Bug 1558560
| Field | Value |
|---|---|
| Summary | Rebase samba in RHEL-7.6 to Samba 4.8.3 |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Andreas Schneider <asn> |
| Component | samba |
| Assignee | Andreas Schneider <asn> |
| Status | CLOSED ERRATA |
| QA Contact | Andrej Dzilský <adzilsky> |
| Severity | unspecified |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | unspecified |
| Version | 7.6 |
| CC | asn, gdeschner, jarrpa, mcorr, pasik, rhack |
| Target Milestone | rc |
| Keywords | Rebase |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | samba-4.8.3-1.el7 |
| Doc Type | Rebase: Bug Fixes and Enhancements |
| Last Closed | 2018-10-30 07:59:53 UTC |
| Type | Bug |
| Bug Depends On | 1558492, 1558494, 1558495, 1558497 |
| Bug Blocks | 1550132, 1610324 |

Doc Text:

_samba_ rebased to version 4.8.3

The _samba_ packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:

* The *smbd* service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the `security` parameter set to `ads` or `domain` now require that the *winbindd* service is running.
* The dependency on global lists of trusted domains within the *winbindd* process has been reduced. For installations that do not require the global list, set the `winbind scan trusted domains` parameter in the `/etc/samba/smb.conf` file to `no`. For more information, see the parameter's description in the `smb.conf(5)` man page.
* The trust properties displayed in the output of the `wbinfo -m --verbose` command have been changed to correctly reflect the status of the system where the command is executed.
* Authentication from users of a one-way trust now works correctly when using the *idmap_rid* and *idmap_autorid* ID mapping back ends.

Samba automatically updates its tdb database files when the *smbd*, *nmbd*, or *winbind* daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.

For more information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.8.0.html.
Description (Andreas Schneider, 2018-03-20 13:44:22 UTC)
Domain member setups require winbindd
-------------------------------------

Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.

Winbind changes
---------------

The dependency on the global list of trusted domains within the winbindd processes has been reduced a lot. The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly, e.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However, some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.

If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".

Changed trusted domains listing with wbinfo -m --verbose
--------------------------------------------------------

The trust properties printed by wbinfo -m --verbose have been changed to correctly reflect the view of the system where wbinfo is executed. The trust type field in particular can show additional values that correctly reflect the type of the trust: "Local" for the local SAM and BUILTIN, "Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM on an AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on an NT4-style DC, "Forest" for an AD forest trust and "External" for quarantined, external or NT4-style trusts. Indirect trusts are shown as "Routed" including the routing domain.

Example, on an AD DC (SDOM1):

```
Domain Name   DNS Domain            Trust Type          Transitive  In   Out
BUILTIN                             Local
SDOM1         sdom1.site            RWDC
WDOM3         wdom3.site            Forest              Yes         No   Yes
WDOM2         wdom2.site            Forest              Yes         Yes  Yes
SUBDOM31      subdom31.wdom3.site   Routed (via WDOM3)
SUBDOM21      subdom21.wdom2.site   Routed (via WDOM2)
```

Same setup, on a member of WDOM2:

```
Domain Name   DNS Domain            Trust Type          Transitive  In   Out
BUILTIN                             Local
TITAN                               Local
WDOM2         wdom2.site            Workstation         Yes         No   Yes
WDOM1         wdom1.site            Routed (via WDOM2)
WDOM3         wdom3.site            Routed (via WDOM2)
SUBDOM21      subdom21.wdom2.site   Routed (via WDOM2)
SDOM1         sdom1.site            Routed (via WDOM2)
SUBDOM11      subdom11.wdom1.site   Routed (via WDOM2)
```

The list of trusts may be incomplete, and additional domains may appear as "Routed" if a user of an unknown domain is successfully authenticated.

For a long time winbind was not able to authenticate users from trusted domains which only had a one-way trust. Samba was developed for NT4-style domain controllers first. The way it worked was fine for NT4, but AD works completely differently, so we needed to remove the assumptions winbind had about AD. This took a long time because a lot of code needed to be refactored. Finally, authentication from users of one-way trusts is working with the following ID mapping modules: idmap_rid and idmap_autorid. Trusts can be evaluated using the following command: 'wbinfo --trusted-domains --verbose'

Winbind changes
---------------

The dependency on the global list of trusted domains within the winbindd processes has been reduced a lot. The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly, e.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However, some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list.

If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".

SUPER IMPORTANT!!!

Domain member setups require winbindd
-------------------------------------

Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3056
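The two behaviour changes that matter most before this update are the ones the description repeats: a domain member (`security = ads` or `security = domain`) now needs a running winbindd, and `winbind scan trusted domains` can be set to `no` where the global trusted-domain list is not needed. The following pre-upgrade check is an added example, not code from the bug report, from Red Hat or from Samba. It parses the `[global]` section of an smb.conf the way Samba reads parameter names (case-insensitive, whitespace in names ignored) and reports whether winbindd is required and whether the scan parameter has been set. The smb.conf content is a constructed sample, and whether winbindd is running is passed in as a hypothetical `winbindd_running` flag so the check runs offline.

```python
"""Pre-upgrade check for the Samba 4.8 domain-member changes.

Added example (not part of the bug report, of Red Hat's packaging or of
Samba itself). It reads the [global] section of an smb.conf and reports:
  * whether 'security = ads' or 'security = domain' is set, in which case
    Samba 4.8 requires a running winbindd (smbd no longer falls back to
    contacting domain controllers itself);
  * whether 'winbind scan trusted domains' has been set explicitly.
The service state is supplied by the caller via the hypothetical
'winbindd_running' flag so that the check works on a config string alone.
"""
import re

# Constructed sample config; not taken from any real host.
SAMPLE_SMB_CONF = """\
# /etc/samba/smb.conf (constructed sample)
[global]
    workgroup = WDOM2
    realm = WDOM2.SITE
    security = ADS
    idmap config * : backend = autorid
    idmap config * : range = 100000-1999999999
    winbind scan trusted domains = no

[share]
    path = /srv/share
    read only = no
"""


def parse_global_section(conf_text):
    """Return [global] parameters as a dict of normalised name -> value.

    Samba matches parameter names case-insensitively and ignores whitespace
    inside them, so 'Winbind Scan Trusted Domains' and
    'winbindscantrusteddomains' are the same key. Lines starting with '#'
    or ';' are comments. Only the [global] section is collected.
    """
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(.*)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != 'global' or '=' not in line:
            continue
        name, value = line.split('=', 1)
        key = re.sub(r'\s+', '', name).lower()
        params[key] = value.strip()
    return params


def check_winbindd_requirement(conf_text, winbindd_running):
    """Evaluate a config against the Samba 4.8 domain-member requirement.

    Returns a dict with:
      security        effective 'security' value ('user' when unset, which
                      is Samba's default)
      needs_winbindd  True for security = ads / domain
      ok              False when winbindd is required but not running
      scan_trusted    explicit 'winbind scan trusted domains' value, or
                      None when the parameter is not set (Samba default: yes)
      findings        list of human-readable findings
    """
    params = parse_global_section(conf_text)
    security = params.get('security', 'user').lower()
    needs_winbindd = security in ('ads', 'domain')
    scan_trusted = params.get('winbindscantrusteddomains')
    findings = []
    if needs_winbindd and not winbindd_running:
        findings.append(
            f"security = {security}: Samba 4.8 requires winbindd, but it is "
            "not running; smbd no longer contacts domain controllers itself")
    if needs_winbindd and scan_trusted is None:
        findings.append(
            "'winbind scan trusted domains' not set: the global trusted-domain "
            "list is still built; set it to 'no' if per-domain idmap backends "
            "and pam_winbind do not need it")
    return {
        'security': security,
        'needs_winbindd': needs_winbindd,
        'ok': not (needs_winbindd and not winbindd_running),
        'scan_trusted': scan_trusted.lower() if scan_trusted else None,
        'findings': findings,
    }


if __name__ == '__main__':
    # Demo on the constructed sample. On a real host, read
    # /etc/samba/smb.conf and query the winbind service state instead.
    result = check_winbindd_requirement(SAMPLE_SMB_CONF, winbindd_running=False)
    for finding in result['findings']:
        print('FINDING:', finding)
    print('ok' if result['ok'] else 'NOT OK')
```

On the constructed sample the check reports that winbindd is required but not running, and is quiet about the scan parameter because the sample already sets it to `no`. The parser deliberately normalises names the way Samba does, so a config written as `Security = Domain` is evaluated the same as `security = domain`.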