Possibilities for using winbind libs with Samba < 4.2.1

Matthew Newton mcn4 at leicester.ac.uk
Tue Dec 8 15:31:06 CET 2015


On Tue, Dec 08, 2015 at 03:24:00PM +0100, Herwin Weststrate wrote:
> On 08-12-15 15:02, Matthew Newton wrote:
> > Yes, by adding the patches in that bug report. Should apply easily
> > to all 4.x versions.
> 
> Well, that would defy my (unwritten) purpose of keeping the system as
> much debian-stock as possible. Instead of recompiling a 4.1.something
> with those changes, I could as well use a more recent version of Samba
> directly (which would probably be less work).

We run Debian here and I'm in exactly the same position.

My choices have been to compile Samba locally and put in /opt or
to try and use 4.3.x from Debian experimental. Former works fine but
is just a bit messy (local init scripts really). Latter is
horrible in terms of package dependencies as it wants to upgrade
the whole system. Samba 4.3.x from experimental won't compile
cleanly on stable (build dependencies - official Samba releases
compile fine).

I hadn't thought of patching Debian's Samba version and building
packages of that - would actually be the cleanest way.

It's not as if Samba itself is being used really anyway. All we
want are winbind and libwbclient. If there's a critical Samba
vulnerability then the immediate fix is to update to latest Debian
Samba and drop back to ntlm_auth, then to patch and rebuild
locally at leisure.

FWIW, so far since upgrading our RADIUS server hardware in October
we haven't seen any issues with ntlm_auth... whether this is good
or bad, I'm not sure!

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Devel mailing list