Centrify for Samba (ADBindProxy) 5.7.0 Release Notes

© 2004-2020 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1. About This Release

2. Package Contents

3. Supported Platforms

4. Feature Changes

4.1. Feature Changes in Centrify for Samba 5.7.0

4.2. Feature Changes in Centrify for Samba 5.6.1

5. Bugs Fixed

5.1. Bug Fixed in Centrify for Samba 5.7.0

5.2. Bug Fixed in Centrify for Samba 5.6.1

6. Getting Started

7. Known Issues

8. Additional Information and Support

 

1. About This Release

Centrify for Samba is a proxy agent package that seamlessly integrates the Centrify DirectControl Agent for *NIX in Centrify Zero Trust Privilege Services (previously called Centrify Infrastructure Services, or Centrify Server Suite) with open source Samba (referred to as stock Samba in this document), enabling the two products to share Active Directory user and group membership and to agree upon Unix identity attributes for Active Directory users. It is a proxy that passes identity management requests from Samba to Centrify DirectControl Agent for *NIX.

The documentation, Samba Integration Guide (centrify-adbindproxy-guide.pdf), is available online to guide customers through the setup and configuration of Centrify for Samba in both new and existing environments.

The latest copies of these release notes, as well as the above-mentioned documentation, are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

2. Package Contents

The Centrify for Samba bundle package contains the following resources:

·           Centrify for Samba software package (e.g. CentrifyDC-adbindproxy-<version#>-<OS>.<architecture>.rpm, or similar platform specific package file)

·           Centrify for Samba Release Notes (Centrify-Adbindproxy-Release-Notes.html, these release notes)

3. Supported Platforms

The Centrify for Samba bundle package is available on the following OS/platforms in this release:

·         HPUX on Itanium

·         HPUX on PA-RISC

·         IBM AIX on PPC

·         Oracle Solaris on SPARC

·         Oracle Solaris on x86_64

·         Ubuntu on x86_64

·         Red Hat Enterprise Linux on PPC

·         Red Hat Enterprise Linux on PPC64LE

·         Red Hat Enterprise Linux on x86_64

·         SUSE Linux Enterprise Server on x86_64

 

Note: This is the last release to support the HPUX platform on both Itanium and PA-RISC. (Ref: SAMBA-1090)

 

This Centrify for Samba release supports stock Samba versions 4.10 to 4.13. You are strongly advised to apply the latest Samba security patches before deploying Centrify for Samba.

For the OS versions that a Centrify for Samba bundle package supports, please refer to the supported OS versions of the matching Centrify DirectControl Agent for *NIX package of the corresponding Centrify Zero Trust Privilege Services release. Centrify for Samba also follows the Centrify DirectControl Agent for *NIX schedule for End-of-Support platforms, so please refer to the announcements there.

4. Feature Changes

4.1.  Feature Changes in Centrify for Samba 5.7.0

This release of DirectControl for Samba works with Centrify Server Suite Release 2020.

Note: It does not work with previous Centrify Server Suite releases, and previous versions of DirectControl for Samba do not work with Centrify Server Suite 2020 either, because of the underlying library changes. (Ref: SAMBA-1089)

This release now supports the Oracle Solaris IPS package. (Ref: SAMBA-1088, CS-49238)

·         Note: On Solaris 11, all Centrify packages must be in the same format, either SVR4 or IPS, so they can only be migrated all together.

·         To migrate, merge the content of the Centrify Adbindproxy bundle (centrify-adbindproxy-5.7.0-sol11-*.tgz) with the content of the main release bundle (unzipped into the same directory), and then run the regular SVR4 to IPS migration procedure.

Added a new review option (--test, -c) to the adbindproxy.pl script. When the option is specified with an output filename, the script generates the target Samba configuration file under that filename for review. This is a review-only option and does not change anything. (Ref: SAMBA-998)

Added a new option (--noTestShare, -T) to the adbindproxy.pl script so that it neither creates the test folder "/samba-test" nor generates the [samba-test] share when updating the smb.conf file. (Ref: SAMBA-997)

4.2.  Feature Changes in Centrify for Samba 5.6.1

This release of Centrify for Samba works with Centrify Infrastructure Services 2017 and up.

This release is enhanced to support Samba 4.10 and 4.11, which use winbindd interface version 31. (Ref: SAMBA-1076)

Added two new parameters to customize the thread pool of adbindd. (Ref: SAMBA-1071)

·         "adbindd.threads" sets the number of pre-allocated threads for processing client requests, and

·         "adbindd.threads.max" sets the maximum number of threads that adbindd will allocate for processing client requests.

Added support for the systemd service manager. On Linux systems where stock Samba services are managed by systemd, the centrifydc-samba service is installed as a systemd service instead of a System V init script. Please use the systemctl command to control the service in this case. (Ref: SAMBA-1075)

5. Bugs Fixed

5.1.  Bug Fixed in Centrify for Samba 5.7.0

·         Fixed a bug where the adbindproxy.pl script failed to set up the CentrifyDC Samba service properly if the kset.trusts file was not present. (Ref: SAMBA-1087)

·         Fixed a bug where upgrading from CentrifyDC-adbindproxy version 5.5.2-5.6.1 on Linux platforms caused the removal of the centrifydc-samba service and the loss of the Samba configuration. Note: this is still a problem on Debian/Ubuntu platforms as it is not fixable there. (Ref: SAMBA-1085)

5.2.  Bug Fixed in Centrify for Samba 5.6.1

·         Fixed a bug that randomly crashed adbindd. (Ref: SAMBA-1069)

·         Fixed a bug where access to a Samba share failed when the AD user’s samaccountname and unixname were different and the "force user" option was defined. Note: All groups that this "force user" belongs to must be zone enabled for this to work. (Ref: SAMBA-1068)

·         Fixed a bug where Samba shares did not work if SELinux was enabled. The adbindproxy setup script now prompts users to choose whether to grant the smbd process access to files and directories that are not of type samba_share_t if an SELinux policy is detected. (Ref: SAMBA-1044)

6. Getting Started

·           Read the centrify-adbindproxy-guide.pdf that is included in this package.

 

·           The following is a summary of the steps to install and configure Centrify for Samba. Please refer to the instructions in centrify-adbindproxy-guide.pdf for details.

-    Preparation

    -    If there is no Samba installed, install stock Samba first. Many Linux distributions already include Samba.

    -    If you are doing a fresh Centrify for Samba installation in an environment with stock Samba running, back up smb.conf just in case.

    -    If you are upgrading from an existing Centrify Samba environment:

        -    Back up your smb.conf.

        -    Uninstall Centrify Samba.

        -    Install stock Samba and make sure it works in your environment. (Note that you will need to replace or merge the smb.conf from stock Samba with your back-up copy. This is especially important if you have file path settings in the original smb.conf.)

-    Install and configure Centrify for Samba

    -    Install Centrify DirectControl Agent for *NIX if you have not already done so.

    -    Install the Centrify for Samba package.

    -    If you are using Centrify DirectControl Agent for *NIX from Centrify Server Suite 2016 on a Redhat 7.x platform, you need to do these extra steps:

        -    Open a command terminal and run the following command:

             vi /etc/centrifydc/scripts/functions.cdc

        -    Comment out the two lines containing LD_LIBRARY_PATH, e.g.

             # LD_LIBRARY_PATH=/usr/share/centrifydc/lib64:/user/share/centrifydc/kerberos/lib64:$LD_LIBRARY_PATH

             # export LD_LIBRARY_PATH

        -    Save the file with the changes.

        -    Modify the symbolic link of the adkeytab utility:

             cd /sbin

             ls -l adkeytab

             rm adkeytab

             ln -s /usr/share/centrifydc/libexec/adkeytab /sbin/adkeytab

    -    Join the machine to a zone using adjoin.

    -    Run adbindproxy.pl to configure the proxy environment.

-    Additional steps

    -    If you have customized any existing smb.conf settings, verify that the new smb.conf still has all the relevant settings.

    -    Restart stock Samba and Centrify for Samba by running either one of the following commands:

         /etc/init.d/centrifydc-samba restart

         service centrifydc-samba restart

    -    You may want to ensure that stock Samba’s sbin and bin paths have been set in the PATH environment variable.
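One way to carry out the smb.conf verification step above, or to review the file written by the --test option from section 4.1, shown as an added example that is not Centrify's code: it compares a backed-up smb.conf with a regenerated one using Samba's parameter-name rules and reports removed, added and changed settings, including a newly generated [samba-test] share. The function names and the sample file contents are constructed for illustration.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} using Samba's name rules."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines() + [""]:      # sentinel flushes a trailing continuation
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                          # blank line or comment
        line, pending = pending + stripped, ""
        if line.endswith("\\"):               # backslash continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # Names are case-insensitive and whitespace inside them is ignored.
            current[re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections

def diff_smb_conf(backup_text, new_text):
    """Return sorted (kind, section, param) findings; values are compared literally."""
    old, new = parse_smb_conf(backup_text), parse_smb_conf(new_text)
    findings = []
    for sec in old.keys() | new.keys():
        if sec not in old or sec not in new:
            findings.append(("section-added" if sec in new else "section-removed", sec, ""))
            continue
        for p in old[sec].keys() | new[sec].keys():
            if p not in new[sec]:
                findings.append(("param-removed", sec, p))
            elif p not in old[sec]:
                findings.append(("param-added", sec, p))
            elif old[sec][p] != new[sec][p]:
                findings.append(("param-changed", sec, p))
    return sorted(findings)

# Constructed sample inputs: a backed-up smb.conf and a regenerated one.
BACKUP = ("[global]\nsecurity = ADS\nLog Level = 1\n"
          "[projects]\npath = /srv/projects\nvalid users = @engineering\nread only = yes\n")
REVIEW = ("[global]\nsecurity = ADS\nloglevel = 1\n"
          "[projects]\npath = /srv/projects\nread only = no\n"
          "[samba-test]\npath = /samba-test\n")

if __name__ == "__main__":
    for finding in diff_smb_conf(BACKUP, REVIEW):
        print(*finding)
```

A dropped "valid users" line or a "read only" value that flipped on an existing share is the kind of finding to resolve before restarting the services.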

7. Known Issues

The following sections describe common known issues or limitations associated with this Centrify for Samba release.

·           Limitations with stock Samba

 

In previous Centrify Samba releases, we modified the following in stock Samba for interoperability. When using stock Samba instead of Centrify Samba, you may see related issues.

-    Default Kerberos keytab location, KEYTAB_DEFAULT, changed from /etc/krb5.keytab to /etc/krb5/krb5.keytab on Solaris (SAMBA-890).

-    Default Kerberos cache location, CCNAME, changed from /tmp/krb5cc_%{uid} to /var/krb5/security/creds/krb5cc_%{uid} on AIX (SAMBA-892).

 

·           Limitations with RHEL 7.2 PPC (SAMBA-965)

 

If you are using 64-bit Samba on a RHEL 7.2 PPC machine, adclient may fail to use the 64-bit tdb library that comes with 64-bit Samba. The symptom is the following error message when trying to access the Samba server: “session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO”.

You need to install a 32-bit tdb library, e.g. libtdb-1.3.6-2.el7.ppc.rpm in rhel-server-7.2-ppc64-dvd.iso, for adclient to work with, and tell adclient where to find this library by adding the parameter “samba.libtdb.path: /usr/lib/libtdb.so.1” to centrifydc.conf, assuming the path to libtdb is /usr/lib/libtdb.so.1.

 

·           Limitations with AIX 7.1 (SAMBA-966)

 

If you are using Centrify for Samba with stock Samba and Centrify Server Suite 2014 or 2013.3 on an AIX machine, it may not work well due to a library problem. The symptom is the following error message when trying to access the Samba server: “session setup failed: NT_STATUS_NO_LOGON_SERVERS”.

You may try the following changes to the Samba tools, e.g. smbd, smbstatus and testparm, to work around it:

-    mv /usr/local/samba/sbin/smbd /usr/local/samba/sbin/smbd.x

-    vi /usr/local/samba/sbin/smbd

#! /bin/sh

unset _ LD_LIBRARY_PATH

unset _ LD_PRELOAD

LIBPATH=/usr/local/samba/lib:/usr/local/samba/lib/private

export LIBPATH

exec /usr/local/samba/sbin/smbd.x "$@"

8. Additional Information and Support

In addition to the documentation provided for this package, you can find answers to common questions, information about general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.

The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks and white papers, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

http://www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify for Samba, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.