I'm trying to address the recently disclosed BadLock Samba vulnerability on my Centrify Express servers that are running the Centrify supplied Samba 3.6.x packages. So I downloaded the new CentrifyDC-adbindproxy 5.3.0 package that is meant to allow the use of OS vendor supplied Samba 4.x packages instead of the previous Centrify Samba 3.6.x packages. All my CentOS servers are fully patched and are running Centrify Express 2016.
I followed the directions included in the downloaded package but ran into numerous problems. First it's not entirely clear exactly which specific Samba packages are required. I found that at a minimum running "yum install samba4 samba4-winbind" seemed to satisfy the requirements. After I installed the CentOS supplied Samba 4 packages, I installed/upgraded the CentrifyDC-adbindproxy package to version 5.3.0 and ran /usr/share/centrifydc/bin/adbindproxy. The problem I immediately ran into was the previous shared folders were not available to users. Active Directory attached Windows clients would be challenged for the login/password credentials. When entered, user credentials were rejected. Here's a typical share definition that I use:
[data]
comment = Data Directory
path = /data
valid users = @DOMAIN\group, @DOMAIN\group1
read only = No
force create mode = 0664
force directory mode = 0775
If I comment out the "valid users" line, users can map a network drive and are not challenged for their AD credentials. However, the share is in a read-only mode despite the fact the POSIX permissions and AD ACL's are correct.
Has anyone else run into this problem? I am missing something? I realize that I am using the Express version and that this is one of those "you get what you pay for" propositions. Any help would be greatly appreciated.
Andrew