Posted by: ITKE
Administration, interoperability and integration, Samba, Security
We just put a Samba tip up the other day regarding bugs and bug fixes, so it’s kind of ironic that Jerry Carter, release manager for the Samba team, sent out a few bug updates today to the mailing list.
The first, complete with patch availability:
The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user’s home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the “winbind nss info”smb.conf option to either “sfu” or “rfc2307″.
Both the Windows “Identity Management for Unix” and “Services for Unix” MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user’s Windows primary group.
When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.
A patch addressing this defect has been posted to
Additionally, Samba 3.0.26 has been issued as a security release to correct the defect.
Samba and Active Directory administrators may avoid this security issue by two methods:
(a) Ensure that all user’s stored in AD are properly assigned a Unix primary group, or
(b) Discontinue use of the sfu or rfc2307 “winbind nss info” plugin until a patched version of the idmap_ad.so library can be installed.
Note that the problem is only evident on servers using the sfu or rfc2307 “winbind nss info” plugin and not those only making use of Winbind’s idmap_ad IDMap backend interface.
There is also version 3.0.26a available for download today, complete with bug fix (Memory leaks in Winbind’s IDMap manager).
The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:
The release notes are available online at:
Binary packages will be made available on a volunteer basis at