Bug 1558560 - Rebase samba in RHEL-7.6 to Samba 4.8.3
Summary: Rebase samba in RHEL-7.6 to Samba 4.8.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Andrej Dzilský
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1558492 1558494 1558495 1558497
Blocks: 1550132 1610324
 
Reported: 2018-03-20 13:44 UTC by Andreas Schneider
Modified: 2018-10-30 08:01 UTC
CC: 6 users

Fixed In Version: samba-4.8.3-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_samba_ rebased to version 4.8.3

The _samba_ packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:

* The *smbd* service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the `security` parameter set to `ads` or `domain` now require that the *winbindd* service is running.
* The dependency on global lists of trusted domains within the *winbindd* process has been reduced. For installations that do not require the global list, set the `winbind scan trusted domains` parameter in the `/etc/samba/smb.conf` file to `no`. For more information, see the parameter's description in the `smb.conf(5)` man page.
* The trust properties displayed in the output of the "wbinfo -m --verbose" command have been changed to correctly reflect the status of the system where the command is executed.
* Authentication from users of a one-way trust now works correctly when using the *idmap_rid* and *idmap_autorid* ID mapping back ends.

Samba automatically updates its tdb database files when the *smbd*, *nmbd*, or *winbind* daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files. For more information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.8.0.html.
Clone Of:
Environment:
Last Closed: 2018-10-30 07:59:53 UTC




Links
Red Hat Product Errata RHSA-2018:3056 (last updated 2018-10-30 08:01:00 UTC)

Description Andreas Schneider 2018-03-20 13:44:22 UTC
Besides including all the latest upstream bugfixes and interoperability improvements, the new Samba version has support for one-way trusts in domain member setups.

Comment 4 Andreas Schneider 2018-06-13 12:25:47 UTC
Domain member setups require winbindd
-------------------------------------

Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.

Comment 5 Andreas Schneider 2018-06-13 12:27:13 UTC
Winbind changes
---------------

The dependency on the global list of trusted domains within
the winbindd processes has been reduced a lot.

The construction of that global list is not reliable and often
incomplete in complex trust setups. In most situations the list is not needed
any more for winbindd to operate correctly. E.g. for plain file serving via SMB
using a simple idmap setup with autorid, tdb or ad. However some more complex
setups require the list, e.g. if you specify idmap backends for specific
domains. Some pam_winbind setups may also require the global list.

If you have a setup that doesn't require the global list, you should set
"winbind scan trusted domains = no".

Comment 6 Andreas Schneider 2018-06-13 12:28:07 UTC
Changed trusted domains listing with wbinfo -m --verbose
--------------------------------------------------------

The trust properties printed by wbinfo -m --verbose have been changed to
correctly reflect the view of the system where wbinfo is executed.

The trust type field in particular can show additional values that correctly
reflect the type of the trust: "Local" for the local SAM and BUILTIN,
"Workstation" for a workstation trust to the primary domain, "RWDC" for the SAM
on an AD DC, "RODC" for the SAM on a read-only DC, "PDC" for the SAM on an
NT4-style DC, "Forest" for an AD forest trust and "External" for quarantined,
external or NT4-style trusts.

Indirect trusts are shown as "Routed" including the routing domain.

Example, on an AD DC (SDOM1):

Domain Name DNS Domain          Trust Type  Transitive  In   Out
BUILTIN                         Local
SDOM1       sdom1.site          RWDC
WDOM3       wdom3.site          Forest      Yes         No   Yes
WDOM2       wdom2.site          Forest      Yes         Yes  Yes
SUBDOM31    subdom31.wdom3.site Routed (via WDOM3)
SUBDOM21    subdom21.wdom2.site Routed (via WDOM2)

Same setup, on a member of WDOM2:

Domain Name DNS Domain          Trust Type  Transitive  In   Out
BUILTIN                         Local
TITAN                           Local
WDOM2       wdom2.site          Workstation Yes         No   Yes
WDOM1       wdom1.site          Routed (via WDOM2)
WDOM3       wdom3.site          Routed (via WDOM2)
SUBDOM21    subdom21.wdom2.site Routed (via WDOM2)
SDOM1       sdom1.site          Routed (via WDOM2)
SUBDOM11    subdom11.wdom1.site Routed (via WDOM2)

The list of trusts may be incomplete and additional domains may appear as
"Routed" if a user of an unknown domain is successfully authenticated.

Comment 7 Marc Muehlfeld 2018-06-13 12:48:37 UTC
For a long time winbind was not able to authenticate users from a trusted domain which only had a one-way trust. Samba was developed for NT4-style domain controllers first. The way it worked was fine for NT4, but AD works completely differently, so we needed to remove the assumptions winbind had about AD. This took a long time because a lot of code needed to be refactored.

Finally, authentication from users of one-way trusts is working with the following ID mapping modules: idmap_rid and idmap_autorid.

Trusts can be evaluated using the following command:
'wbinfo --trusted-domains --verbose'

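The trust listing in Comment 6 and the `wbinfo --trusted-domains --verbose` check in Comment 7 (the same listing, `-m` being the short form) are what an administrator reads after the update to confirm which trusts are one-way. The following is an added example, not Samba or Red Hat code: a parser for the 4.8 column layout that turns the table into records, derives column boundaries from the header line, handles the "Routed (via X)" rows that span several columns, and picks out the trusts with only one direction set. The embedded sample is the AD DC (SDOM1) listing from Comment 6; the reading of the In/Out columns in `one_way_trusts` follows the MS-NRPC trust-flag meaning (Out: the local domain trusts that domain) and is my interpretation, not something the bug states.

```python
# Added example (not Samba project code): parse "wbinfo -m --verbose" (Samba 4.8
# format) into records and report one-way and routed trusts. Python 3.
import re

# Sample: the AD DC (SDOM1) listing quoted in Comment 6 of this bug.
SAMPLE_WBINFO = """\
Domain Name DNS Domain          Trust Type  Transitive  In   Out
BUILTIN                         Local
SDOM1       sdom1.site          RWDC
WDOM3       wdom3.site          Forest      Yes         No   Yes
WDOM2       wdom2.site          Forest      Yes         Yes  Yes
SUBDOM31    subdom31.wdom3.site Routed (via WDOM3)
SUBDOM21    subdom21.wdom2.site Routed (via WDOM2)
"""

COLUMNS = ["Domain Name", "DNS Domain", "Trust Type", "Transitive", "In", "Out"]


def _column_starts(header):
    """Locate each header title as a whole word (so 'In' does not match inside
    'Domain') and return the character offset where each column begins."""
    starts = []
    for title in COLUMNS:
        m = re.search(r"(?<!\S)" + re.escape(title) + r"(?!\S)", header)
        if m is None:
            raise ValueError("unexpected wbinfo header: %r" % header)
        starts.append(m.start())
    return starts


def _yes_no(field):
    """Yes/No columns -> bool; blank (Local, RWDC, Routed rows) -> None."""
    return {"Yes": True, "No": False}.get(field)


def parse_wbinfo_trusts(text):
    """Parse 'wbinfo -m --verbose' output into a list of dicts in listing order.

    'Routed (via X)' rows overflow the Trust Type column, so for those the type
    is read from the rest of the line and the routing domain stored as 'via'."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    starts = _column_starts(lines[0])
    bounds = list(zip(starts, starts[1:] + [None]))
    trusts = []
    for line in lines[1:]:
        fields = [line[a:b].strip() for a, b in bounds]
        entry = {"name": fields[0], "dns": fields[1], "type": fields[2],
                 "transitive": _yes_no(fields[3]),
                 "inbound": _yes_no(fields[4]), "outbound": _yes_no(fields[5]),
                 "via": None}
        routed = re.match(r"Routed \(via (\S+)\)", line[starts[2]:].strip())
        if routed:
            entry.update(type="Routed", via=routed.group(1),
                         transitive=None, inbound=None, outbound=None)
        trusts.append(entry)
    return trusts


def one_way_trusts(trusts):
    """Return (name, direction) for trusts with exactly one direction.

    Interpretation (assumption, per MS-NRPC trust flags as wbinfo prints them):
    'Out' = the local domain trusts that domain, so its users can authenticate
    here; 'In' = that domain trusts the local one."""
    result = []
    for t in trusts:
        if t["inbound"] is None or t["outbound"] is None:
            continue  # Local, RWDC/RODC/PDC and Routed rows carry no direction
        if t["outbound"] and not t["inbound"]:
            result.append((t["name"], "outbound-only"))
        elif t["inbound"] and not t["outbound"]:
            result.append((t["name"], "inbound-only"))
    return result


def routed_via(trusts):
    """Map each indirectly reachable domain to the trust it is routed through."""
    return {t["name"]: t["via"] for t in trusts if t["type"] == "Routed"}


if __name__ == "__main__":
    # Stand-alone run on the embedded sample; pipe real output via stdin instead:
    #   wbinfo -m --verbose | python3 wbinfo_trusts.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WBINFO
    parsed = parse_wbinfo_trusts(data)
    for t in parsed:
        print("%-10s %-12s in=%-5s out=%-5s via=%s" % (
            t["name"], t["type"], t["inbound"], t["outbound"], t["via"]))
    print("one-way:", one_way_trusts(parsed))
    print("routed: ", routed_via(parsed))
```

On the sample, WDOM3 comes out as the only one-way trust (Out=Yes, In=No): SDOM1 trusts WDOM3, so WDOM3 users can authenticate against SDOM1 resources, which is exactly the case the idmap_rid/idmap_autorid fix in this rebase targets. Note the caveat from Comment 6: further domains may show up as "Routed" only after a user from them has authenticated, so the list is not a complete inventory of reachable domains.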

Comment 8 Andreas Schneider 2018-07-05 15:59:56 UTC
SUPER IMPORTANT!!!


  Domain member setups require winbindd
  -------------------------------------

  Setups with "security = domain" or "security = ads" require a
  running 'winbindd' now. The fallback that smbd directly contacts
  domain controllers is gone.
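Comments 4, 5 and 8 and the Doc Text above amount to a short pre-update checklist for a domain member: smbd no longer falls back to contacting DCs itself, so `security = domain` or `security = ads` needs a running winbindd; `winbind scan trusted domains = no` is safe only for the simple idmap layouts the notes list; and the tdb files should be backed up before the new daemons convert them, since downgrading is unsupported. The script below is an added example, not Red Hat or Samba project code, that applies those three rules to an smb.conf. The embedded smb.conf is constructed, the backup paths are the RHEL 7 defaults (an assumption about the local layout), and the pam_winbind case from Comment 5 is deliberately left to manual review because the config alone does not show it.

```python
# Added example (not Red Hat or Samba code): pre-update check for the Samba 4.8
# domain-member changes. Python 3.
import os
import shutil
import time

# Constructed sample: an AD domain member with a single default autorid backend.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WDOM2
    realm = WDOM2.SITE
    security = ads
    ; one default idmap backend, no per-domain ranges
    idmap config * : backend = autorid
    idmap config * : range = 10000-1999999
[data]
    path = /srv/data
    read only = no
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}.

    Samba treats parameter names as case- and whitespace-insensitive, so keys
    are lowercased, ':' is padded and runs of whitespace collapsed, making
    'idmap config *:backend' and 'Idmap Config * : Backend' the same key."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().replace(":", " : ").split())
        sections[current][key] = value.strip()
    return sections


def needs_winbindd(global_params):
    """Samba 4.8 removed smbd's direct DC lookups: a member setup
    (security = domain or ads) only works with winbindd running."""
    return global_params.get("security", "user").lower() in ("domain", "ads")


def can_disable_trust_scan(global_params):
    """Rule from the release notes: plain file serving with one default idmap
    backend (tdb, autorid or ad) does not need the global trusted-domain list,
    so 'winbind scan trusted domains = no' is safe. Per-domain backends
    ('idmap config DOM : backend') still need the scan. pam_winbind setups are
    not detectable here and need manual review."""
    per_domain = [k for k in global_params
                  if k.startswith("idmap config ") and k.endswith(": backend")
                  and not k.startswith("idmap config * ")]
    default_backend = global_params.get("idmap config * : backend", "tdb").lower()
    return not per_domain and default_backend in ("tdb", "autorid", "ad")


def check(text):
    """Summarise what the 4.8 update means for this smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    return {
        "security": g.get("security", "user").lower(),
        "needs_winbindd": needs_winbindd(g),
        "trust_scan_can_be_disabled": can_disable_trust_scan(g),
    }


def backup_tdbs(dirs=("/var/lib/samba", "/var/lib/samba/private"), dest=None):
    """Copy *.tdb files to a timestamped directory before the first start of
    the new daemons, which convert the databases in place (no downgrade).
    Run with smbd, nmbd and winbindd stopped so the copies are consistent.
    Paths are the RHEL 7 defaults (assumption). Returns the copied paths."""
    dest = dest or time.strftime("/root/samba-tdb-backup-%Y%m%d-%H%M%S")
    copied = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        target = os.path.join(dest, d.strip("/").replace("/", "_"))
        for name in sorted(os.listdir(d)):
            if name.endswith(".tdb"):
                os.makedirs(target, exist_ok=True)
                copied.append(shutil.copy2(os.path.join(d, name), target))
    return copied


if __name__ == "__main__":
    # Usage: python3 samba48_check.py [/etc/samba/smb.conf]; the sample is used
    # when no path is given, so the script runs stand-alone.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            result = check(f.read())
    else:
        result = check(SAMPLE_SMB_CONF)
    for key, value in result.items():
        print("%-28s %s" % (key + ":", value))
```

Run it against the real `/etc/samba/smb.conf` before `yum update`; if `needs_winbindd` is true, make sure `winbind.service` is enabled and started alongside `smb.service` after the update, otherwise domain users will fail to resolve once the old smbd fallback is gone.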

Comment 12 errata-xmlrpc 2018-10-30 07:59:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3056

