Updated samba packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Samba is an open-source implementation of the Server Message Block (SMB) and Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.
The samba packages have been upgraded to upstream version 3.6, which provides a number of bug fixes and enhancements over the previous version. In particular, support for the SMB2 protocol has been added. SMB2 support can be enabled with the following parameter in the [global] section of the
max protocol = SMB2
Additionally, Samba now has support for AES Kerberos encryption. AES support has been available in Microsoft Windows operating systems since Windows Vista and Windows Server 2008. It is reported to be the new default Kerberos encryption type since Windows 7. Samba now adds AES Kerberos keys to the keytab it controls. This means that other Kerberos based services that use the Samba keytab and run on the same machine can benefit from AES encryption. In order to use AES session keys (and not only use AES encrypted ticket granting tickets), the Samba machine account in Active Directory's LDAP server needs to be manually modified. For more information, refer to the Microsoft Open Specifications Support Team Blog.
Also note that several Trivial Database (TDB) files have been updated and printing support has been rewritten to use the actual registry implementation. This means that all TDB files are upgraded as soon as you start the new Samba server daemon (
smbd) version. You cannot downgrade to an older Samba version unless you have backups of the TDB files. (BZ#649479)
The updated samba packages also change the way ID mapping is configured. Users are advised to modify their existing Samba configuration files. For more information, refer to the Release Notes for Samba 3.6.0, the
smb.confman page and the individual IDMAP backend man pages.
If you upgrade from Red Hat Enterprise Linux 6.3 to Red Hat Enterprise Linux 6.4 and you have Samba in use, you should make sure that you uninstall the package named samba4 to avoid conflicts during the upgrade.
- Previously, the pam_winbind utility returned an incorrect PAM error code if the Winbind module was not reachable. Consequently, users were not able to log in even if another PAM Module authenticated the user successfully. With this update, the error
PAM_USER_UNKNOWNis always returned in case Winbind fails to authenticate a user. As a result, users successfully authenticated by another PAM module can log in as expected.
- Samba 3.6 failed to migrate existing printers from the Trivial Database (TDB) to the registry due to a Network Data Representation (NDR) alignment problem. Consequently, printers from 3.5 could not be migrated and the Samba server daemon (
smbd) stopped with an error. The NDR parser has been fixed to correctly parse printing entries from Samba 3.5. As a result, printers are correctly migrated from 3.5 TDB to the 3.6 registry.
- Due to a regression, the previous release changed the behavior of resolving domain local groups and the Winbind daemon (
winbindd) could not find them. The original behavior for resolving the domain local groups has been restored. As a result, the
IDcommand resolves domain local groups in its own domain correctly again.
- The net utility improperly displayed the realm which it had joined in all lowercase letters. Consequently, a user might misunderstand the domain join and might use the lowercase format of the realm name. This update corrects the case and improves the wording of the message printed about a domain join. As a result, the user is correctly informed as to which
DNSdomain the system has joined.
- If a Domain Controller (DC) was rebuilding the System Volume (Sysvol) shared directory and turned off netlogon, users were not able to log in until it was finished, even if another working DC was available. Consequently, users could not log in and got strange errors if netlogon was available and then was turned off. With this update, Samba retries twice to open the netlogon connection and if it still does not work the DC is added to the negative connection cache and Samba will failover to the next DC. As a result, the user no longer sees any error messages in this scenario and can log in using another DC as expected.
- When joining an Active Directory domain and using Samba's support for using Kerberos keytabs, AES Kerberos keys were not added into the generated keytab. Consequently, Samba did not support the new AES encryption type for Kerberos. This update adds support for AES Kerberos keys to Samba and AES Kerberos Keys are now created in the keytab during the Domain join.
Users of samba are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.