Post Update – Active Directory Authentication Fixed in SAMBA Update 4.2.10-6.2.el7_2
It was back in April when I posted the article here that SAMBA Update 4.2.10-6.el7_2 completely broke authentication with a Windows Active Directory domain controller, and in an emergency I had to roll back to the previous version. That blog post can be found here. It has been one of the most popular posts over the last couple of months.
The update was released to fix the Badlock vulnerability, which could leave your servers open to man-in-the-middle or denial-of-service attacks. The only problem was that upon installation and restarting of the SAMBA services, domain users were unable to authenticate with their accounts. After a few hours of trying to troubleshoot the issue, the only option available was to roll back to the previous version of SAMBA. Not something to be taken lightly, especially when a vulnerability patch is involved.
Surprisingly, it took 2 months for the next SAMBA update to be released in the CentOS Repos. I hear that Ubuntu had a fixed version almost immediately. Something to think about when I think about putting my next Linux server online. In fact, with the version number being so similar, I almost missed it, except I was actually physically looking at the REPO directories on a CentOS mirror and noticed the June 25th modified date.
I immediately fired up my development server and did a yum update. This is what was waiting for me:
samba x86_64 4.2.10-6.2.el7_2 updates 615 k
samba-client x86_64 4.2.10-6.2.el7_2 updates 497 k
samba-client-libs x86_64 4.2.10-6.2.el7_2 updates 4.3 M
samba-common noarch 4.2.10-6.2.el7_2 updates 273 k
samba-common-libs x86_64 4.2.10-6.2.el7_2 updates 157 k
samba-common-tools x86_64 4.2.10-6.2.el7_2 updates 445 k
samba-libs x86_64 4.2.10-6.2.el7_2 updates 261 k
samba-winbind x86_64 4.2.10-6.2.el7_2 updates 466 k
samba-winbind-clients x86_64 4.2.10-6.2.el7_2 updates 120 k
samba-winbind-modules x86_64 4.2.10-6.2.el7_2 updates 106 k
After the update I rebooted the server (the update included a kernel patch) and did a simple wbinfo -u (Winbind list users). I was happily rewarded with a list of my domain users! The final test was switching to a domain user account with su - (domainusername). Again I was happily rewarded with a successful login.
On one hand I can happily say this issue has been fixed, but it does leave me with a somewhat bad taste in my mouth that it took this long to get a fix into the repository, when the same issue was affecting Ubuntu’s users and the patch was made available within weeks. I understand the philosophy behind CentOS and its stability. However, leaving your users with a known vulnerability for months seems like a poor choice!
Anyway, I am happy to report the issue as being resolved, and I thank the people who came to Brent’s World after I reported the problem!
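The same post-update check can be scripted so it runs on a development server before a SAMBA security update is promoted to production. This is an added example, not part of the original post: the function name ad_auth_smoke_test and the account name passed to it are placeholders, and the wbinfo -t and getent steps go beyond the wbinfo -u and su - checks described above.

```shell
#!/bin/sh
# Post-update smoke test for winbind / Active Directory authentication.
# Example only: pass a real domain account name as the first argument.

ad_auth_smoke_test() {
    user="$1"
    if [ -z "$user" ]; then
        printf '%s\n' "usage: ad_auth_smoke_test DOMAIN_USER" >&2
        return 2
    fi

    # 1. Is the machine account's trust secret with the domain still valid?
    if ! wbinfo -t >/dev/null 2>&1; then
        printf '%s\n' "FAIL: wbinfo -t (trust secret check)" >&2
        return 1
    fi

    # 2. Can winbind enumerate domain users (the wbinfo -u check from the post)?
    #    grep -c exits non-zero on zero matches, hence the "|| true".
    count=$(wbinfo -u 2>/dev/null | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        printf '%s\n' "FAIL: wbinfo -u returned no domain users" >&2
        return 1
    fi

    # 3. Does the account resolve through NSS? su - cannot work without this.
    #    A real su - additionally exercises PAM, so keep that manual login test.
    if ! getent passwd "$user" >/dev/null 2>&1; then
        printf '%s\n' "FAIL: getent passwd $user" >&2
        return 1
    fi

    printf '%s\n' "OK: trust valid, $count domain users listed, $user resolves"
    return 0
}

# Run the check when the script is called with an account name.
if [ "$#" -gt 0 ]; then
    ad_auth_smoke_test "$1"
fi
```

A non-zero exit status is the signal to hold the update back or roll it back before domain users are locked out.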