Jason Haar
2012-Aug-02 21:07 UTC
[Samba] samba-3.5.14 (and less) corrupting AD->UID mappings
Hi there

We've had three incidents this year where users connected to Samba shares (on CentOS systems) and appeared as the incorrect Windows account. e.g. "dom\user1" would connect, but any files they created would be owned by Unix user "dom\user2"

This is of course pretty nasty. We normally delete all the cache and winbind TDB files and restart and that fixes it - but that isn't really a fix. There is a hint this may be associated with sites with RODCs - but last night we just had it happen on a site that has both "true" AD 2008-R2 DCs and RODCs - so maybe winbind was talking to the RODC there - maybe not - dunno

Is this a known issue, and if not, what can I do to track down the cause, as it "sort of" diminishes the usefulness of Samba if you can't trust the file ownership anymore

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Nico Kadel-Garcia
2012-Aug-03 01:09 UTC
[Samba] samba-3.5.14 (and less) corrupting AD->UID mappings
On Thu, Aug 2, 2012 at 5:07 PM, Jason Haar <Jason_Haar at trimble.com> wrote:
> Hi there
>
> We've had three incidents this year where users connected to Samba
> shares (on CentOS systems) and appeared as the incorrect Windows
> account. e.g. "dom\user1" would connect, but any files they created would
> be owned by Unix user "dom\user2"

And you're using Samba 3.5.14.... why? The built-in Samba is samba-3.5.10, as published by the upstream vendor, Red Hat. And the current 3.x release is 3.6.6. By playing with an intermediate and vendor-unsupported version, you expose yourself to all the bugs fixed in more recent releases, without the vendor support to address any bugs known to exist in the old version.

If you need 3.6.6, which is the current 3.6 release, check out my SRPM tools at https://github.com/nkadel/samba-3.6.6-srpm for something that builds very cleanly and compatibly with RHEL 6 and CentOS 6.

> This is of course pretty nasty. We normally delete all the cache and
> winbind TDB files and restart and that fixes it - but that isn't really
> a fix. There is a hint this may be associated with sites with RODCs -
> but last night we just had it happen on a site that has both "true" AD
> 2008-R2 DCs and RODCs - so maybe winbind was talking to the RODC there -
> maybe not - dunno
>
> Is this a known issue, and if not, what can I do to track down the
> cause, as it "sort of" diminishes the usefulness of Samba if you can't
> trust the file ownership anymore
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba