Red Hat Bugzilla – Bug 506292
samba3x 3.3.4 is broken as domain controller
Last modified: 2010-03-30 05:03:42 EDT
Description of problem:
Samba3x needs to update to version 3.3.5 (for the main tarball).
The compelling reason for this update is that versions prior to 3.3.5 had a broken implementation of two fundamental security subsystems:
a) netlogon credential chain
b) samr access checks
ad a) When Samba3x is run as a domain controller on a server, machines cannot join and users cannot correctly authenticate against Samba3x as the netlogon dcerpc server will deny access unconditionally.
ad b) When Samba3x is run as a domain controller on a server, machines cannot access the user and group list, which means clients such as Windows or Linux running winbindd are not able to retrieve the list of users and groups from a Samba DC, completely blocking access control among many other things.
Version-Release number of selected component (if applicable):
How reproducible:
Join a Windows or Linux client to a Samba3x domain and try to authenticate and enumerate the user and group list.
Steps to Reproduce:
1. configure a samba3x dc with a few users
2. call "net rpc join" from a linux client
3. verify join using "net rpc testjoin"
4. start winbindd
5. call "wbinfo -u" and "wbinfo -g"
Actual results:
step 3.) will return access denied
step 5.) will return a generic error
Expected results:
step 3.) needs to return ok
step 5.) needs to return users and groups
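The checks in steps 3 and 5 can be scripted as a regression test to run on a client after the DC is updated. This is an added example, not part of the original report; the function names are hypothetical, and it assumes the client is already joined (step 2), winbindd is running (step 4), and the script runs as root so that `net` can read the machine secret.

```shell
#!/bin/sh
# Added example: maps each failed check to the subsystem named in the report
# (a = netlogon credential chain, b = samr access checks).

# Step 3: "net rpc testjoin" exercises the netlogon credential chain.
check_netlogon() {
    net rpc testjoin >/dev/null 2>&1
}

# Step 5: run "wbinfo -u" or "wbinfo -g" and print how many entries came back.
# Fails if wbinfo itself fails or if the list is empty.
count_entries() {
    out=$(wbinfo "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -c .
}

# Run both checks, report PASS/FAIL per subsystem, return non-zero on any FAIL.
verify_dc() {
    rc=0
    if check_netlogon; then
        echo "PASS netlogon: net rpc testjoin"
    else
        echo "FAIL netlogon: net rpc testjoin (symptom a)"
        rc=1
    fi
    for flag in -u -g; do
        if n=$(count_entries "$flag") && [ "$n" -gt 0 ]; then
            echo "PASS samr: wbinfo $flag returned $n entries"
        else
            echo "FAIL samr: wbinfo $flag returned no list (symptom b)"
            rc=1
        fi
    done
    return $rc
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verify_dc
fi
```

Invoke it with `--run` on the joined client; a non-zero exit status means at least one of the two subsystems still fails.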
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.