[Samba] samba-3.5.14 (and less) corrupting AD->UID mappings

Nico Kadel-Garcia nkadel at gmail.com
Thu Aug 2 19:09:49 MDT 2012


On Thu, Aug 2, 2012 at 5:07 PM, Jason Haar <Jason_Haar at trimble.com> wrote:
> Hi there
>
> We've had three incidents this year where users connected to Samba
> shares (on CentOS systems) and appeared as the incorrect Windows
> account. e.g. "dom\user1" would connect, but any files they created would
> be owned by Unix user "dom\user2"

And you're using Samba 3.5.14.... why? The built-in Samba is
samba-3.5.10, as published by the upstream vendor, Red Hat. And the
current 3.x release is 3.6.6. By playing with an intermediate and
vendor-unsupported version, you expose yourself to all the bugs fixed
in more recent releases, without the vendor support to address any
bugs known to exist in the old version.

If you need 3.6.6, which is the current 3.6 release, check out my SRPM
tools at https://github.com/nkadel/samba-3.6.6-srpm for something that
builds very cleanly and compatibly with RHEL 6 and CentOS 6.

> This is of course pretty nasty. We normally delete all the cache and
> winbind TDB files and restart and that fixes it - but that isn't really
> a fix. There is a hint this may be associated with sites with RODCs -
> but last night we just had it happen on a site that has both "true" AD
> 2008-R2 DCs and RODCs - so maybe winbind was talking to the RODC there -
> maybe not - dunno
>
> Is this a known issue, and if not, what can I do to track down the
> cause, as it "sort of" diminishes the usefulness of Samba if you can't
> trust the file ownership anymore
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
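
Added example (not from either poster or the Samba project): one way to look for the symptom described in the quoted report is to round-trip every account through winbind (name -> SID -> UID -> SID) and flag any UID assigned to more than one account. The function names are hypothetical, and the wbinfo output formats noted in the comments are assumed for Samba 3.x.

```shell
#!/bin/sh
# Added example: round-trip audit of winbind SID<->UID mappings.
# Assumes Samba 3.x wbinfo output: "-n NAME" prints "<SID> <type>",
# "-S SID" prints a UID, "-U UID" prints a SID, "-u" lists domain users.

# name -> SID -> UID -> SID must return to the starting SID.
# Prints one tab-separated row; returns 0 OK, 1 mismatch, 2 unresolved.
check_mapping() {
    name=$1
    sid=$(wbinfo -n "$name" 2>/dev/null | awk '{ print $1; exit }')
    if [ -z "$sid" ]; then
        printf 'UNRESOLVED\t%s\n' "$name"; return 2
    fi
    uid=$(wbinfo -S "$sid" 2>/dev/null) || uid=
    if [ -z "$uid" ]; then
        printf 'UNRESOLVED\t%s\t%s\n' "$name" "$sid"; return 2
    fi
    back=$(wbinfo -U "$uid" 2>/dev/null) || back=
    if [ "$back" = "$sid" ]; then
        printf 'OK\t%s\t%s\t%s\n' "$name" "$sid" "$uid"
    else
        printf 'MISMATCH\t%s\t%s\t%s\t%s\n' "$name" "$sid" "$uid" "${back:-none}"
        return 1
    fi
}

# Check every account winbind enumerates, then flag any UID handed to more
# than one account (the "user1 writes files as user2" symptom).
audit_mappings() {
    rows=$(mktemp) || return 3
    wbinfo -u | while IFS= read -r name; do
        check_mapping "$name" || :
    done > "$rows"
    cat "$rows"
    dups=$(awk -F'\t' '$1 != "UNRESOLVED" { n[$4]++ }
        END { for (u in n) if (n[u] > 1) print u }' "$rows" | sort -n)
    for u in $dups; do printf 'DUPLICATE\t%s\n' "$u"; done
    status=0
    grep -qv '^OK' "$rows" && status=1
    [ -n "$dups" ] && status=1
    rm -f "$rows"
    return "$status"
}
```

Running audit_mappings on the file server before the winbind TDB files are cleared keeps a record of any bad rows for later comparison.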

