Rowland Penny
2016-Dec-19 10:22 UTC
[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
On Mon, 19 Dec 2016 13:56:41 +0400 Mike Lykov via samba <samba at lists.samba.org> wrote:

> 19.12.2016 13:18, Karolin Seeger via samba wrote:
>
> > 100000 - 33554431 and similar lines) was ignored formerly and leads
> > to errors now. The typical error you see is NT_STATUS_INVALID_SID.
> > For more details, please see the following bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=12410
>
> What is the right configuration in this case?
>
> on DC I have only an
> idmap_ldb:use rfc2307 = yes
>
> string in my smb.conf, and
>
> on member server I have an
>
> idmap config *:backend = tdb
> idmap config *:range = 30001-40000
> idmap config SAMGES:backend = ad
> idmap config SAMGES:schema_mode = rfc2307
> idmap config SAMGES:range = 10000-20000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Is this correct?
> I have an old 4.1* version and plan to upgrade to 4.5*.

The only possible problems I can see there are the 'winbind enum' lines, you should only set these for testing purposes.

The problem was that people have been setting the 'idmap config' lines meant for a domain member on AD DCs. On versions before 4.5.0, they were ignored and did nothing. From 4.5.0, they still do not affect the IDs, but now cause errors, these errors have now been fixed in 4.5.3

Rowland
Andrew Bartlett
2016-Dec-19 18:33 UTC
[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
On Mon, 2016-12-19 at 10:22 +0000, Rowland Penny via samba wrote:

> On Mon, 19 Dec 2016 13:56:41 +0400
> Mike Lykov via samba <samba at lists.samba.org> wrote:
>
> > 19.12.2016 13:18, Karolin Seeger via samba wrote:
> >
> > > 100000 - 33554431 and similar lines) was ignored formerly and leads
> > > to errors now. The typical error you see is NT_STATUS_INVALID_SID.
> > > For more details, please see the following bug:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=12410
> >
> > What is the right configuration in this case?
> >
> > on DC I have only an
> > idmap_ldb:use rfc2307 = yes
> >
> > string in my smb.conf, and
> >
> > on member server I have an
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 30001-40000
> > idmap config SAMGES:backend = ad
> > idmap config SAMGES:schema_mode = rfc2307
> > idmap config SAMGES:range = 10000-20000
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > Is this correct?
> > I have an old 4.1* version and plan to upgrade to 4.5*.
>
> The only possible problems I can see there are the 'winbind enum' lines,
> you should only set these for testing purposes.
>
> The problem was that people have been setting the 'idmap config' lines
> meant for a domain member on AD DCs. On versions before 4.5.0, they
> were ignored and did nothing. From 4.5.0, they still do not affect the
> IDs, but now cause errors, these errors have now been fixed in 4.5.3

Sadly this is not the case - 4.5.3 is the same as 4.5.2 except for the security fixes. This is per our strict policy of only making security changes in security releases. Hopefully we can sort something out one way or the other for 4.5.4.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Rowland Penny
2016-Dec-19 18:48 UTC
[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
On Tue, 20 Dec 2016 07:33:54 +1300 Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2016-12-19 at 10:22 +0000, Rowland Penny via samba wrote:
> > On Mon, 19 Dec 2016 13:56:41 +0400
> > Mike Lykov via samba <samba at lists.samba.org> wrote:
> >
> > > 19.12.2016 13:18, Karolin Seeger via samba wrote:
> > >
> > > > 100000 - 33554431 and similar lines) was ignored formerly and leads
> > > > to errors now. The typical error you see is NT_STATUS_INVALID_SID.
> > > > For more details, please see the following bug:
> > > >
> > > > https://bugzilla.samba.org/show_bug.cgi?id=12410
> > >
> > > What is the right configuration in this case?
> > >
> > > on DC I have only an
> > > idmap_ldb:use rfc2307 = yes
> > >
> > > string in my smb.conf, and
> > >
> > > on member server I have an
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 30001-40000
> > > idmap config SAMGES:backend = ad
> > > idmap config SAMGES:schema_mode = rfc2307
> > > idmap config SAMGES:range = 10000-20000
> > >
> > > winbind nss info = rfc2307
> > > winbind trusted domains only = no
> > > winbind use default domain = yes
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > >
> > > Is this correct?
> > > I have an old 4.1* version and plan to upgrade to 4.5*.
> >
> > The only possible problems I can see there are the 'winbind enum' lines,
> > you should only set these for testing purposes.
> >
> > The problem was that people have been setting the 'idmap config' lines
> > meant for a domain member on AD DCs. On versions before 4.5.0, they
> > were ignored and did nothing. From 4.5.0, they still do not affect the
> > IDs, but now cause errors, these errors have now been fixed in 4.5.3
>
> Sadly this is not the case - 4.5.3 is the same as 4.5.2 except for the
> security fixes. This is per our strict policy of only making security
> changes in security releases. Hopefully we can sort something out one
> way or the other for 4.5.4.
>
> Sorry,
>
> Andrew Bartlett

Thanks for clarifying that, I mistakenly thought that the bug had been fixed.

I take it the 'fix', at the moment, is to not add the 'idmap config' lines to an smb.conf file on a DC, or to remove them if you have added them.

Rowland
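
The workaround from the last message (keep member-server 'idmap config' lines out of a DC's smb.conf), sketched as an added example that is not part of the thread or of Samba: a Python check to run over an smb.conf before upgrading to 4.5.x. Identifying a DC by an explicit `server role = active directory domain controller` line is an assumption, the function names are hypothetical, and the sample file is constructed.

```python
import re

# Constructed sample: a DC smb.conf carrying member-server idmap lines.
SAMPLE_DC_CONF = """\
[global]
    workgroup = SAMGES
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    # copied over from a member server
    idmap config *:backend = tdb
    idmap config *:range = 30001-40000
    idmap config SAMGES : backend = ad
    ; idmap config SAMGES:range = 10000-20000
[share]
    read only = no
"""

def global_params(text):
    """Yield (line_no, normalized_name, value, raw_line) for [global] parameters."""
    section = "global"  # assumption: lines before any section header count as global
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and commented-out lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # parameter names compared case-insensitively, whitespace collapsed
            yield no, " ".join(name.lower().split()), value.strip(), line

def idmap_lines_on_dc(text):
    """Return [(line_no, line)] for 'idmap config' lines if the file is a DC's."""
    params = list(global_params(text))
    is_dc = any(name == "server role"
                and value.lower() == "active directory domain controller"
                for _, name, value, _ in params)
    if not is_dc:
        return []   # on a domain member these lines are expected
    return [(no, line) for no, name, _, line in params
            if name.startswith("idmap config ")]

if __name__ == "__main__":
    for no, line in idmap_lines_on_dc(SAMPLE_DC_CONF):
        print(f"line {no}: remove on a DC: {line}")
```
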