[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download

Andrew Bartlett abartlet at samba.org
Mon Dec 19 18:33:54 UTC 2016 

On Mon, 2016-12-19 at 10:22 +0000, Rowland Penny via samba wrote:
> On Mon, 19 Dec 2016 13:56:41 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
> 
> > 
> > 19.12.2016 13:18, Karolin Seeger via samba пишет:
> > 
> > > 
> > > 100000 - 33554431 and similar lines) was ignored formerly and
> > > leads
> > > to errors now. The typical error you see is
> > > NT_STATUS_INVALID_SID.
> > > For more details, please see the following bug:
> > > 
> > >   https://bugzilla.samba.org/show_bug.cgi?id=12410
> > 
> > What is right configuration in this case?
> > 
> > on DC I have only an
> >       idmap_ldb:use rfc2307 = yes
> > 
> > string in my smb.conf, and
> > 
> > on member server I have an
> > 
> >      idmap config *:backend = tdb
> >      idmap config *:range = 30001-40000
> >      idmap config SAMGES:backend = ad
> >      idmap config SAMGES:schema_mode = rfc2307
> >      idmap config SAMGES:range = 10000-20000
> > 
> >      winbind nss info = rfc2307
> >      winbind trusted domains only = no
> >      winbind use default domain = yes
> >      winbind enum users  = yes
> >      winbind enum groups = yes
> > 
> > 
> > Are this is correct?
> > I have an old 4.1* version and plan to upgrade to 4.5*.
> > 
> 
> The only possible problems I can see there are the 'winbind enum'
> lines,
> you should only set these for testing purposes.
> 
> The problem was that people have been setting the 'idmap config'
> lines
> meant for a domain member on AD DCs. On versions before 4.5.0, they
> were ignored and did nothing. From 4.5.0, they still do not affect
> the
> IDs, but now cause errors, these errors have now been fixed in 4.5.3

Sadly this is not the case - 4.5.3 is the same as 4.5.2 except for the
security fixes.  This is per our strict policy of only making security
changes in security releases.  Hopefully we can sort something out one
way or the other for 4.5.4.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list