Community ISO maintenance and build issues - 2

SolydXK is too quiet for you? SolydXK Enthusiast Editions, based on Debian Testing is for you! Here you can find news about Debian Testing and Unstable too, and also tests on SolydXK programs.
The support for SolydXK EE is provided by the community.
Arjen Balfoort
Site Admin
Posts: 9282
Joined: 26 Jan 2013 19:36
Location: Netherlands

Postby Arjen Balfoort » 29 Jul 2019 14:59

The new ee packages were uploaded to the solydxk-11 repository.

The ee packages from the solydxk-10 repository were removed.

Let me know how that goes.


SolydXK needs you!
Development | Testing | Translations

grizzler
Posts: 2171
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Postby grizzler » 29 Jul 2019 18:05

@xendistar,
OK.

@Arjen,
About the system-adjustments-11 packages: you forgot to change 10 to 11 in /usr/share/solydxk/info.
Frank

SolydX EE 64 - tracking Debian Testing

Postby Arjen Balfoort » 29 Jul 2019 20:52

info file updated and new packages uploaded.


SolydXK needs you!
Development | Testing | Translations

Postby grizzler » 16 Aug 2019 18:50

The virtualbox packages are still missing from Debian's testing repo, but they don't seem to be in the solydxk-11/-ee repo either. Could you create a similar import setup as for solydxk-10, please? Thanks.
Frank

SolydX EE 64 - tracking Debian Testing

Postby Arjen Balfoort » 16 Aug 2019 19:20

Imports for solydxk-11 are now the same as for solydxk-10.


SolydXK needs you!
Development | Testing | Translations

Postby grizzler » 02 Sep 2019 18:00

Could you remove kde-style-breeze-qt4 from solydk-system-adjustments-11's dependencies please? It's no longer in testing or sid and I think it's responsible for apt-get trying to pull the adjustments package off the SolydK EE ISO.

Edit
You may want to update the adjustments package's Description field, while you're at it...
Frank

SolydX EE 64 - tracking Debian Testing

Postby grizzler » 13 Oct 2019 20:11

After a recent samba upgrade, the Total Commander LAN-plugin on my mobile phone could no longer connect to the smbd server on my main machine. I wasted several hours looking for the answer (in the wrong place) and eventually 'fixed' things the Microsoft way: by removing the plugin's settings and starting over.

While trying to find a fix, I noticed the /etc/samba/smb.conf file has some SolydXK specific settings at the start of the [global] section:

follow symlinks = yes
wide links = yes
unix extensions = no
client lanman auth = yes
client ntlmv2 auth = no

I have some reservations about these.
The first one doesn't make sense as that's already the default.
Setting 'wide links' is fine, but instead of switching off 'unix extensions' (which blocks 'wide links' when 'on' [ = default] ), I would set 'allow insecure wide links' to yes (which undoes the blocking).

The last two caused problems. I couldn't connect to the server from the SolydX EE on my laptop either, because it tried to use the outdated protocols which these settings enable and the server wouldn't have it (apparently, that's what the upgrade did: it set the default 'server min protocol' to SMB2_02).

I checked the forum, but I couldn't find the reason for these SolydXK specific settings. Unless someone else can and explains why we shouldn't, I would suggest we remove the last two for the EEs (as the samba upgrade was for bullseye, I assume buster doesn't need that).
Frank

SolydX EE 64 - tracking Debian Testing

Postby Arjen Balfoort » 14 Oct 2019 06:21

I think these settings are really old and inherited from our Mint time.

What I understand from your post is this:
Remove "follow symlinks = yes": it is already default.
Remove "wide links = yes": it should be "on" and is already default.
Remove "unix extensions = no": blocks wide links.
Remove "client lanman auth = yes": outdated.
Remove "client ntlmv2 auth = no": outdated.

Additionally use "allow insecure wide links = yes" if you choose to set "unix extensions = no".

The above only applies to bullseye.

Did I understand correctly?

Currently these are written in the postinst script of solydxk-system. Which means that I have to move the code to the appropriate adjustments packages.


SolydXK needs you!
Development | Testing | Translations

Postby grizzler » 14 Oct 2019 10:42

Arjen Balfoort wrote (14 Oct 2019 06:21):
> I think these settings are really old and inherited from our Mint time.

Wouldn't surprise me...

> Did I understand correctly?

Not quite. We want "wide links" (which is off/no by default), but "unix extensions" wouldn't hurt either. However the latter (on/yes by default) blocks the former, unless "allow insecure wide links" is set. So we end up with:

wide links = yes
allow insecure wide links = yes

and nothing more.
> Currently these are written in the postinst script of solydxk-system. Which means that I have to move the code to the appropriate adjustments packages.

Maybe wait a while with that and see what happens if this is used on buster as well. It's not strictly necessary there, but I think it wouldn't hurt either.

Ilu? Kurotsugi? Agreed?

Edit
Actually, thinking about this a bit more, I'm wondering whether we actually want wide links. It is a bit of a security hole...
What do people think?
Frank

SolydX EE 64 - tracking Debian Testing

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Postby kurotsugi » 15 Oct 2019 00:55

anything related to security stuff would be good :3

ilu
Posts: 2493
Joined: 09 Oct 2013 12:45

Postby ilu » 15 Oct 2019 20:42

I don't use samba. But reading up on it here https://www.samba.org/samba/docs/curren ... EWIDELINKS clearly shows that insecure wide links might be what the name says - insecure. That should not be our default. Especially not if it's an old setting that wasn't revisited for over 5 years. Is there a reason we would want wide links as default?

As for the unix extensions I'm not sure about their practical usage since not every client supports them. I could find some connection to CIFS which I think should be supported. The reason for the conf we inherited might be that there are reports that setting allow insecure wide links to yes doesn't work the way it should. So to achieve wide links, the unix extensions were disabled instead.

As for client lanman auth = yes:
This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash.
That speaks for itself. It's needed for Windows 95/98 clients but those are a thing of the past. So only NTLMv2 auth is the way to go.

Wherever security is involved we should stick as closely to defaults as possible, since the upstream team knows best (and checks regularly). If we change anything we should have strong reasons to do so. Many of our users won't even use samba.

AFAIK defaults are: follow symlinks = yes, wide links = no, unix extensions = yes, client NTLMv2 auth = yes. Since this is a security change, I would prefer a change back to defaults, that affects installed systems too. We should document the change so users can see where to adapt the conf if they really need wide links or Windows 95/98 compatibility.

And same for buster, no need to differentiate.
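
The comparison against upstream defaults that the post above argues for can be scripted. This is an added example, not part of the post or of any SolydXK package; the function name, the default table for the six parameters named in the thread, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SolydXK code: list smb.conf settings that differ from
# the Samba defaults for the parameters discussed in this thread.
audit_smb_conf() {   # $1 = path to smb.conf
    awk '
    BEGIN {
        # Keys are parameter names with case and whitespace removed;
        # smb.conf treats both as irrelevant in parameter names.
        def["followsymlinks"]         = "yes"
        def["widelinks"]              = "no"
        def["allowinsecurewidelinks"] = "no"
        def["unixextensions"]         = "yes"
        def["clientlanmanauth"]       = "no"
        def["clientntlmv2auth"]       = "yes"
    }
    /^[ \t]*[#;]/ { next }                        # comment lines
    /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
    index($0, "=") {
        eq  = index($0, "=")
        raw = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", raw)
        key = tolower(raw);          gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        # Normalise the boolean spellings to yes/no before comparing
        if (val ~ /^(yes|true|on|1)$/)        val = "yes"
        else if (val ~ /^(no|false|off|0)$/)  val = "no"
        if ((key in def) && val != def[key])
            printf "%s %s = %s (default: %s)\n", sec, raw, val, def[key]
    }' "$1"
}

# Constructed sample input, not a real system's configuration
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   client lanman auth = yes
   Client NTLMv2 Auth = No
   follow symlinks = yes
[public]
   path = /srv/public
   wide links = true
EOF
audit_smb_conf "$sample"
rm -f "$sample"
```

Share sections are checked as well as [global], because "wide links" and "follow symlinks" can be overridden per share.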

Postby grizzler » 16 Oct 2019 06:26

Agreed. The defaults should do.
Frank

SolydX EE 64 - tracking Debian Testing

Postby Arjen Balfoort » 16 Oct 2019 09:36

I will put this sed in the postinst script of solydxk-system:

Code:

sed -i -e '/^ \{2,\}## SOLYDXK/,/^ \{2,\}client ntlmv2 auth = no/d' /etc/samba/smb.conf

Please improve if necessary.


SolydXK needs you!
Development | Testing | Translations
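
A sed address range whose end pattern never matches runs to the end of the file, so on a system where the admin changed or removed the "client ntlmv2 auth = no" line, the range delete above would also remove everything after the marker. This added example, which is not the solydxk-system postinst, applies the same delete only when the block is intact; the function names, the backup suffix and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the actual solydxk-system postinst.
START='^ \{2,\}## SOLYDXK'
END='^ \{2,\}client ntlmv2 auth = no'

# Delete the SolydXK block from smb.conf ($1) only if it is still intact.
# Returns 0 when the block was removed or is already gone, 1 when skipped.
remove_solydxk_block() {
    conf=$1
    s=$(grep -n -m1 -e "$START" "$conf" | cut -d: -f1)
    [ -n "$s" ] || return 0                      # already removed: idempotent
    # sed tests the end address from the line after the start marker; if it
    # never matches, the range runs to end of file and takes the shares along.
    e=$(tail -n "+$((s + 1))" "$conf" | grep -n -m1 -e "$END" | cut -d: -f1)
    if [ -z "$e" ] ||
       tail -n "+$((s + 1))" "$conf" | head -n "$e" | grep -q '^[[:space:]]*\['
    then
        echo "$conf: SolydXK block was edited by hand, not touching it" >&2
        return 1
    fi
    cp -p "$conf" "$conf.solydxk-bak"            # keep a copy for the admin
    sed -i -e "/$START/,/$END/d" "$conf"
}

# Constructed sample: the block from the thread followed by a user share.
make_sample() {
    cat > "$1" <<'EOF'
[global]
   ## SOLYDXK
   follow symlinks = yes
   wide links = yes
   unix extensions = no
   client lanman auth = yes
   client ntlmv2 auth = no
   workgroup = WORKGROUP
[share]
   path = /srv/share
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/smb.conf"
remove_solydxk_block "$demo_dir/smb.conf" && cat "$demo_dir/smb.conf"
rm -rf "$demo_dir"
```

In a postinst running under `set -e`, call it as `remove_solydxk_block /etc/samba/smb.conf || true` so that a hand-edited file does not abort the package upgrade.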

Postby grizzler » 16 Oct 2019 11:58

That should work.
Frank

SolydX EE 64 - tracking Debian Testing

