[SCM] Samba Website Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Nov 16 19:23:14 UTC 2021


The branch, master has been updated
       via  d0e3915 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901
      from  7604118 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d0e3915ecd116eab2883c7db41c2fd47849db3b6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 16 20:22:41 2021 +0100

    updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901

-----------------------------------------------------------------------

Summary of changes:
 posted_news/20211108-113640.4.15.2.body.html |  8 +++----
 security/CVE-2020-25717.html                 | 34 ++++++++++++++++++----------
 2 files changed, 26 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html
index 4370442..11bf4f8 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -22,11 +22,11 @@ There's sadly a regression that "allow trusted domains = no"
 prevents winbindd from starting, fixes are available at
 <a href="https://bugzilla.samba.org/show_bug.cgi?id=14899">bug #14899</a>.
 </p><p>
-Please also notice the additional fix and advanced example
-for the 'username map [script]' based fallback from
-'DOMAIN\user' to 'user'. See
+Please also notice the additional fixes from
 <a href="https://bugzilla.samba.org/show_bug.cgi?id=14901">bug #14901</a> and
-<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2251</a>.
+<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2253</a>.
+obsolete required 'username map [script]' based fallback from
+'DOMAIN\user' to 'user' in most cases.
 </p>
 
 <p>
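Review bot: The changed anchor now has the link text "Gitlab merge request 2253" while its href still points to merge_requests/2251, so text and target disagree; the href should be updated to match. The added lines also put a full stop after the closing </a> and then continue with "obsolete required 'username map [script]' based fallback", which leaves a sentence fragment. Joining the two, for example "... merge request 2253</a>, which make the 'username map [script]' based fallback from 'DOMAIN\user' to 'user' obsolete in most cases.", would read correctly.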
diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html
index 49811db..1321426 100644
--- a/security/CVE-2020-25717.html
+++ b/security/CVE-2020-25717.html
@@ -81,29 +81,39 @@ as it dangerous and not needed when nss_winbind is used (even when
 However there are setups which are joined to an active directory
 domain just for authentication, but the authorization is handled
 without nss_winbind by mapping the domain account to a local user
-provided by nss_file, nss_ldap or something similar. NOTE: These
-setups won't work anymore without explicitly mapping the users!
+provided by nss_file, nss_ldap or something similar.
 
-For these setups administrators need to use the 'username map' or
-'username map script' option in order to map domain users explicitly
-to local users, e.g.
+[Obsoleted 2021-11-16]
+    NOTE: These setups won't work anymore without explicitly mapping the users!
 
-  user = DOMAIN\user
+    For these setups administrators need to use the 'username map' or
+    'username map script' option in order to map domain users explicitly
+    to local users, e.g.
 
-Please consult 'man 5 smb.conf' for further details on 'username
-map' or 'username map script'. Also note that in the above example '\'
-refers to the default value of the 'winbind separator' option.
+      user = DOMAIN\user
+
+    Please consult 'man 5 smb.conf' for further details on 'username
+    map' or 'username map script'. Also note that in the above example '\'
+    refers to the default value of the 'winbind separator' option.
 
 [Added 2021-11-11]
   There's sadly a regression that "allow trusted domains = no"
   prevents winbindd from starting, fixes are available at
   https://bugzilla.samba.org/show_bug.cgi?id=14899
 
-  Please also notice the additional fix and advanced example
-  for the 'username map [script]' based fallback from
+[Updated 2021-11-16]
+
+  Please also notice the additional fix that obsoletes
+  the above 'username map [script]' based fallback from
   'DOMAIN\user' to 'user'. See
   https://bugzilla.samba.org/show_bug.cgi?id=14901 and
-  https://gitlab.com/samba-team/samba/-/merge_requests/2251
+  https://gitlab.com/samba-team/samba/-/merge_requests/2253
+
+  It's possible have setups make use of 'idmap_nss' in order
+  to provide a mapping from the domain account to a local user,
+  often even without 'nss_winbindd'. Such setups should work again
+  as before with the patches from bug 14901.
+  But note the 'min domain uid' setting may still be required.
 
 ============
 Beyond Samba


-- 
Samba Website Repository


