Bug 506292 - samba3x 3.3.4 is broken as domain controller
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x
Version: 5.4
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Guenther Deschner
QA Contact: BaseOS QE
Keywords: Regression, ZStream
Depends On:
Blocks: 524551

Reported: 2009-06-16 11:52 EDT by Guenther Deschner
Modified: 2010-03-30 05:03 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 05:03:42 EDT
Description Guenther Deschner 2009-06-16 11:52:12 EDT
Description of problem:

Samba3x needs to update to version 3.3.5 (for the main tarball).

The compelling reason for this update is that versions prior to 3.3.5 had a broken implementation of two fundamental security subsystems:

a) netlogon credential chain
b) samr access checks

ad a) When Samba3x is run as a domain controller on a server, machines cannot join and users cannot correctly authenticate against Samba3x as the netlogon dcerpc server will deny access unconditionally.

ad b) When Samba3x is run as a domain controller on a server, machines cannot access the user and group list, which means clients such as Windows or Linux running winbindd are not able to retrieve the list of users and groups from a Samba DC, completely blocking access control among many other things.

Version-Release number of selected component (if applicable):
samba3x-3.3.4

How reproducible:

Join a Windows or Linux client to a Samba3x domain and try to authenticate and enumerate the user and group list.

Steps to Reproduce:
1. configure a samba3x DC with a few users
2. call "net rpc join" from a Linux client
3. verify join using "net rpc testjoin"
4. start winbindd
5. call "wbinfo -u" and "wbinfo -g"
  
Actual results:

step 3.) will return access denied
step 5.) will return a generic error

Expected results:

step 3.) needs to return ok
step 5.) needs to return users and groups

Additional info:
Comment 19 errata-xmlrpc 2010-03-30 05:03:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0301.html
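
The verification steps from the description (steps 3 and 5), written as a repeatable check that maps each failure to subsystem a) or b). This is an added example, not part of the original report or of Samba; the function names, the bitmask return value and the NET/WBINFO override variables are assumptions made here.

```shell
#!/bin/sh
# Post-update check for a Linux client that has already run "net rpc join"
# against the Samba3x DC and has winbindd running.
# NET and WBINFO may be overridden (assumption of this example, used for
# testing); by default the real Samba tools are called.
NET=${NET:-net}
WBINFO=${WBINFO:-wbinfo}

# a) netlogon credential chain: "net rpc testjoin" must succeed.
check_netlogon() {
    "$NET" rpc testjoin >/dev/null 2>&1
}

# b) samr access checks: enumeration must succeed AND return entries.
# $1 is -u (users) or -g (groups).
check_enum() {
    out=$("$WBINFO" "$1" 2>/dev/null) || return 1
    [ -n "$out" ]
}

# Return value is a bitmask:
#   0 = all checks passed
#   1 = testjoin failed        (netlogon, item a)
#   2 = user list unavailable  (samr, item b)
#   4 = group list unavailable (samr, item b)
check_samba_dc() {
    rc=0
    check_netlogon || { echo "FAIL: net rpc testjoin (netlogon)"; rc=$((rc | 1)); }
    check_enum -u  || { echo "FAIL: wbinfo -u (samr)"; rc=$((rc | 2)); }
    check_enum -g  || { echo "FAIL: wbinfo -g (samr)"; rc=$((rc | 4)); }
    [ "$rc" -eq 0 ] && echo "OK: join verified, users and groups enumerated"
    return "$rc"
}
```

Source the file and call `check_samba_dc`; a return value of 7 matches the behaviour reported for samba3x-3.3.4, and 0 is the expected result after the update.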
