[SCM] Samba Website Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Nov 16 19:23:14 UTC 2021
The branch, master has been updated
via d0e3915 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901
from 7604118 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d0e3915ecd116eab2883c7db41c2fd47849db3b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 16 20:22:41 2021 +0100
updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901
-----------------------------------------------------------------------
Summary of changes:
posted_news/20211108-113640.4.15.2.body.html | 8 +++----
security/CVE-2020-25717.html | 34 ++++++++++++++++++----------
2 files changed, 26 insertions(+), 16 deletions(-)
Changeset truncated at 500 lines:
diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html
index 4370442..11bf4f8 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -22,11 +22,11 @@ There's sadly a regression that "allow trusted domains = no"
prevents winbindd from starting, fixes are available at
<a href="https://bugzilla.samba.org/show_bug.cgi?id=14899">bug #14899</a>.
</p><p>
-Please also notice the additional fix and advanced example
-for the 'username map [script]' based fallback from
-'DOMAIN\user' to 'user'. See
+Please also notice the additional fixes from
<a href="https://bugzilla.samba.org/show_bug.cgi?id=14901">bug #14901</a> and
-<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2251</a>.
+<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2253</a>.
+obsolete required 'username map [script]' based fallback from
+'DOMAIN\user' to 'user' in most cases.
</p>
<p>
diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html
index 49811db..1321426 100644
--- a/security/CVE-2020-25717.html
+++ b/security/CVE-2020-25717.html
@@ -81,29 +81,39 @@ as it dangerous and not needed when nss_winbind is used (even when
However there are setups which are joined to an active directory
domain just for authentication, but the authorization is handled
without nss_winbind by mapping the domain account to a local user
-provided by nss_file, nss_ldap or something similar. NOTE: These
-setups won't work anymore without explicitly mapping the users!
+provided by nss_file, nss_ldap or something similar.
-For these setups administrators need to use the 'username map' or
-'username map script' option in order to map domain users explicitly
-to local users, e.g.
+[Obsoleted 2021-11-16]
+ NOTE: These setups won't work anymore without explicitly mapping the users!
- user = DOMAIN\user
+ For these setups administrators need to use the 'username map' or
+ 'username map script' option in order to map domain users explicitly
+ to local users, e.g.
-Please consult 'man 5 smb.conf' for further details on 'username
-map' or 'username map script'. Also note that in the above example '\'
-refers to the default value of the 'winbind separator' option.
+ user = DOMAIN\user
+
+ Please consult 'man 5 smb.conf' for further details on 'username
+ map' or 'username map script'. Also note that in the above example '\'
+ refers to the default value of the 'winbind separator' option.
[Added 2021-11-11]
There's sadly a regression that "allow trusted domains = no"
prevents winbindd from starting, fixes are available at
https://bugzilla.samba.org/show_bug.cgi?id=14899
- Please also notice the additional fix and advanced example
- for the 'username map [script]' based fallback from
+[Updated 2021-11-16]
+
+ Please also notice the additional fix that obsoletes
+ the above 'username map [script]' based fallback from
'DOMAIN\user' to 'user'. See
https://bugzilla.samba.org/show_bug.cgi?id=14901 and
- https://gitlab.com/samba-team/samba/-/merge_requests/2251
+ https://gitlab.com/samba-team/samba/-/merge_requests/2253
+
+ It's possible have setups make use of 'idmap_nss' in order
+ to provide a mapping from the domain account to a local user,
+ often even without 'nss_winbindd'. Such setups should work again
+ as before with the patches from bug 14901.
+ But note the 'min domain uid' setting may still be required.
============
Beyond Samba
--
Samba Website Repository
More information about the samba-cvs
mailing list