Samba 3 - interesting behaviours after badlock patch.
Andreas Schneider
asn at samba.org
Tue Apr 26 07:37:10 UTC 2016
On Tuesday, 26 April 2016 00:31:55 CEST Bogdan Iamandei wrote:
> Hi guys,
>
> We’ve struck a bunch of problems with applying the patches for samba 3.6.25
> - released as an IDR by Oracle for Solaris on SPARC.
>
> It looks like samba can no longer authenticate against AD users which exist
> in /etc/passwd, and that the only work around that is to have winbind
> started (which is not something we’ve had to run for the past 15 years).
> Our "security=ads" has worked fine up until now.
> It also looks like the primary group does not get resolved anymore so for
> example a directive like:
> valid users = @staff
>
> will not allow anyone because @staff is not resolved correctly (it’s used to
> differentiate staff from students, so there’s about 10,000 members in that
> group).
>
> Also, in this, multiple iterations of a group in /etc/group will no longer
> be iterated through so that only the first occurrence will be checked
> against and the rest will be silently discarded:
> special_grp::800:user1,user2,user3
> special_grp::800:user4,user5,user6
>
> . . .
>
> valid users = @special_grp ->> this will only allow user1,2 and 3 - where
> user4,5,6 will be ignored.
> (we split groups like this to get around the character limitation per group
> line - don’t ask!).
> I’m happy to provide more details.
>
> Are these problems known? Any ideas, or do we have to revert this to the
> previous unpatched version?
At least I have a bug report but haven't had the time to work on it yet.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
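
A check an administrator could run over a copy of /etc/group to find group names split across several lines, as in the quoted message, and list the members that a first-occurrence-only lookup would not see. This is an added example, not part of the original thread and not Samba's code; the function names and the `staff` sample line are assumptions.

```python
from collections import OrderedDict

# Two special_grp lines are taken from the quoted message; the "staff"
# line is constructed here as a single-line group for contrast.
SAMPLE_GROUP_FILE = """\
staff::10:alice,bob
special_grp::800:user1,user2,user3
special_grp::800:user4,user5,user6
"""

def parse_group_lines(text):
    """Yield (name, gid, members) for each well-formed group file line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry: skipped rather than guessed at
        name, _passwd, gid, members = fields
        yield name, gid, [m for m in members.split(",") if m]

def split_group_report(text):
    """For each group name that occurs on more than one line, return what a
    first-match lookup sees and which members only appear on later lines."""
    seen = OrderedDict()
    for name, gid, members in parse_group_lines(text):
        seen.setdefault(name, []).append((gid, members))
    report = {}
    for name, entries in seen.items():
        if len(entries) < 2:
            continue
        first = entries[0][1]
        merged = []
        for _gid, members in entries:
            for m in members:
                if m not in merged:
                    merged.append(m)
        report[name] = {
            "gids": sorted({gid for gid, _ in entries}),  # >1 value = inconsistent
            "first_match": first,
            "dropped": [m for m in merged if m not in first],
        }
    return report

if __name__ == "__main__":
    for name, info in split_group_report(SAMPLE_GROUP_FILE).items():
        print(name, "gids:", info["gids"], "dropped:", info["dropped"])
```

A non-empty `dropped` list for a group referenced in `valid users` marks accounts that would lose access if only the first line is consulted.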