freeipa/install/updates/90-post_upgrade_plugins.update
Alexander Bokovoy 703497532a Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.

Add a default mapping of the nobody group to BUILTIN\Guests.

BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.

For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.

This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.

Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-09-26 11:40:19 +02:00

37 lines
1.0 KiB
Plaintext

# first
# middle
plugin: update_ca_topology
plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion
plugin: update_dnszones
plugin: update_dns_limits
plugin: update_sigden_extdom_broken_config
plugin: update_sids
plugin: update_default_range
plugin: update_default_trust_view
plugin: update_tdo_gidnumber
plugin: update_ca_renewal_master
plugin: update_idrange_type
plugin: update_pacs
plugin: update_service_principalalias
plugin: update_fix_duplicate_cacrt_in_ldap
plugin: update_upload_cacrt
# update_ra_cert_store has to be executed after update_ca_renewal_master
plugin: update_ra_cert_store
plugin: update_mapping_Guests_to_nobody
# last
# DNS version 1
plugin: update_master_to_dnsforwardzones
# DNS version 2
plugin: update_dnsforward_emptyzones
plugin: update_managed_post
plugin: update_managed_permissions
plugin: update_read_replication_agreements_permission
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
plugin: update_dnsserver_configuration_into_ldap
plugin: update_ldap_server_list
plugin: update_dna_shared_config