Paket yöneticisi hataları hakkında

İyi günler. Bugün açtığım 3. hata ama yükleme yaptığımda aşağıdaki hatayı veriyor. Tüm uygulama ve güncellemeleri nasıl hatasız kurabilirim acaba tşk ederim.

samba (2:4.2.10+dfsg-0+deb8u1) jessie-security; urgency=high

This Samba security release moves Samba from Samba 4.1 to 4.2 in
Debian jessie.  This addresses both Denial of Service and Man in
the Middle vulnerabilities.

This change was required as the scale of the patches did not
permit a backport to Samba 4.1.

Both the 4.2 upgrade and the new security patch implement new
smb.conf options and a number of stricter behaviours to prevent
Man in the Middle attacks on our network services, as a client and
as a server.

Between these changes, compatibility with a large number of older
software versions has been lost in the default configuration.

See the release notes in WHATNEW.txt for more information.

Here are some additional hints how to work around the new stricter default behaviors:

* As an AD DC server, only Windows 2000 and Samba 3.6 and above as
  a domain member are supported out of the box. Other smb file
  servers as domain members are also fine out of the box.

* As an AD DC server, with default setting of "ldap server require
  strong auth", LDAP clients connecting over ldaps:// or START_TLS
  will be allowed to perform simple LDAP bind only.

  The preferred configuration for LDAP clients is to use SASL
  GSSAPI directly over ldap:// without using ldaps:// or

  To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
  NTLMSSP) sign/seal protection must be used by the client and
  server should be configured with "ldap server require strong
  auth = allow_sasl_over_tls".

  Consult OpenLDAP documentation how to set sign/seal protection
  in ldap.conf.

  For SSSD client configured with "id_provider = ad" or
  "id_provider = ldap" with "auth_provider = krb5", see
  sssd-ldap(5) manual for details on TLS session handling.

* As a File Server, compatibility with the Linux Kernel cifs
  client depends on which configuration options are selected, please
  use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".

* As a file or printer client and as a domain member, out of the
  box compatibility with Samba less than 4.0 and other SMB/CIFS
  servers, depends on support for SMB signing or SMB2 on the
  server, which is often disabled or absent. You may need to
  adjust the "client ipc signing" to "no" in these cases.

* Due to bug Samba bug #11830, when Samba is configured as a
  domain member in Active Directory domain and this domain has
  trust to other Active Directory domains, you will need to set

    winbind sealed pipes = false
require strong key = false

  Doing so will however remove an aspect of our protection against
  MitM attacks between winbindd and the domain controllers.

* The out of the box compatibility with Samba 3.x domain controllers
  requires NETLOGON features only available in Samba 3.2 and above.

However, all of these can be worked around by setting smb.conf
options in Samba, see WHATSNEW.txt the 4.2.0 release notes at and the Samba
wiki for details, workarounds and suggested security-improving
changes to these and other software packages.

Suggested further improvements after patching:

It is recommended that administrators set these additional options,
if compatible with their network environment:

    server signing = mandatory
    ntlm auth = no

Without "server signing = mandatory", Man in the Middle attacks
are still possible against our file server and
classic/NT4-like/Samba3 Domain controller. (It is now enforced on
Samba's AD DC.) Note that this has heavy impact on the file server
performance, so you need to decide between performance and
security. These Man in the Middle attacks for smb file servers are
well known for decades.

Without "ntlm auth = no", there may still be clients not using
NTLMv2, and these observed passwords may be brute-forced easily using
cloud-computing resources or rainbow tables.

– Andrew Bartlett Tue, 12 Apr 2016 16:18:57 +1200