Bug 57369 - UCS 5-0-x still uses legacy nmbd, even as Active Directory DC
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba maintainers
QA Contact: Samba maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-30 11:45 CEST by Arvid Requate
Modified: 2024-06-27 11:35 CEST (History)
0 users

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:


Description Arvid Requate univentionstaff 2024-05-30 11:45:47 CEST
UCS 5-0-x still uses classic nmbd, even as Active Directory DC. Initially we did this to allow Windows clients to see the network environment in the Windows Explorer network neighborhood. But the following points make me reconsider our approach:

* we see Bug 53243, i.e. the intended benefit is not delivered
* Modern Windows clients have network browsing disabled by default
* UCS goes a "special way", different from Samba team by running the legacy "nmbd" daemon "standalone" instead of using the more modern "nmb" service that is managed by samba
* There are strange log messages by nmbd having problems with browsing the domain

I propose to stop using "nmbd" and to switch to the upstream service architecture here. This would improve the security posture of the product IMHO.

Note: there's also Bug 52455.