect to the domain. I was then able to update this machine and all is well. Still searching for a solution for the Windows 2012 Server since there is no restore point option. This machine will connect to the domain and shows all other Windows machines on the network, but does not show either of our ClearOS installations, our main V6.8 server or a V7 test machine. Continuing to research solutions and have an open support ticket. Welcome any ideas from forum members.
  • Accepted Answer

    Thursday, April 14 2016, 04:56 PM - #Permalink
    Resolved
    0 votes
    If the following command yields a result, you need to remove that line:

    [root@server1 ~]# grep "^smb port" /etc/samba/smb.conf
    smb ports = 139
  • Accepted Answer

    Thursday, April 14 2016, 07:24 PM - #Permalink
    Resolved
    1 votes
    Some users have reported errors with ClearOS 6 where their machines picked up an update from the CentOS repo instead of the ClearOS repo. This doesn't normally happen if your server has been regularly updating. Please read this whole post before proceeding with any of the steps. The symptom is that you may have the following package on your system for ClearOS 6:

    3.6.23-30.el6_7

    Run this command:

    rpm -qi samba

    It should yield the following result for ClearOS 6 at this point:

    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 25.el6_7 Build Date: Tue 15 Mar 2016 05:25:09 PM CDT

    ^^^ This is the right one ^^^

    vvv This is the wrong one vvv
    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 30.el6_7

    If you have the 3.6.23-30 package at this point in time, you will likely have trust issues and an inability to access shares. There will be a proper version in our repos at a later time but at this time there seems to be upstream issues with the badlock patch...which is why we test before generally releasing to community and then we test using the community before going to other versions such as home, professional, and business.

    Ok, so if this is what is happening to you then run the following:

    yum downgrade libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbind-clients tdb-tools


    You should get a similar output. Please compare the versions so you don't go too far back:

    =======================================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================================
    Downgrading:
    libtalloc x86_64 2.0.8-1.v6 clearos 21 k
    libtdb x86_64 1.2.12-1.v6 clearos 36 k
    libtevent x86_64 0.9.18-3.el6 clearos 25 k
    samba x86_64 3.6.23-25.el6_7 clearos-centos-updates 5.0 M
    samba-client x86_64 3.6.23-25.el6_7 clearos-centos-updates 11 M
    samba-common x86_64 3.6.23-25.el6_7 clearos-centos-updates 10 M
    samba-winbind x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.2 M
    samba-winbind-clients x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.0 M
    tdb-tools x86_64 1.2.12-1.v6 clearos 24 k

    Transaction Summary
    =======================================================================================================================
    Downgrade 9 Package(s)


    After you have done this, you will need to recover a previous configuration backup that matches this code! If you have already removed a workstation from the domain and rejoined it to the version 30 domain, you will need to disjoin it AGAIN and rejoin it to the new domain. You may also have to reset the winadmin password.
  • Accepted Answer

    Thursday, April 14 2016, 08:44 PM - #Permalink
    Resolved
    0 votes
    Dave Loper wrote:

    Some users have reported errors with ClearOS 6 where their machines picked up an update from the CentOS repo instead of the ClearOS repo. This doesn't normally happen if your server has been regularly updating. Please read this whole post before proceeding with any of the steps. The symptom is that you may have the following package on your system for ClearOS 6:

    3.6.23-30.el6_7

    Run this command:

    rpm -qi samba

    It should yield the following result for ClearOS 6 at this point:

    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 25.el6_7 Build Date: Tue 15 Mar 2016 05:25:09 PM CDT

    ^^^ This is the right one ^^^

    vvv This is the wrong one vvv
    Name : samba Relocations: (not relocatable)
    Version : 3.6.23 Vendor: CentOS
    Release : 30.el6_7

    If you have the 3.6.23-30 package at this point in time, you will likely have trust issues and an inability to access shares. There will be a proper version in our repos at a later time but at this time there seems to be upstream issues with the badlock patch...which is why we test before generally releasing to community and then we test using the community before going to other versions such as home, professional, and business.

    Ok, so if this is what is happening to you then run the following:

    yum downgrade libtalloc libtdb libtevent samba samba-client samba-common samba-winbind samba-winbind-clients tdb-tools


    You should get a similar output. Please compare the versions so you don't go too far back:

    =======================================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================================
    Downgrading:
    libtalloc x86_64 2.0.8-1.v6 clearos 21 k
    libtdb x86_64 1.2.12-1.v6 clearos 36 k
    libtevent x86_64 0.9.18-3.el6 clearos 25 k
    samba x86_64 3.6.23-25.el6_7 clearos-centos-updates 5.0 M
    samba-client x86_64 3.6.23-25.el6_7 clearos-centos-updates 11 M
    samba-common x86_64 3.6.23-25.el6_7 clearos-centos-updates 10 M
    samba-winbind x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.2 M
    samba-winbind-clients x86_64 3.6.23-25.el6_7 clearos-centos-updates 2.0 M
    tdb-tools x86_64 1.2.12-1.v6 clearos 24 k

    Transaction Summary
    =======================================================================================================================
    Downgrade 9 Package(s)


    After you have done this, you will need to recover a previous configuration backup that matches this code! If you have already removed a workstation from the domain and rejoined it to the version 30 domain, you will need to disjoin it AGAIN and rejoin it to the new domain. You may also have to reset the winadmin password.


    Solved our issue. Thank you for the excellent sleuthing. Can the following lines be safely removed from smb.conf, or do you recommend leaving them in place?
    client signing = required
    server signing = auto


    Also, should
    smb ports = 139
    be added back, if removed?
  • Accepted Answer

    Friday, April 15 2016, 03:57 AM - #Permalink
    Resolved
    1 votes
    I'm glad that worked for you Herm, and thanks for reporting back here as well as in our private discussion.

    The line 'smb ports = 139' should ALWAYS be removed.

    This is a relic of the 'Simple File Sharing' methodology which was using the SMB protocol. There are a few relevant ports in the old methodology such as 137, 138, and 139. But with the introduction of Windows 2000 came the implementation of port 445 which allows for SMB over TCP/IP without NetBIOS. The problem here for Windows 10 and other patches from Windows is that these older protocols are prone to compromise and so Microsoft is slowly and gradually dropping support for SMB in favor of CIFS. Microsoft isn't alone. The Samba team would love it as well if everyone would update to the newer, more secure protocol.

    I've had a lot of support issues with Windows 10 and if this line exists, it is always problematic because it disables port 445 on Samba.
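An added audit script, not from the thread or from ClearOS, that checks the three things the posts above walk through: whether `smb ports` still pins Samba to 139 and so drops 445 (the line Dave says should always be removed), which `client signing` / `server signing` values are set (the workaround lines), and whether `rpm -qi samba` reports the 30.el6_7 release the downgrade post identifies as the problematic one. The sample smb.conf and rpm output are constructed, and the "known bad" release is hard-coded from that post as of April 2016.

```sh
#!/bin/sh
# Constructed sample smb.conf with the "smb ports = 139" relic still present.
SAMPLE_SMB_CONF='[global]
    workgroup = EXAMPLE
    netbios name = SERVER1
    smb ports = 139
    server signing = auto

[homes]
    browseable = no'
# Constructed sample of "rpm -qi samba" output in rpm's two-column layout.
SAMPLE_RPM_QI='Name        : samba                        Relocations: (not relocatable)
Version     : 3.6.23                            Vendor: CentOS
Release     : 30.el6_7                      Build Date: (sample)'

# Print only the [global] section of the smb.conf text read from stdin.
global_section() {
    awk '/^[ \t]*\[/ { g = ($0 ~ /^[ \t]*\[global\][ \t]*$/) } g { print }'
}
# Print the value of one [global] parameter from the smb.conf text on stdin
# (empty if unset). Samba parameter names are case-insensitive.
smb_param() {
    global_section | awk -F= -v key="$1" '
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                sub(/^[^=]*=/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
                print; exit
            }
        }'
}
# Exit 0 when "smb ports" still allows TCP 445 (unset means Samba's default
# "445 139"); exit 1 when it pins Samba to 139 only, the line the post says to remove.
ports_allow_445() {
    ports=$(printf '%s\n' "$1" | smb_param "smb ports")
    [ -z "$ports" ] && return 0
    case " $ports " in *" 445 "*) return 0 ;; esac
    return 1
}
# Report the signing values in effect so they can be compared with the workaround.
signing_settings() {
    c=$(printf '%s\n' "$1" | smb_param "client signing")
    s=$(printf '%s\n' "$1" | smb_param "server signing")
    printf 'client signing=%s server signing=%s\n' "${c:-unset}" "${s:-unset}"
}
# Pull the Release field out of "rpm -qi" output (first word after the colon).
samba_release() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^Release/ { split($2, a, " "); print a[1]; exit }'
}
# Exit 0 when the release is the 30.el6_7 build the downgrade post flags
# (hard-coded from that post, April 2016; adjust for later advisories).
release_is_known_bad() {
    case "$(samba_release "$1")" in 30.el6_7) return 0 ;; *) return 1 ;; esac
}
main() {
    ports_allow_445 "$SAMPLE_SMB_CONF" || echo "smb ports omits 445: remove the line"
    signing_settings "$SAMPLE_SMB_CONF"
    if release_is_known_bad "$SAMPLE_RPM_QI"; then
        echo "samba release $(samba_release "$SAMPLE_RPM_QI"): downgrade per the post"
    fi
    return 0
}
main "$@"
```

To run it against a live box, replace the two constructed samples with `cat /etc/samba/smb.conf` and `rpm -qi samba` output.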
  • Accepted Answer

    Friday, April 15 2016, 04:18 AM - #Permalink
    Resolved
    0 votes
    Mad props to Dave for getting our PDC back up and running--even though he was on very little sleep!
  • Accepted Answer

    Friday, April 15 2016, 04:53 AM - #Permalink
    Resolved
    0 votes
    Shout out to Peter Baldwin. He turned up the actual solution when I gave him all the data.
  • Accepted Answer

    Tuesday, April 19 2016, 06:33 PM - #Permalink
    Resolved
    0 votes
    According to this Red Hat bug report, a Samba update that addresses the "trust relationship failure" issue is coming.
  • Accepted Answer

    Tuesday, May 03 2016, 06:18 PM - #Permalink
    Resolved
    0 votes
    Can you let us know what is happening on this? It is supposed to be a critical bug (not an issue for me in a domestic environment), but there have been no updates to samba in ClearOS 6.x since 16/03 - a month before the bug was disclosed.
  • Accepted Answer

    Wednesday, May 04 2016, 01:57 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you let us know what is happening on this? It is supposed to be a critical bug (not an issue for me in a domestic environment), but there have been no updates to samba in ClearOS 6.x since 16/03 - a month before the bug was disclosed.


    Keep an eye on Red Hat's bug report on the matter - https://bugzilla.redhat.com/show_bug.cgi?id=1326918

    There were also a bunch of Badlock regression fixes pushed through the Samba project just a few days ago. Here's the mailing list reference: https://lists.samba.org/archive/samba-technical/2016-April/113719.html
  • Accepted Answer

    Tuesday, May 10 2016, 11:48 PM - #Permalink
    Resolved
    0 votes
    Well, a complete month now and we are back to "patch Tuesday" again and........ nothing more....
    Last activity on the mailing list Thu Apr 28... patience... patience...

    Meanwhile in the black-hat's den....
  • Accepted Answer

    Tuesday, May 31 2016, 04:53 PM - #Permalink
    Resolved
    0 votes
    Hello all,

    Just a quick update on this topic. It looks like the issue was resolved upstream for Red Hat 6 - https://rhn.redhat.com/errata/RHBA-2016-0992.html. That Samba update is sitting in the ClearOS 6 test repository and will be pushed to updates-testing on Wednesday (if all goes well with testing).
  • Accepted Answer

    Tuesday, May 31 2016, 09:15 PM - #Permalink
    Resolved
    0 votes
    Thanks Peter.

    Just wondering what has been happening for the last 3 weeks since the 10th May when that was issued?

    And is there a fix for 7 yet?
  • Accepted Answer

    Thursday, June 02 2016, 10:08 PM - #Permalink
    Resolved
    0 votes
    Malcolm Warwick wrote:

    And is there a fix for 7 yet?


    Keep an eye on the RHEL 7 updates here - https://rhn.redhat.com/errata/rhel-server-7-errata.html. No sign of an update yet.
  • Accepted Answer

    Saturday, June 04 2016, 03:28 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter

    Perhaps I'm not reading this right, but seems to imply this was fixed?
    https://rhn.redhat.com/errata/RHSA-2016-0612.html

    An update for samba4 and samba is now available for Red Hat Enterprise Linux 6
    and Red Hat Enterprise Linux 7, respectively.


    Cheers
    Malcolm
  • Accepted Answer

    Monday, June 06 2016, 02:05 PM - #Permalink
    Resolved
    0 votes
    Hi Malcolm,

    Malcolm Warwick wrote:

    Thanks Peter

    Perhaps I'm not reading this right, but seems to imply this was fixed?
    https://rhn.redhat.com/errata/RHSA-2016-0612.html

    An update for samba4 and samba is now available for Red Hat Enterprise Linux 6
    and Red Hat Enterprise Linux 7, respectively.


    Cheers
    Malcolm


    There was indeed a quick fix for the Badlock issue, but that fix broke certain types of Samba environments. Red Hat has since released a "fix for the fix" in RHEL 6, but nothing has appeared for RHEL 7 yet. Red Hat does a great job at maintaining a stable platform -- it's not easy to do, and they pull it off for thousands of updates. However, this was one of the rare occasions where the fix was not up to par.
  • Accepted Answer

    Wednesday, June 08 2016, 04:59 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter

    Hopefully this will be resolved before too long :)
  • Accepted Answer

    Wednesday, June 29 2016, 02:04 AM - #Permalink
    Resolved
    0 votes
    Quick update -- the Samba "fix for the fix" is on the way to the ClearOS 7 mirrors. Here are the June 23 release notes from Red Hat:

    https://rhn.redhat.com/errata/RHBA-2016-1257.html
  • Accepted Answer

    Wednesday, June 29 2016, 03:46 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter... 40 rpms all installed cleanly. As well as the samba updates - updated apps, lvm2, device-mapper, kernel and other misc rpms.
    Also resolved a version conflict between i686 and x86-64 versions of libldb that I had lived with waiting for this update...
  • Accepted Answer

    Wednesday, June 29 2016, 02:31 PM - #Permalink
    Resolved
    0 votes
    Hi Tony,

    Thanks Peter... 40 rpms all installed cleanly. As well as the samba updates - updated apps, lvm2, device-mapper, kernel and other misc rpms.
    Also resolved a version conflict between i686 and x86-64 versions of libldb that I had lived with waiting for this update...


    There were 26 upstream software package updates released on June 23 - full Red Hat list is here. With each package potentially producing multiple RPMs, it was a good-sized update! This seems to be more common with Red Hat releases over the last year-ish or so. It's like a mini service pack comes through every couple of months.