Bug 506292 - samba3x 3.3.4 is broken as domain controller
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x
Hardware: All Linux
Priority: urgent, Severity: medium
Target Milestone: rc
Assigned To: Guenther Deschner
Keywords: Regression, ZStream
Blocks: 524551
Reported: 2009-06-16 11:52 EDT by Guenther Deschner
Modified: 2010-03-30 05:03 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 05:03:42 EDT
External Trackers:
Red Hat Product Errata RHBA-2010:0301 (priority: normal, status: SHIPPED_LIVE): samba3x bug fix update, last updated 2010-03-29 10:31:04 EDT

Description Guenther Deschner 2009-06-16 11:52:12 EDT
Description of problem:

Samba3x needs to update to version 3.3.5 (for the main tarball).

The compelling reason for this update is that versions prior to 3.3.5 had a broken implementation of two fundamental security subsystems:

a) netlogon credential chain
b) samr access checks

ad a) When Samba3x is run as a domain controller on a server, machines cannot join and users cannot correctly authenticate against Samba3x as the netlogon dcerpc server will deny access unconditionally.

ad b) When Samba3x is run as a domain controller on a server, machines cannot access the user and group list, which means clients such as Windows or Linux running winbindd are not able to retrieve the list of users and groups from a Samba DC, completely blocking access control among many other things.

Version-Release number of selected component (if applicable):

How reproducible:

Join a Windows or Linux client to a Samba3x domain and try to authenticate and enumerate the user and group list.

Steps to Reproduce:
1. configure a samba3x dc with a few users
2. call "net rpc join" from a linux client
3. verify join using "net rpc testjoin"
4. start winbindd
5. call "wbinfo -u" and "wbinfo -g"

Actual results:

step 3.) will return access denied
step 5.) will return a generic error

Expected results:

step 3.) needs to return ok
step 5.) needs to return users and groups

Additional info:

Comment 19 errata-xmlrpc 2010-03-30 05:03:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
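
A post-update check built from steps 3 and 5 of the report, as an added example that is not part of the original bug report or the erratum. It assumes a Linux client that has already been joined with "net rpc join" and has winbindd running; the function names and the exit-status bit mask are choices made for this example.

```shell
#!/bin/sh
# Added example: regression check for the two failures in this report.
# Assumption: run on a Linux domain member after steps 1, 2 and 4
# (DC configured with users, "net rpc join" done, winbindd started).

# Step 3: "net rpc testjoin" fails with access denied when the
# netlogon credential chain on the DC is broken.
check_netlogon() {
    out=$(net rpc testjoin 2>&1) && return 0
    echo "netlogon: testjoin failed: $out" >&2
    return 1
}

# Step 5: "wbinfo -u" and "wbinfo -g" fail when the samr access
# checks on the DC deny enumeration. An empty list also counts as a
# failure, because the DC in step 1 was configured with users.
check_samr() {
    for flag in -u -g; do
        list=$(wbinfo "$flag" 2>&1) || {
            echo "samr: wbinfo $flag failed: $list" >&2
            return 1
        }
        [ -n "$list" ] || {
            echo "samr: wbinfo $flag returned an empty list" >&2
            return 1
        }
    done
    return 0
}

# Runs both checks and returns a bit mask (this example's convention):
# 0 = both work, 1 = netlogon broken, 2 = samr broken, 3 = both broken.
check_dc() {
    dc_mask=0
    check_netlogon || dc_mask=$((dc_mask | 1))
    check_samr || dc_mask=$((dc_mask | 2))
    return "$dc_mask"
}
```

Source the file and call `check_dc`, then read `$?`: against an affected DC both bits are expected to be set, and 0 is the expected result after the update.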