[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download

Rowland Penny rpenny at samba.org
Mon Dec 19 18:48:56 UTC 2016


On Tue, 20 Dec 2016 07:33:54 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2016-12-19 at 10:22 +0000, Rowland Penny via samba wrote:
> > On Mon, 19 Dec 2016 13:56:41 +0400
> > Mike Lykov via samba <samba at lists.samba.org> wrote:
> > 
> > > 
> > > 19.12.2016 13:18, Karolin Seeger via samba wrote:
> > > 
> > > > 
> > > > 100000 - 33554431 and similar lines) was ignored formerly and
> > > > leads
> > > > to errors now. The typical error you see is
> > > > NT_STATUS_INVALID_SID.
> > > > For more details, please see the following bug:
> > > > 
> > > >   https://bugzilla.samba.org/show_bug.cgi?id=12410
> > > 
> > > What is the right configuration in this case?
> > > 
> > > on DC I have only an
> > >       idmap_ldb:use rfc2307 = yes
> > > 
> > > string in my smb.conf, and
> > > 
> > > on member server I have an
> > > 
> > >      idmap config *:backend = tdb
> > >      idmap config *:range = 30001-40000
> > >      idmap config SAMGES:backend = ad
> > >      idmap config SAMGES:schema_mode = rfc2307
> > >      idmap config SAMGES:range = 10000-20000
> > > 
> > >      winbind nss info = rfc2307
> > >      winbind trusted domains only = no
> > >      winbind use default domain = yes
> > >      winbind enum users  = yes
> > >      winbind enum groups = yes
> > > 
> > > 
> > > Is this correct?
> > > I have an old 4.1* version and plan to upgrade to 4.5*.
> > > 
> > 
> > The only possible problems I can see there are the 'winbind enum'
> > lines,
> > you should only set these for testing purposes.
> > 
> > The problem was that people have been setting the 'idmap config'
> > lines
> > meant for a domain member on AD DCs. On versions before 4.5.0, they
> > were ignored and did nothing. From 4.5.0, they still do not affect
> > the
> > IDs, but now cause errors, these errors have now been fixed in 4.5.3
> 
> Sadly this is not the case - 4.5.3 is the same as 4.5.2 except for the
> security fixes.  This is per our strict policy of only making security
> changes in security releases.  Hopefully we can sort something out one
> way or the other for 4.5.4.
> 
> Sorry,
> 
> Andrew Bartlett
> 

Thanks for clarifying that, I mistakenly thought that the bug had been
fixed. I take it the 'fix', at the moment, is to not add the 'idmap
config' lines to a smb.conf file on a DC, or to remove them if you
have added them.

Rowland 
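
The workaround discussed in this thread, as an added example that is not part of the original messages or of Samba itself: a small check that reports 'idmap config' lines in the [global] section of an smb.conf whose 'server role' marks it as an AD DC. The function names and the sample configurations are constructed for illustration, the short role aliases are assumed to be accepted by Samba, and 'include' files are not followed.

```python
import re

# "server role" values treated as an AD DC; the two short forms are assumed
# to be aliases Samba accepts for the long one.
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

DC_SAMPLE = """\
[global]
    workgroup = SAMGES
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 30001-40000
"""  # constructed sample: a DC carrying member-server idmap lines
MEMBER_SAMPLE = DC_SAMPLE.replace("active directory domain controller",
                                  "member server")  # constructed sample

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Yield (first_line_number, section, normalized_parameter, value)."""
    section, pending, start = None, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":   # blank line or comment
                continue
            start = lineno
        if line.endswith("\\"):               # backslash continues the line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line:
            name, value = line.split("=", 1)
            yield start, section, _norm(name), value.strip()

def idmap_config_on_dc(text):
    """Return [(line, parameter, value)] for 'idmap config' lines on a DC."""
    settings = list(parse_smb_conf(text))
    is_dc = any(s == "global" and p == "serverrole"
                and " ".join(v.lower().split()) in DC_ROLES
                for _, s, p, v in settings)
    hits = [(n, p, v) for n, s, p, v in settings
            if s == "global" and p.startswith("idmapconfig")]
    return hits if is_dc else []

if __name__ == "__main__":
    print(idmap_config_on_dc(DC_SAMPLE))
```

The 'idmap_ldb:use rfc2307' line is not reported, since it is not an 'idmap config' parameter, and the same lines on a member server produce no findings.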


