SCIENTIFIC-LINUX-USERS Archives

December 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "Gilbert E. Detillieux" <[log in to unmask]>
Reply To: Gilbert E. Detillieux
Date: Wed, 5 Dec 2018 11:07:57 -0600

Among the raft of SL7 security errata and update packages released on
November 26th was one for samba, that included fixes for 3 CVEs.
However, this seemingly innocuous security update also included a rebase
to samba 4.8.3, from 4.7.1.  And in the release notes for 4.8, was this
little nugget:

     Setups with "security = domain" or "security = ads" require a
     running 'winbindd' now. The fallback that smbd directly contacts
     domain controllers is gone.

So, for the second time in about 2 years, a samba security update broke
my samba setup.  (Again, just as I was getting ready for a
vacation/leave.  When will I learn?!)

While I'm not surprised that a minor-version update would drop a
long-supported feature (because Samba team), I am a bit more surprised
that Red Hat opted for the rebase rather than back-porting the patches
to address the various CVEs, as they usually do.  (My experience with
RHEL has been that they tend to doggedly stick to outdated versions of
software, and back-port the patches, even when the newer versions would
offer better security with minimal risk of breaking backwards
compatibility. Are you listening, openssl package maintainers?)

So, in an attempt to get samba going again, I installed samba-winbind,
enabled the winbindd service, and... no go.  I then read somewhere that
winbindd needs nmbd running.  (Not sure why.  Nothing else we've run in
the last decade or more has needed WINS support.)  So I ran nmbd.  Still
no joy.

Figuring there was something I was missing, configuration-wise, with
winbindd, I looked up a few tutorials online, all of which focused on
configuring NSS and PAM (with dire warnings about how getting this wrong
will break your system authentication, so back up everything first).
But, I'm assuming that samba would contact winbindd more directly (i.e.
via libwbclient), and not actually require the NSS and PAM setup.  Or
maybe I'm wrong here...

So, for the time being, I've downgraded my samba packages.  But before I
go through the trouble of setting up a whole test system to play around
with getting winbindd configured correctly to work with the new samba, I
thought I'd turn to the folks on this list, and see if I've missed
something simple and/or obvious that others have already implemented.
(My apologies if this is not an appropriate use of the list.)

Help me Obi-Wan-SL-Users, you're my only hope!

Gilbert

-- 
Gilbert E. Detillieux		E-mail:	<[log in to unmask]>
Dept. of Computer Science	Web:	http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba		Phone:	(204)474-8161
Winnipeg MB CANADA  R3T 2N2	Fax:	(204)474-7609
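
Added example (not part of the original post, and not Samba's or Red Hat's own tooling): a pre-update check for the release-note change quoted in the message above, reporting whether an smb.conf with "security = ads" or "security = domain" would need a running winbindd at the Samba version about to be installed. The function names and the sample smb.conf are constructed for illustration.

```sh
# Added example. Function names and the sample smb.conf are constructed.

# Print the "security" value set in [global] of smb.conf text on stdin.
# Parameter names are case-insensitive; '#' and ';' start comment lines.
smbconf_security() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t\r]/, "", s)
                      in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "security") sec = val   # last setting wins
        }
        END { print (sec == "" ? "unset" : sec) }'
}

# Exit 0 when VERSION is 4.8 or later and SECURITY is ads or domain, the
# combination the 4.8 release notes say requires a running winbindd.
needs_winbindd() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case $2 in ads|domain) ;; *) return 1 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }
}

# Read smb.conf on stdin and report for the Samba version given as $1.
preflight() {
    sec=$(smbconf_security)
    if ! needs_winbindd "$1" "$sec"; then
        echo "ok: security=$sec, no winbindd requirement at Samba $1"
    elif pgrep -x winbindd >/dev/null 2>&1; then
        echo "ok: security=$sec, winbindd is running"
    else
        echo "hold: security=$sec needs a running winbindd at Samba $1"
    fi
}

sample_conf() {   # constructed sample configuration
    cat <<'EOF'
[Global]
    workgroup = EXAMPLE
    Security = ADS
[homes]
    browseable = no
EOF
}

sample_conf | preflight 4.8.3
```

On a live host, `testparm -s` prints the configuration as Samba resolves it, which also covers include files that this parser does not follow.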

