[Samba] Moving from samba-3.6.23-25.el6_7.x86_64 to samba-3.6.23-30.el6_7 has broken access to our MAC OS X clients

Rowland Penny rpenny at samba.org
Thu Apr 21 12:25:14 UTC 2016

On 21/04/16 12:46, Ian Collier wrote:
> I hear your frustration - we've had the same troubles.  My understanding
> of this (which may be wrong) is:
>   - The Badlock patches broke something in the Samba server which
>     means it's no longer able to contact the Windows AD in order to
>     authenticate users.

My understanding is that the Badlock patches fixed a multitude of 
security problems. Also, from work that I and Louis have carried out, it 
now looks possible that the problem lies in the way that the update 
packages have been created. I do not have any problems, but I build 
Samba with just './configure --enable-debug --without-systemd'. Louis 
initially had problems, but, after he built his own debs, his computers 
now seem to be working correctly.

>   - Windows clients who are on the domain are still able to authenticate
>     because they have a valid Kerberos ticket from the AD server, but
>     GNU/Linux and Mac OS X clients cannot.  [We haven't configured any
>     non-Windows clients to talk Kerberos to the Windows AD server so
>     it's unknown whether that would provide a workaround.]
>   - But Winbind is still able to authenticate users against AD because it
>     has "a much more robust and well-used codepath".
>   - This is not likely to get fixed in the near future, so you must run
>     Winbind if you have any GNU/Linux or Mac OS X clients.
>   - But when you connect from a Windows client using Winbind, it uses
>     the Windows AD groups for access control instead of the Unix groups.

That is how it is supposed to work in an AD domain:

Unix groups in /etc/passwd are local groups and as such, will be unknown 
to AD.
To have a Unix group that is known to AD, it first needs to be created as 
an AD group and then given a gidNumber attribute, or use the 'rid' 
backend on a domain member.


> This is basically broken on CentOS/RHEL 6.  If you have a Red Hat
> subscription then you might try opening a ticket, but I wouldn't
> hold up much hope.  The Samba project won't help you as they don't
> support this version any more.
> In CentOS/RHEL 7 this is somewhat better, as we've found this morning
> after a frantic switchover.  You still have to run Winbind, but if you
> put "username map script = /bin/echo" into the config then it will
> use the Unix access permissions and (fingers crossed) it *seems* to be
> now working as it did before the patches hit.
> (Note: I also added "winbind trusted domains only = yes" but whether
> that makes any difference I can't say, and I'm going to stop fiddling
> with it now it's working.)
> Ian Collier.