Download Samba 3.0.23c

Yesterday an update of Samba was released in the form of version 3.0.23c. This program runs on Unix, BSD, and Linux-based servers and is capable of providing file and/or printer services to Windows clients through the so-called Common Internet File System protocol, or CIFS. Extensive documentation, including practical so-called HowTo’s can be downloaded this page are being found. The full release notes are up this page accommodated, these are the most important changes:

Common bugs fixed in 3.0.23c include:

• Authentication failures in pam_winbind when the AD domain policy is set to not expire passwords.
• Authorization failures when using smb.conf options such as “valid users” with the smbpasswd passdb backend.

RID Algorithms and Passdb

Starting with the 3.0.23c release, the officially supported passdb backends (smbpasswd, tdbsam, and ldapsam) now operate identically with regards to the historical RID algorithm for unmapped users and groups (ie accounts not in the passdb or group mapping table). The resulting behavior is that all unmapped users are resolved to a SID in the S-1-22-1 domain and all unmapped groups resolve to a SID in the S-1-22-2 domain. Previously, when using the smbpasswd passdb, such users and groups would resolve to an algorithmic SID in the machine’s own domain (S-1-5-XX-XX-XX). However, the smbpasswd backend still utilizes the RID algorithm when creating new user accounts or allocating a RID for a new group mapping entry.

With the changes in the 3.0.23c release, it is now possible to resolve a uid/gid, name, or SID in any direction and always obtain a symmetric mapping. This is important so that values ​​for smb.conf parameters such as “valid users” resolve to the same SIDs as those included in the local user’s initial token.

Most installations will notice no change. However, because an unmapped account’s SID will now change even when using smbpasswd it is possible that any security descriptors on files previously copied from a Samba host to a Windows NTFS partition may now fail to give access. The workaround is to either manually map all affect groups (or add impacted users to the server’s passdb) or to manually reset the file’s ACL.[break]