Among the raft of SL7 security errata and update packages released on
November 26th was one for samba that included fixes for 3 CVEs.
However, this seemingly innocuous security update also included a rebase
to samba 4.8.3, from 4.7.1. And in the release notes for 4.8, was this
little nugget:

    Setups with "security = domain" or "security = ads" require a
    running 'winbindd' now. The fallback that smbd directly contacts
    domain controllers is gone.

So, for the second time in about 2 years, a samba security update broke
my samba setup. (Again, just as I was getting ready for a
vacation/leave. When will I learn?!)

While I'm not surprised that a minor-version update would drop a
long-supported feature (because Samba team), I am a bit more surprised
that Red Hat opted for the rebase rather than back-porting the patches
to address the various CVEs, as they usually do. (My experience with
RHEL has been that they tend to doggedly stick to outdated versions of
software, and back-port the patches, even when the newer versions would
offer better security with minimal risk of breaking backwards
compatibility. Are you listening, openssl package maintainers?)

So, in an attempt to get samba going again, I installed samba-winbind,
enabled the winbindd service, and... no go. I then read somewhere that
winbindd needs nmbd running. (Not sure why. Nothing else we've run in
the last decade or more has needed WINS support.) So I ran nmbd. Still
no joy.

Figuring there was something I was missing, configuration-wise, with
winbindd, I looked up a few tutorials online, all of which focused on
configuring NSS and PAM (with dire warnings about how getting this wrong
will break your system authentication, so back up everything first).

But, I'm assuming that samba would contact winbindd more directly (i.e.
via libwbclient), and not actually require the NSS and PAM setup. Or
maybe I'm wrong here...

So, for the time being, I've downgraded my samba packages. But before I
go through the trouble of setting up a whole test system to play around
with getting winbindd configured correctly to work with the new samba, I
thought I'd turn to the folks on this list, and see if I've missed
something simple and/or obvious that others have already implemented.
(My apologies if this is not an appropriate use of the list.)

Help me Obi-Wan-SL-Users, you're my only hope!

Gilbert
--
Gilbert E. Detillieux E-mail: <[log in to unmask]>
Dept. of Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
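
An added example, not part of the original message: a pre-update check for the release note quoted above. It reads the explicit [global] "security" setting from an smb.conf and, when that is "domain" or "ads", pings winbindd with `wbinfo -p`. The function names and the sample config are constructed, and "server role" and "include" lines are not evaluated.

```shell
#!/bin/sh
# Added example: does the Samba 4.8 release note apply to this smb.conf?

# Print the explicit [global] "security" value in lower case ("auto" when
# unset). Assumption: one file; "include" and "server role" are ignored.
smb_security_mode() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "security") mode = val       # last setting wins
        }
        END { print (mode == "" ? "auto" : mode) }
    ' "$1"
}

# Exit status 0 when the release note applies (security = domain or ads).
needs_winbindd() {
    case "$(smb_security_mode "$1")" in
        domain|ads) return 0 ;;
        *) return 1 ;;
    esac
}

# Report for one config file; fails when winbindd is needed but not answering.
check_before_update() {
    mode=$(smb_security_mode "$1")
    if ! needs_winbindd "$1"; then
        echo "OK: security = $mode, the winbindd requirement does not apply"
        return 0
    fi
    if command -v wbinfo >/dev/null 2>&1 && wbinfo -p >/dev/null 2>&1; then
        echo "OK: security = $mode and winbindd answers the ping"
        return 0
    fi
    echo "BLOCK: security = $mode but winbindd does not answer; 4.8+ requires it"
    return 1
}

# Constructed sample config, not taken from the post.
sample=$(mktemp)
printf '[global]\n  ; security = user\n  Security = ADS\n[homes]\n  browseable = no\n' > "$sample"
check_before_update "$sample" || true
rm -f "$sample"
```

To check a live system, pass the path of the real configuration file to `check_before_update` before applying the update.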