I have a script that runs with EX2 starts.
That script enables (enabled)
allow insecure wide links = yes, andwide links = yes
After upgrading to 5.27.157, Samba now won’t start and I’m now seeing in the logs:
Error loading module '/lib/vfs/widelinks.so':
[2023/10/31 17:01:05.309397, 3] ../../source3/smbd/vfs.c:118(vfs_init_default)
Initialising default vfs hooks
[2023/10/31 17:01:05.309423, 3] ../../source3/smbd/vfs.c:144(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2023/10/31 17:01:05.309450, 3] ../../source3/smbd/vfs.c:144(vfs_init_custom)
Initialising custom vfs hooks from [widelinks]
[2023/10/31 17:01:05.309565, 0] ../../lib/util/modules.c:49(load_module)
Error loading module '/lib/vfs/widelinks.so': /lib/vfs/widelinks.so: cannot open shared object file: No such file or directory
[2023/10/31 17:01:05.309598, 0] ../../source3/smbd/vfs.c:188(vfs_init_custom)
error probing vfs module 'widelinks': NT_STATUS_UNSUCCESSFUL
[2023/10/31 17:01:05.309627, 0] ../../source3/smbd/vfs.c:385(smbd_vfs_init)
smbd_vfs_init: widelinks enabled and vfs_init_custom failed for vfs_widelinks module
Samba 4.13 moved wide links functionality to a separate VFS module.
For this release, the code implementing the insecure “wide links = yes” functionality has been moved out of the core smbd code and into a separate VFS module, vfs_widelinks. Currently this vfs module is implicitly loaded by smbd as the last but one module before vfs_default if “wide links = yes” is enabled on the share (note, the existing restrictions on enabling wide links around the SMB1 “unix extensions” and the “allow insecure wide links” parameters are still in force). The implicit loading was done to allow existing users of “wide links = yes” to keep this functionality without having to make a change to existing working smb.conf files.
Please note that the Samba developers recommend changing any Samba installations that currently use “wide links = yes” to use bind mounts as soon as possible, as “wide links = yes” is an inherently insecure configuration which we would like to remove from Samba. Moving the feature into a VFS module allows this to be done in a cleaner way in future.
A future release to be determined will remove this implicit linkage, causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the “vfs objects =” parameter lists. The release notes will be updated to note this change when it occurs.
OK, so does that mean the next version (OS 5.27.xxx) should also include samba-vfs-modules (2:4.13.13+dfsg-1~deb11u5) seen here?
