[Samba] Moving from samba-3.6.23-25.el6_7.x86_64 to samba-3.6.23-30.el6_7 has broken access to our MAC OS X clients
rpenny at samba.org
Thu Apr 21 12:25:14 UTC 2016
On 21/04/16 12:46, Ian Collier wrote:
> I hear your frustration - we've had the same troubles. My understanding
> of this (which may be wrong) is:
> - The Badlock patches broke something in the Samba server which
> means it's no longer able to contact the Windows AD in order to
> authenticate users.
My understanding is that the Badlock patches fixed a multitude of
security problems, also from work that I and Louis have carried out, it
now looks possible that the problem lies in the way that the update
packages have been created. I do not have any problems, but I build
Samba with just './configure --enable-debug --without-systemd'. Louis
initially had problems, but, after he built his own debs, his computers
now seem to be working correctly.
> - Windows clients who are on the domain are still able to authenticate
> because they have a valid Kerberos ticket from the AD server, but
> GNU/Linux and Mac OS X clients cannot. [We haven't configured any
> non-Windows clients to talk Kerberos to the Windows AD server so
> it's unknown whether that would provide a workaround.]
> - But Winbind is still able to authenticate users against AD because it
> has "a much more robust and well-used codepath".
> - This is not likely to get fixed in the near future, so you must run
> Winbind if you have any GNU/Linux or Mac OS X clients.
> - But when you connect from a Windows client using Winbind, it uses
> the Windows AD groups for access control instead of the Unix groups.
That is how it is supposed to work in an AD domain:
Unix groups in /etc/passwd are local groups and as such, will be unknown
To have a Unix group that is known to AD, it first needs to be created as
an AD group and then given a gidNumber attribute, or use the 'rid'
backend on a domain member.
> This is basically broken on CentOS/RHEL 6. If you have a Red Hat
> subscription then you might try opening a ticket, but I wouldn't
> hold up much hope. The Samba project won't help you as they don't
> support this version any more.
> In CentOS/RHEL 7 this is somewhat better, as we've found this morning
> after a frantic switchover. You still have to run Winbind, but if you
> put "username map script = /bin/echo" into the config then it will
> use the Unix access permissions and (fingers crossed) it *seems* to be
> now working as it did before the patches hit.
> (Note: I also added "winbind trusted domains only = yes" but whether
> that makes any difference I can't say, and I'm going to stop fiddling
> with it now it's working.)
> Ian Collier.
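An smb.conf fragment for a domain member that shows the two ID-mapping choices discussed above (the 'rid' backend versus giving AD groups a gidNumber via the 'ad' backend), with the `username map script = /bin/echo` workaround from the quoted reply left as a commented line. This is an added illustration, not configuration from either poster or from the Samba project; the SAMDOM/SAMDOM.EXAMPLE.COM names and the ID ranges are assumed placeholder values.

```ini
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Catch-all backend for BUILTIN and any domain not listed below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option 1: 'rid' backend. Unix IDs are derived from the RID, so
   # AD groups need no gidNumber attribute, and every member server
   # using the same range produces the same mapping.
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   # Option 2 (use instead of the two lines above): 'ad' backend,
   # which reads uidNumber/gidNumber from AD. Each AD group that
   # should appear as a Unix group must then carry a gidNumber.
   ;idmap config SAMDOM : backend = ad
   ;idmap config SAMDOM : schema_mode = rfc2307
   ;idmap config SAMDOM : range = 10000-999999

   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U

   # Workaround quoted in the thread for CentOS/RHEL 7: echo maps
   # each incoming name to itself, so the existing Unix permissions
   # are applied unchanged.
   ;username map script = /bin/echo
```

After editing, `testparm` reports syntax errors and `wbinfo -u` / `wbinfo -g` confirm that winbind can enumerate AD users and groups with the chosen backend.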