samba_4.1.17+dfsg-2+deb8u1 root share results in NT_STATUS_ACCESS_DENIED on subdirectories on Debian Jessie

Recently I saw a Debian Jessie server start returning “NT_STATUS_ACCESS_DENIED” whenever a user tried to access a subdirectory from a root share. A quick dig through the Debian bug tracker revealed this bug report so we’ll see it fixed in an update at some point.

However there’s no telling when the update will actually come; so the question is what to do in the meantime? One option is to replicate the mount point elsewhere and share that, e.g after doing the below we could just set “path=/mnt/root”

# mkdir /mnt/root
# mount -o rbind / /mnt/root  

The other option is to apply the patch supplied in the upstream bug report to the existing Debian package; the only issue here is we have to tread carefully so as not to break the packaging system. The Debian packaging system is very much an unknown to me, but this is how I go about applying such a patch (Disclaimer: Follow this advice at your own peril)

First we need to make sure we have the tools for building packages:

$ sudo apt-get install build-essential devscripts

Then get the source and the upstream patch:

$ cd /tmp
$ sudo apt-get update
$ wget -O samba.patch https://attachments.samba.org/attachment.cgi?id=11742
$ apt-get source samba
$ cd samba-4.1.17+dfsg

To prepare a patch proper we’d use quilt

$ sudo apt-get install quilt
$ export QUILT_PATCHES=debian/patches
$ export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"
$ quilt push -a
$ quilt new bug_812429_share_of_root_no_longer_works.patch 
$ quilt add source3/smbd/vfs.c
$ patch -p1 < ../samba.patch
$ quilt refresh
$ quilt pop -a 

Or alternatively as we only really care about making the binary package we can take a shortcut and just apply the patch on top of the source we’ve downloaded:

$ patch -p1 < ../samba.patch
$ dpkg-source --commit

Now we want to make sure our package doesn’t get overwritten until an actual update appears, we can bump the version number to enforce this:

$ debchange --increment
    * Add bug_812429_share_of_root_no_longer_works.patch

Now build our package(s):

$ dpkg-buildpackage -us -uc

We only really need the changes in “samba-libs_4.1.17+dfsg-2+deb8u1.1_amd64.deb”, but because we’ve bumped the version number we need to apply all the rebuilt packages that depend on samba-libs:

$ su -
# dpkg -i samba-libs_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i python-samba_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i libsmbclient_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i samba-common_4.1.17+dfsg-2+deb8u1.1_all.deb
# dpkg -i samba-common-bin_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i samba_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i samba-dsdb-modules_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i samba-vfs-modules_4.1.17+dfsg-2+deb8u1.1_amd64.deb
# dpkg -i smbclient_4.1.17+dfsg-2+deb8u1.1_amd64.deb  

Hopefully this will suffice, and once the Debian apt repository is updated, and only then will “apt-get upgrade” overwrite our patched package.