The branch, master has been updated
       via  d0e3915 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901
      from  7604118 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d0e3915ecd116eab2883c7db41c2fd47849db3b6 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Nov 16 20:22:41 2021 +0100 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901 ----------------------------------------------------------------------- Summary of changes: posted_news/20211108-113640.4.15.2.body.html | 8 +++---- security/CVE-2020-25717.html | 34 ++++++++++++++++++---------- 2 files changed, 26 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html index 4370442..11bf4f8 100644 --- a/posted_news/20211108-113640.4.15.2.body.html +++ b/posted_news/20211108-113640.4.15.2.body.html @@ -22,11 +22,11 @@ There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at <a href="https://bugzilla.samba.org/show_bug.cgi?id=14899">bug #14899</a>. </p><p> -Please also notice the additional fix and advanced example -for the 'username map [script]' based fallback from -'DOMAIN\user' to 'user'. See +Please also notice the additional fixes from <a href="https://bugzilla.samba.org/show_bug.cgi?id=14901">bug #14901</a> and -<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2251</a>. +<a href="https://gitlab.com/samba-team/samba/-/merge_requests/2251">Gitlab merge request 2253</a>. +obsolete required 'username map [script]' based fallback from +'DOMAIN\user' to 'user' in most cases. </p> <p> diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html index 49811db..1321426 100644 --- a/security/CVE-2020-25717.html +++ b/security/CVE-2020-25717.html 
@@ -81,29 +81,39 @@ as it dangerous and not needed when nss_winbind is used (even when However there are setups which are joined to an active directory domain just for authentication, but the authorization is handled without nss_winbind by mapping the domain account to a local user -provided by nss_file, nss_ldap or something similar. NOTE: These -setups won't work anymore without explicitly mapping the users! +provided by nss_file, nss_ldap or something similar. -For these setups administrators need to use the 'username map' or -'username map script' option in order to map domain users explicitly -to local users, e.g. +[Obsoleted 2021-11-16] + NOTE: These setups won't work anymore without explicitly mapping the users! - user = DOMAIN\user + For these setups administrators need to use the 'username map' or + 'username map script' option in order to map domain users explicitly + to local users, e.g. -Please consult 'man 5 smb.conf' for further details on 'username -map' or 'username map script'. Also note that in the above example '\' -refers to the default value of the 'winbind separator' option. + user = DOMAIN\user + + Please consult 'man 5 smb.conf' for further details on 'username + map' or 'username map script'. Also note that in the above example '\' + refers to the default value of the 'winbind separator' option. [Added 2021-11-11] There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14899 - Please also notice the additional fix and advanced example - for the 'username map [script]' based fallback from +[Updated 2021-11-16] + + Please also notice the additional fix that obsoletes + the above 'username map [script]' based fallback from 'DOMAIN\user' to 'user'. 
See https://bugzilla.samba.org/show_bug.cgi?id=14901 and - https://gitlab.com/samba-team/samba/-/merge_requests/2251 + https://gitlab.com/samba-team/samba/-/merge_requests/2253 + + It's possible have setups make use of 'idmap_nss' in order + to provide a mapping from the domain account to a local user, + often even without 'nss_winbindd'. Such setups should work again + as before with the patches from bug 14901. + But note the 'min domain uid' setting may still be required. ============ Beyond Samba -- Samba Website Repository
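Review bot: In the posted_news/20211108-113640.4.15.2.body.html hunk, the changed anchor line still carries href="https://gitlab.com/samba-team/samba/-/merge_requests/2251" while its link text now reads "Gitlab merge request 2253". The security/CVE-2020-25717.html hunk of the same commit changes the URL itself to 2253, so the href here should be updated to match, otherwise readers of the news item land on the older merge request. The sentence is also split by the period after the closing </a>: "2253</a>." is followed by "obsolete required 'username map [script]' based fallback", which leaves a fragment. Dropping that period and wording it along the lines of "which make the previously required 'username map [script]' based fallback unnecessary in most cases" would say what appears to be intended.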
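Review bot: In the security/CVE-2020-25717.html hunk, the new paragraph under [Updated 2021-11-16] writes 'nss_winbindd' where the unchanged context above it uses 'nss_winbind'; the advisory should use one spelling so administrators are not left looking for a differently named module. In the same paragraph, "It's possible have setups make use of 'idmap_nss'" is missing words (for example "It's possible to have setups that make use of"). The closing line says 'min domain uid' "may still be required" without saying for which setups. Since the [Obsoleted 2021-11-16] block retires the explicit mapping guidance, including its pointer to 'man 5 smb.conf', a sentence on when the setting is still needed, or an equivalent pointer, would let readers decide whether their configuration is affected.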