Bug 506292

Summary: samba3x 3.3.4 is broken as domain controller
Product: Red Hat Enterprise Linux 5
Reporter: Guenther Deschner <gdeschner>
Component: samba3x
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: urgent
Version: 5.4
CC: azelinka, dpal, fnebiolo, redhat-bugzilla, robert.scheck, sghosh, shaines, ssorce
Target Milestone: rc
Keywords: Regression, ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-30 09:03:42 UTC
Bug Blocks: 524551    

Description Guenther Deschner 2009-06-16 15:52:12 UTC
Description of problem:

Samba3x needs to update to version 3.3.5 (for the main tarball).

The compelling reason for this update is that versions prior to 3.3.5 had a broken implementation of two fundamental security subsystems:

a) netlogon credential chain
b) samr access checks

ad a) When Samba3x is run as a domain controller on a server, machines cannot join and users cannot correctly authenticate against Samba3x as the netlogon dcerpc server will deny access unconditionally.

ad b) When Samba3x is run as a domain controller on a server, machines cannot access the user and group list, which means clients such as Windows or Linux running winbindd are not able to retrieve the list of users and groups from a Samba DC, completely blocking access control among many other things.

Version-Release number of selected component (if applicable):
samba3x-3.3.4

How reproducible:

Join a Windows or Linux client to a Samba3x domain and try to authenticate and enumerate the user and group list.

Steps to Reproduce:
1. Configure a samba3x DC with a few users
2. Call "net rpc join" from a Linux client
3. Verify the join using "net rpc testjoin"
4. Start winbindd
5. Call "wbinfo -u" and "wbinfo -g"
  
Actual results:

step 3.) will return access denied
step 5.) will return a generic error

Expected results:

step 3.) needs to return ok
step 5.) needs to return users and groups

Additional info:

Comment 19 errata-xmlrpc 2010-03-30 09:03:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0301.html