[Samba] Moving from samba-3.6.23-25.el6_7.x86_64 to samba-3.6.23-30.el6_7 has broken access to our MAC OS X clients
Ian Collier
Ian.Collier at cs.ox.ac.uk
Thu Apr 21 11:46:27 UTC 2016
On Wed, Apr 20, 2016 at 03:42:47PM -0500, Karen Magee wrote:
> Also tried winbindd and that was a disaster of a
> different sort.
>
> It wouldn't use the local unix groups first, which will cause way too
> many issues.
>
> All along, however, the PCs that connect (when not trying to use
> winbindd) have consistently
> been able to connect and use the proper groups to access the files on
> the server.

I hear your frustration - we've had the same troubles. My understanding
of this (which may be wrong) is:

- The Badlock patches broke something in the Samba server which
means it's no longer able to contact the Windows AD in order to
authenticate users.
- Windows clients who are on the domain are still able to authenticate
because they have a valid Kerberos ticket from the AD server, but
GNU/Linux and Mac OS X clients cannot. [We haven't configured any
non-Windows clients to talk Kerberos to the Windows AD server so
it's unknown whether that would provide a workaround.]
- But Winbind is still able to authenticate users against AD because it
has "a much more robust and well-used codepath".
- This is not likely to get fixed in the near future, so you must run
Winbind if you have any GNU/Linux or Mac OS X clients.
- But when you connect from a Windows client using Winbind, it uses
the Windows AD groups for access control instead of the Unix groups.
This is basically broken on CentOS/RHEL 6. If you have a Red Hat
subscription then you might try opening a ticket, but I wouldn't
hold up much hope. The Samba project won't help you as they don't
support this version any more.

In CentOS/RHEL 7 this is somewhat better, as we've found this morning
after a frantic switchover. You still have to run Winbind, but if you
put "username map script = /bin/echo" into the config then it will
use the Unix access permissions and (fingers crossed) it *seems* to be
now working as it did before the patches hit.
(Note: I also added "winbind trusted domains only = yes" but whether
that makes any difference I can't say, and I'm going to stop fiddling
with it now it's working.)

Ian Collier.
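For readers who want to see the CentOS/RHEL 7 workaround in context, here is an illustrative smb.conf [global] section. It is an added example, not Ian Collier's actual configuration; the workgroup, realm and idmap ranges are placeholder assumptions, and only the two "username map script" and "winbind trusted domains only" lines come from the post itself.

```ini
# Added illustration, not the poster's smb.conf: a minimal [global] section
# for a CentOS/RHEL 7 Samba domain-member server that authenticates domain
# users through Winbind but applies local Unix group permissions, as the
# post describes. Workgroup, realm and idmap ranges are placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ads

   # Winbind must be running for non-Windows (GNU/Linux, Mac OS X) clients
   # to authenticate against AD after the Badlock updates, per the post.
   # Assumed idmap layout; adjust to your site.
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999

   # The workaround from the post. /bin/echo prints the incoming username
   # back unchanged, so Samba resolves the (identity-mapped) name to the
   # local Unix account and uses that account's Unix groups for access
   # control rather than the AD group list.
   username map script = /bin/echo

   # Also set by the poster; whether it changes anything was not confirmed.
   winbind trusted domains only = yes
```

After editing, run `testparm -s` to confirm both parameters are parsed, restart the winbind and smb services, and check that `wbinfo -p` reports winbindd reachable and that `id <localuser>` lists the Unix groups you expect the share permissions to be evaluated against.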