[Samba] Moving from samba-3.6.23-25.el6_7.x86_64 to samba-3.6.23-30.el6_7 has broken access to our MAC OS X clients

Ian Collier Ian.Collier at cs.ox.ac.uk
Thu Apr 21 11:46:27 UTC 2016


On Wed, Apr 20, 2016 at 03:42:47PM -0500, Karen Magee wrote:
> Also tried winbindd and that was a disaster of a
> different sort.
> 
> It wouldn't use the local unix groups first, which will cause way too
> many issues.
> 
> All along, however, the PCs that connect (when not trying to use
> winbindd) have consistently
> been able to connect and use the proper groups to access the files on
> the server.

I hear your frustration - we've had the same troubles.  My understanding
of this (which may be wrong) is:

 - The Badlock patches broke something in the Samba server which
   means it's no longer able to contact the Windows AD in order to
   authenticate users.

 - Windows clients who are on the domain are still able to authenticate
   because they have a valid Kerberos ticket from the AD server, but
   GNU/Linux and Mac OS X clients cannot.  [We haven't configured any
   non-Windows clients to talk Kerberos to the Windows AD server so
   it's unknown whether that would provide a workaround.]

 - But Winbind is still able to authenticate users against AD because it
   has "a much more robust and well-used codepath".
 - This is not likely to get fixed in the near future, so you must run
   Winbind if you have any GNU/Linux or Mac OS X clients.

 - But when you connect from a Windows client using Winbind, it uses
   the Windows AD groups for access control instead of the Unix groups.

This is basically broken on CentOS/RHEL 6.  If you have a Red Hat
subscription then you might try opening a ticket, but I wouldn't
hold up much hope.  The Samba project won't help you as they don't
support this version any more.

In CentOS/RHEL 7 this is somewhat better, as we've found this morning
after a frantic switchover.  You still have to run Winbind, but if you
put "username map script = /bin/echo" into the config then it will
use the Unix access permissions and (fingers crossed) it *seems* to be
now working as it did before the patches hit.

(Note: I also added "winbind trusted domains only = yes" but whether
that makes any difference I can't say, and I'm going to stop fiddling
with it now it's working.)

Ian Collier.
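As an added illustration of the workaround described in the reply above (not code from the thread or from the Samba project): Samba's "username map script" runs the configured program with the client's username as its single argument and takes the first line it prints as the Unix name to use, so "/bin/echo" is an identity map. The smb.conf fragment below is constructed; the workgroup, realm and idmap lines are assumptions chosen only to make a plausible winbind setup.

```python
import shlex
import subprocess
from typing import Dict

# Constructed smb.conf fragment: the two settings named in the post, plus the
# winbind/idmap lines a winbind-backed server needs (assumed values, not a real site).
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    username map script = /bin/echo
    winbind trusted domains only = yes
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] section as a dict of normalised key -> value."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            result[" ".join(key.split()).lower()] = value.strip()
    return result


def map_username(script: str, name: str) -> str:
    """Emulate how Samba calls 'username map script': one argument, the
    client's username; the first output line is the mapped Unix name."""
    proc = subprocess.run(shlex.split(script) + [name], capture_output=True,
                          text=True, check=True)
    lines = proc.stdout.splitlines()
    return lines[0].strip() if lines else ""


def check(text: str) -> Dict[str, bool]:
    """Report whether the post's workaround settings are present and whether
    the map script really leaves the username untouched (identity map)."""
    g = parse_global(text)
    script = g.get("username map script", "")
    return {
        "has_map_script": bool(script),
        "identity_map": bool(script) and map_username(script, "alice") == "alice",
        "trusted_domains_only": g.get("winbind trusted domains only", "").lower() == "yes",
    }
```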