On Tue, Dec 08, 2015 at 03:24:00PM +0100, Herwin Weststrate wrote:
On 08-12-15 15:02, Matthew Newton wrote:
Yes, by adding the patches in that bug report. Should apply easily to all 4.x versions.
Well, that would defy my (unwritten) purpose of keeping the system as much debian-stock as possible. Instead of recompiling a 4.1.something with those changes, I could as well use a more recent version of Samba directly (which would probably be less work).
We run Debian here and I'm in exactly the same position. My choices have been to compile Samba locally and put in /opt or to try and use 4.3.x from Debian experimental. Former works fine but is just a bit messy (local init scripts really). Latter is horrible in terms of package dependencies as it wants to upgrade the whole system. Samba 4.3.x from experimental won't compile cleanly on stable (build dependencies - official Samba releases compile fine). I hadn't thought of patching Debian's Samba version and building packages of that - would actually be the cleanest way. It's not as if Samba itself is being used really anyway. All we want are winbind and libwbclient. If there's a critical Samba vulnerability then the immediate fix is to update to latest Debian Samba and drop back to ntlm_auth, then to patch and rebuild locally at leisure. FWIW, so far since upgrading our RADIUS server hardware in October we haven't seen any issues with ntlm_auth... whether this is good or bad, I'm not sure! Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>