Vaughan, Robert J
2022-Mar-03 18:11 UTC
[Samba] Samba forces domain members to use winbind now
Recent SAMBA patches from Red Hat and Oracle (for Solaris 11) have broken our configuration

Have tickets open with both Red Hat and Oracle but so far not having much luck

The cause seems to be the switch to force winbind requirement for domain members (CVE-2020-25717 I believe)

We've never run winbind before

We have a UNIX LDAP (Oracle OUD) that has users with same username as AD and contains the uidNumber and gidNumber we need to use (plus extra groups) and this is accessed via nsswitch as sss (Linux) and ldap (Solaris)

So, trying to determine if we can run a winbind config that allows this setup to continue to work

With my reading so far I have had some success with idmap backend nss, but sometimes it fails (user doesn't have permission to access share errors) so perhaps something not quite right

So my first question is a general 'should I be able to do this'?

Rob
Rowland Penny
2022-Mar-03 19:02 UTC
[Samba] Samba forces domain members to use winbind now
On Thu, 2022-03-03 at 18:11 +0000, Vaughan, Robert J via samba wrote:
> Recent SAMBA patches from Red Hat and Oracle (for Solaris 11) have
> broken our configuration
>
> Have tickets open with both Red Hat and Oracle but so far not having
> much luck
>
> The cause seems to be the switch to force winbind requirement for
> domain members (CVE-2020-25717 I believe)
>
> We've never run winbind before
>
> We have a UNIX LDAP (Oracle OUD) that has users with same username as
> AD and contains the uidNumber and gidNumber we need to use (plus
> extra groups) and this is accessed via nsswitch as sss (Linux) and
> ldap (Solaris)
>
> So, trying to determine if we can run a winbind config that allows
> this setup to continue to work
>
> With my reading so far I have had some success with idmap backend
> nss, but sometimes it fails (user doesn't have permission to access
> share errors) so perhaps something not quite right
>
> So my first question is a general 'should I be able to do this'?
>
> Rob

If you are running Samba as a Unix domain member, winbind was required from Samba 4.8.0

How are you using ldap? It might help if you post your smb.conf file.

Rowland