[Samba] [EXT] Re: Samba 4 without winbind

Andrew Bartlett abartlet at samba.org
Sun Sep 18 20:43:14 UTC 2022


Yes, we never shipped an update for Samba 4.11 for the Dollar Ticket
attack, and if you have been pinning packages you will have missed a
lot of other critical security updates as well.
For the issue as it impacts on a fileserver, see:
https://bugzilla.samba.org/show_bug.cgi?id=14556
https://attachments.samba.org/attachment.cgi?id=16970
Andrew Bartlett
On Sun, 2022-09-18 at 15:25 +0000, Shannon Price wrote:
> I assume this is the Nov 2021 security guidance that you mention?
> I'll include the link for reference in the thread.
> https://www.cisa.gov/uscert/ncas/current-activity/2021/11/09/samba-releases-security-updates
> 
> Could you tell that only from the version that I mentioned (4.11.6)?
> --Shannon
> 
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Sunday, September 18, 2022 4:16 AM
> To: Shannon Price <pricesw at auburn.edu>; samba at lists.samba.org
> Subject: [EXT] Re: [Samba] Samba 4 without winbind
> CAUTION: Email Originated Outside of Auburn.
> On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:
> > We support our Windows clients via Samba since the 1990s. Our main
> > infrastructure is NIS/NFS to support our servers and Linux
> > clients. We have Samba using ADS for authentication for many years,
> > but our users and groups still come from NIS. Our last Samba server
> > is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using
> > smbd/nmbd.  Our newest Samba server is running on Ubuntu 20.04
> > (Samba 4.11.6 - we found severe problems with the current versions:
> > and have pinned Samba at 4.11.6 for now).  We're running it the
> > same way we always have - the machine is ADS joined (net join ads
> > ....). I experimented with winbind for quite a while, but we don't
> > need AD groups or user attributes, so it seems unnecessary and we
> > couldn't get our NIS groups to work when we did that even trying to
> > monkey with nsswitch.conf using nis for groups.
> > The problem now is only that I have full access to everything with
> > unqualified names (\\SERVER\homes works), but
> > FQDN (\\server.domain.edu\homes) doesn't work and the debug logs
> > show that Samba wants winbind whenever I talk to the server with FQDN.
> > Logs with FQDN:
> > [2022/09/17 08:40:16.941558,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
> >   check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
> > [2022/09/17 08:40:16.943204,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
> >   check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> > [2022/09/17 08:40:16.943300,  2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> > Logs without FQDN:
> >   131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> > [2022/09/17 10:15:38.595009,  0] ../../source3/param/loadparm.c:3358(process_usershare_file)
> 
> What you do is still possible, perhaps with some work (see the Nov
> 2021 security guidance as you have not applied those patches).
> Just run winbindd but don't configure it in the smb.conf.  
> We recognise that for some the authentication is via AD but the
> authorization is via other methods specified in nsswitch.conf, and we
> now have tests specifically aimed at this.
> Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
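As an added example (not code from this thread or from the Samba project), a small Python parser for the Samba debug-log header format shown in the quoted excerpt, which groups continuation lines under their header and flags the "winbindd not running" condition and NTLM failures carrying an NT_STATUS code. The header regex is inferred from the excerpt's lines, and the sample log is constructed from them.

```python
import re
from dataclasses import dataclass

# Samba debug-log header as it appears in the thread's excerpt:
# "[YYYY/MM/DD HH:MM:SS.micro, level] source_file:line(function)".
# The regex is inferred from that excerpt (assumption), not taken from Samba's source.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
NT_STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")


@dataclass
class Entry:
    ts: str
    level: int
    file: str
    func: str
    message: str = ""


def parse_samba_log(text):
    """Split a debug log into entries; indented lines after a header are its message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["file"], m["func"]))
        elif entries and raw.strip():
            entries[-1].message = (entries[-1].message + " " + raw.strip()).strip()
    return entries


def find_winbind_failures(entries):
    """Return (timestamp, function, NT_STATUS) for the missing-winbindd condition
    and for authentication failures that report an NT_STATUS code."""
    hits = []
    for e in entries:
        status = NT_STATUS_RE.search(e.message)
        if "winbindd not running" in e.message or ("FAILED" in e.message and status):
            hits.append((e.ts, e.func, status.group(0) if status else None))
    return hits


# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
[2022/09/17 08:40:16.941558,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 10:15:38.595009,  0] ../../source3/param/loadparm.c:3358(process_usershare_file)
  131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
"""

if __name__ == "__main__":
    for hit in find_winbind_failures(parse_samba_log(SAMPLE_LOG)):
        print(hit)
```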