Gisteren is in de vorm van versie 3.0.23c een update van Samba uitgebracht. Dit programma draait op Unix-, BSD- en Linux-gebaseerde servers en is in staat om file- en/of printer-services aan Windows-clients te bieden via het zogenaamde Common Internet File System-protocol, oftewel CIFS. Uitgebreide documentatie, inclusief praktische zogenaamde HowTo's kunnen op deze pagina worden gevonden. De volledige release notes zijn op deze pagina ondergebracht, dit zijn de meest belangrijke veranderingen:
Common bugs fixed in 3.0.23c include:RID Algorithms and Passdb
- Authentication failures in pam_winbind when the AD domain policy is set to not expire passwords.
- Authorization failures when using smb.conf options such as "valid users" with the smbpasswd passdb backend.
Starting with the 3.0.23c release, the officially supported passdb backends (smbpasswd, tdbsam, and ldapsam) now operate identically with regards to the historical RID algorithm for unmapped users and groups (i.e. accounts not in the passdb or group mapping table). The resulting behavior is that all unmapped users are resolved to a SID in the S-1-22-1 domain and all unmapped groups resolve to a SID in the S-1-22-2 domain. Previously, when using the smbpasswd passdb, such users and groups would resolve to an algorithmic SID in the machine's own domain (S-1-5-XX-XX-XX). However, the smbpasswd backend still utilizes the RID algorithm when creating new user accounts or allocating a RID for a new group mapping entry.
With the changes in the 3.0.23c release, it is now possible to resolve a uid/gid, name, or SID in any direction and always obtain a symmetric mapping. This is important so that values for smb.conf parameters such as "valid users" resolve to the same SIDs as those included in the local user's initial token.
Most installations will notice no change. However, because an unmapped account's SID will now change even when using smbpasswd it is possible that any security descriptors on files previously copied from a Samba host to a Windows NTFS partition may now fail to give access. The workaround is to either manually map all affect groups (or add impacted users to the server's passdb) or to manually reset the file's ACL.[break]
:strip_exif()/i/1214996389.gif?f=thumbmedium)
:strip_icc():strip_exif()/u/67544/crop67141b2d71854_cropped.jpg?f=community){kind=small}
:strip_exif()/u/10073/compu.gif?f=community){kind=small}