Samba 3 - interesting behaviours after badlock patch.
Bogdan Iamandei
b.iamandei at its.uq.edu.au
Tue Apr 26 00:31:55 UTC 2016
Hi guys,
We’ve struck a bunch of problems with applying the patches for samba 3.6.25 - released as an IDR
by Oracle for Solaris on SPARC.
It looks like samba can no longer authenticate against AD users which exist in /etc/passwd, and
that the only workaround for that is to have winbind started (which is not something we’ve had to
run for the past 15 years). Our "security=ads" has worked fine up until now.
It also looks like the primary group does not get resolved anymore, so for example a directive like:
valid users = @staff
will not allow anyone because @staff is not resolved correctly (it’s used to differentiate staff from
students, so there’s about 10,000 members in that group).
Also, in this, multiple iterations of a group in /etc/group will no longer be iterated through so
that only the first occurrence will be checked against and the rest will be silently discarded:
special_grp::800:user1,user2,user3
special_grp::800:user4,user5,user6
. . .
valid users = @special_grp ->> this will only allow user1,2 and 3 - where user4,5,6 will be ignored.
(we split groups like this to get around the character limitation per group line - don’t ask!).
I’m happy to provide more details.
Are these problems known? Any ideas, or do we have to revert this to the previous unpatched version?
Cheers,
Bogdan.
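
An audit of /etc/group for the split-group layout described in the message above, as an added example that is not part of the original post: for each group name defined on more than one line, it lists the members that a lookup honouring only the first line would not see. The sample file content and the function names are constructed for illustration.

```python
# Added example: find group names split across several /etc/group lines.
from collections import OrderedDict

# Constructed sample in /etc/group format (name:password:gid:member,member,...).
SAMPLE_GROUP = """\
staff::10:
special_grp::800:user1,user2,user3
special_grp::800:user4,user5,user6
other::801:user7
"""


def parse_group(text):
    """Map each group name to its (gid, members) entries, in file order."""
    groups = OrderedDict()
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[0] or fields[0][0] in "#+-":
            continue  # skip blanks, comments and NIS compat (+/-) entries
        name, _password, gid, members = fields
        entry = (gid, [m for m in members.split(",") if m])
        groups.setdefault(name, []).append(entry)
    return groups


def split_group_report(text):
    """Report members that a first-line-only lookup would miss, per split group."""
    report = {}
    for name, entries in parse_group(text).items():
        if len(entries) < 2:
            continue  # group is defined on a single line, nothing to lose
        first_line = entries[0][1]
        dropped = []
        for _gid, members in entries[1:]:
            for member in members:
                if member not in first_line and member not in dropped:
                    dropped.append(member)
        report[name] = {
            "gids": sorted({gid for gid, _ in entries}),
            "first_line": first_line,
            "dropped": dropped,
        }
    return report


if __name__ == "__main__":
    for name, info in split_group_report(SAMPLE_GROUP).items():
        print(f"{name}: gids={info['gids']} first line={info['first_line']} "
              f"not seen by a first-match lookup={info['dropped']}")
```

To check a real system, pass the contents of /etc/group to `split_group_report` instead of the sample string.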