SAMBA+ 4.15.2, 4.14.10 and 4.13.14 have just been released by SerNet. These are important security releases, please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.
The packages address the following issues:
- CVE-2020-25717: A user in an AD Domain could become root on domain members.
- CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
- CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
- CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
- CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
- CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
- CVE-2021-3738: Use after free in Samba AD DC RPC server.
- CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
These releases involve behaviour changes which might break existing setups. Additional configuration changes might be required.
A new smb.conf parameter "min domain uid" (default 1000) has been added. By default, no UNIX uid below this value will be accepted for a domain account. Please check your ID-mapping (idmap) configuration, in particular idmap ranges that start below this value.
The fallback from 'DOMAIN\user' to just 'user' has also been removed, as it is dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).
However, there are setups which are joined to an Active Directory domain just for authentication, while authorization is handled without nss_winbind by mapping the domain account to a local user provided by nss_files, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping the users!
For these setups administrators need to use the 'username map' or 'username map script' option in order to map domain users explicitly to local users, e.g. a map file line of the form user = DOMAIN\user, where the left-hand side is the local (UNIX) user and the right-hand side the domain account.
Please consult 'man 5 smb.conf' for further details on 'username map' and 'username map script'. Also note that the '\' in the above example is the default value of the 'winbind separator' option.
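As an added example (not SerNet's or the Samba project's code), the following Python script performs the two checks this announcement asks for before an upgrade: it flags idmap ranges whose lower bound is below 'min domain uid', and it lists domain accounts that used to work only through the removed 'DOMAIN\user' to 'user' fallback and are not covered by an explicit 'username map' entry. The smb.conf fragment, the map file, the domain EXAMPLE and the account names are all constructed for the example; only the plain 'unix = smb ...' map syntax with the '!' and '*' forms from 'man 5 smb.conf' is handled ('@group' entries and quoted names with spaces are not).

```python
"""Pre-upgrade check for the behaviour changes in Samba 4.15.2 / 4.14.10 / 4.13.14.

Added example, not SerNet or Samba project code. It parses a constructed smb.conf
and username map and reports:
  1. idmap ranges whose lower bound is below 'min domain uid' (such ranges can
     hand out uids that the new floor rejects), and
  2. domain accounts that used to resolve via the removed 'DOMAIN\\user' -> 'user'
     fallback and are not covered by an explicit 'username map' entry.
Only the plain 'unix = smb ...' map syntax with '!' and '*' is handled; '@group'
entries and quoted names containing spaces are not.
"""
import re

# Constructed smb.conf fragment (hypothetical domain EXAMPLE and ranges).
SMB_CONF = r"""
[global]
   workgroup = EXAMPLE
   security = ads
   winbind separator = \
   min domain uid = 1000
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 500-999999
   username map = /etc/samba/user.map
"""

# Constructed username map: local user on the left, domain account(s) on the right.
USER_MAP = r"""
# '!' stops processing after a match, as described in 'man 5 smb.conf'
!root = EXAMPLE\Administrator
alice = EXAMPLE\alice
backup = EXAMPLE\svc_backup EXAMPLE\svc_backup2
"""


def parse_global(conf):
    """Return [global] parameters as {lower-cased, whitespace-normalised name: value}."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def idmap_ranges_below_floor(params):
    """List (domain, low, high) for idmap ranges whose low end is below 'min domain uid'."""
    floor = int(params.get("min domain uid", "1000"))  # Samba's default is 1000
    offenders = []
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (.+?) : range", name)
        if m:
            low, high = (int(x) for x in value.split("-"))
            if low < floor:
                offenders.append((m.group(1), low, high))
    return offenders


def parse_username_map(text):
    """Parse map lines into (unix_user, [smb names lower-cased], stop_after_match)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_user, rhs = (s.strip() for s in line.split("=", 1))
        stop = unix_user.startswith("!")
        if stop:
            unix_user = unix_user[1:].strip()
        entries.append((unix_user, [n.lower() for n in rhs.split()], stop))
    return entries


def map_user(entries, smb_name):
    """Resolve a DOMAIN\\user name through the map, or return None if nothing matches.

    Mirrors the documented processing order: after a match, later lines are
    compared against the new (unix) name, unless the matching entry started with '!'.
    """
    current, result = smb_name.lower(), None
    for unix_user, smb_names, stop in entries:
        if current in smb_names or "*" in smb_names:
            result, current = unix_user, unix_user.lower()
            if stop:
                break
    return result


def unmapped_domain_users(entries, domain, users, separator="\\"):
    """Domain accounts that only worked through the removed fallback to plain 'user'."""
    return [u for u in users if map_user(entries, f"{domain}{separator}{u}") is None]


def report(conf=SMB_CONF, user_map=USER_MAP,
           domain="EXAMPLE", users=("alice", "bob", "svc_backup", "Administrator")):
    """Run both checks and return the findings (printed when run as a script)."""
    params = parse_global(conf)
    entries = parse_username_map(user_map)
    return {
        "min_domain_uid": int(params.get("min domain uid", "1000")),
        "idmap_ranges_below_floor": idmap_ranges_below_floor(params),
        "unmapped_domain_users": unmapped_domain_users(entries, domain, list(users)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed input the script flags the rid range for EXAMPLE (it starts at 500, below the default floor of 1000) and reports bob as the one account with no map entry; a real run would feed it the system's smb.conf and the file named by 'username map', and the account list from the domain.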
There is a regression with the "allow trusted domains = no" smb.conf option: it prevents the winbind service from starting. We'll provide a follow-up fix as soon as possible.
Additionally the 4.15.2 packages address the following issues:
- Bug 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
- Bug 14846: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc.
- Bug 14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.
SAMBA+ packages and all later versions are available as a software subscription. They can be purchased at the SAMBA+ shop; detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed on our platform OPOSSO (https://oposso.samba.plus), where users can activate their subscriptions and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.