ansible-role-samba
CVE-2017-7494 Mitigation is activated even if Samba version is newer than the affected one
In Ubuntu 20.04, Samba version 4.11.6 is installed. Even so, the mitigation option `nt pipe support = no` is added to the global part of `smb.conf`. This results in Windows clients not being able to connect to the shares.
The reason is that Ubuntu has its own naming convention for the version number, which is not correctly detected by the mechanism already in place. The following happens on Ubuntu:
$ smbd --version
Version 4.11.6-Ubuntu
Therefore the mechanism to detect the Samba version fails to remove all text except the version number. I would propose to replace the shell command in `main.yml`
smbd --version | sed 's/Version //'
by
smbd --version | sed 's/Version //' | sed 's/-Ubuntu//'
# or even
smbd --version | sed 's/Version //' | sed 's/-.*//'
Fix pending in https://github.com/bertvv/ansible-role-samba/pull/61.
Just come across this issue - took me ages to realise this was the cause since shares are accessible directly from Windows, but trying to browse the server returns a permission error. This can fortunately be worked around with setting `samba_mitigate_cve_2017_7494` to `false` as described in the readme, but it would be better not to apply the fix in the first place.
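The version check discussed in this issue, as an added example that is not the role's own code: it strips any distribution suffix from the `smbd --version` banner and decides whether the mitigation is needed. The function names are hypothetical, and the thresholds (3.5.0 and later affected; fixed in 4.4.14, 4.5.10 and 4.6.4) are taken from the upstream Samba advisory for CVE-2017-7494, not from this page.

```shell
#!/bin/sh
# Added example, not part of ansible-role-samba. Function names are
# hypothetical; thresholds are assumed from the upstream Samba advisory
# (3.5.0 and later affected; fixed in 4.4.14, 4.5.10 and 4.6.4).

# Extract the bare x.y.z from an "smbd --version" banner, ignoring any
# distribution suffix such as "-Ubuntu" or "-Debian".
samba_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 is lower than version $2, comparing each
# component numerically (so 4.11.6 is not lower than 4.6.4).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print "yes" if the banner's version needs the mitigation, "no" if not,
# and "unknown" if the banner cannot be parsed, so the caller can decide
# how to fail safe.
needs_mitigation() {
    v=$(samba_version "$1")
    [ -n "$v" ] || { echo unknown; return; }
    if version_lt "$v" 3.5.0; then echo no; return; fi
    case "$v" in
        4.4.*) fixed=4.4.14 ;;
        4.5.*) fixed=4.5.10 ;;
        *)     fixed=4.6.4 ;;
    esac
    if version_lt "$v" "$fixed"; then echo yes; else echo no; fi
}

# Sample banners: the first is the one quoted in the issue, the others
# are constructed for illustration.
for banner in 'Version 4.11.6-Ubuntu' 'Version 4.5.9' 'Version 4.6.4-Debian'; do
    printf '%s -> %s\n' "$banner" "$(needs_mitigation "$banner")"
done
```

Matching the leading digits instead of deleting known suffixes keeps the check working for vendor strings that have not been seen yet.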