Blog

The Samba team has published an advisory about an issue that applies to Samba used as a domain controller only (both as classic/NT4-style and Active Directory DC). Please read the following text carefully, which we also publish here:

Samba users have reported that the exploit for "ZeroLogon" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

  • server schannel = no
  • server schannel = auto

are NOT secure and we expect they can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py, only confirm that the ServerAuthenticate3 call succeeds, but not that the ServerPasswordSet2 call required to exploit the domain also does.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.

There seems to be some legacy software which still requires "server schannel = auto". See the following bugs:

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497
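The whole advisory turns on one smb.conf parameter, so the following added example (written for this page; it is not code from the Samba team, the Samba project or SerNet) puts the weakened configuration next to the hardened one and audits which of the two a given smb.conf actually yields, including the case where the parameter is simply absent and the built-in default decides. The sample configurations are constructed, and the example assumes plain smb.conf syntax without `include =` files and the defaults stated above ('server schannel = yes' from Samba 4.8 on, 'auto' before that):

```python
"""Audit an smb.conf for the 'server schannel' setting that decides whether a
Samba DC is exposed to Zerologon (CVE-2020-1472).

Added example, not code from Samba or SerNet.  Assumptions: plain smb.conf
syntax (no 'include =' files) and the defaults given in the advisory:
'server schannel = yes' is the built-in default from Samba 4.8 on, 'auto'
before that.  The check matters for DC roles only; on member or standalone
servers the parameter is not the concern described in the advisory.
"""
import configparser

# First two version components from which an absent parameter means 'yes'.
SECURE_DEFAULT_SINCE = (4, 8)

# Constructed sample configs, not taken from any real deployment.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    server role = active directory domain controller
    # Explicitly weakened: the advisory calls 'auto' and 'no' NOT secure.
    server schannel = auto
"""

HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    server role = active directory domain controller
    # Samba's equivalent of Microsoft's FullSecureChannelProtection=1.
    server schannel = yes
"""

# No 'server schannel' line at all: the result depends on the Samba version.
IMPLICIT_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""


def _normalise(name):
    """Samba parameter names are case- and whitespace-insensitive."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return the [global] section as a dict of normalised name -> raw value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = _normalise          # 'Server SChannel' -> 'serverschannel'
    parser.read_string(text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def effective_server_schannel(text, samba_version):
    """Return 'yes', 'no' or 'auto' as the server would interpret the config.

    samba_version is a tuple such as (4, 12, 5); it only selects the built-in
    default when the parameter is not set explicitly.
    """
    raw = parse_global(text).get("serverschannel")
    if raw is None:
        return "yes" if tuple(samba_version)[:2] >= SECURE_DEFAULT_SINCE else "auto"
    value = raw.strip().lower()
    if value in ("yes", "true", "1"):
        return "yes"
    if value in ("no", "false", "0"):
        return "no"
    if value == "auto":
        return "auto"
    raise ValueError(f"unrecognised 'server schannel' value: {raw!r}")


def is_zerologon_hardened(text, samba_version):
    """True only when the effective setting is the one the advisory requires."""
    return effective_server_schannel(text, samba_version) == "yes"


if __name__ == "__main__":
    for label, conf, version in (
        ("weak, 4.12", WEAK_SMB_CONF, (4, 12, 5)),
        ("hardened, 4.7", HARDENED_SMB_CONF, (4, 7, 0)),
        ("implicit, 4.7", IMPLICIT_SMB_CONF, (4, 7, 12)),
        ("implicit, 4.12", IMPLICIT_SMB_CONF, (4, 12, 5)),
    ):
        state = "OK" if is_zerologon_hardened(conf, version) else "INSECURE"
        print(f"{label:15} server schannel = "
              f"{effective_server_schannel(conf, version):4}  -> {state}")
```

The version argument is the point of the third and fourth cases: the same smb.conf with no 'server schannel' line is insecure on a 4.7 DC and secure on 4.12, which is why the advisory asks vendors of 4.7 and older to change the packaged default rather than just the documentation. On a live DC the same two facts can be read with `samba --version` and `testparm -s --parameter-name='server schannel'`, the latter printing the effective value after Samba's own parsing. The per-computer-account exception mechanism the advisory announces was later shipped by Samba as the `server require schannel:COMPUTERACCOUNT$ = no` parameter, which keeps the global 'yes' while exempting a named account.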


The SAMBA+ News are now also available via RSS feed. The URL to the feed is https://samba.plus/feed.rss .

In the News, SerNet's Samba Team regularly provides information on current versions, security updates, events such as sambaXP, etc. They are also a good source for Samba admins to keep up to date.

Alternatively, the SAMBA+ Newsletter is also available.


samba.plus and the SAMBA+ shop are now available in French. SerNet would like to do justice to the great interest that SAMBA+ attracts in French-speaking countries.

Please note: Communication with our team and support of SAMBA+ will continue to be in English and German respectively.


samba.plus and the SAMBA+ shop are now available in French. SerNet wants to do justice to the great interest that SAMBA+ attracts in French-speaking countries.

Please note: Communication with our team and support for SAMBA+ will continue to be in English and German respectively.


SAMBA+ XL Support Budgets

SerNet is expanding the range of defined budgets that can be purchased directly via the SAMBA+ Shop: The Support Budget XL with a scope of 50 service hours now complements the SAMBA+ portfolio. The contingents can be used directly after purchase – customers can thus benefit quickly and easily from SerNet's accumulated Samba know-how.

The Support Budget XL with 50 hours of services already includes a discount of 5% on SerNet's normal hourly rates. Up to four of these contingents can be purchased at once, which corresponds to 200 hours or 5 work weeks. This is ideal for more extensive projects!

The smallest time unit for a request is a quarter of an hour. Monthly account statements as well as a final statement guarantee a transparent overview. Further details on budgets are available on the SAMBA+ website or in the SAMBA+ Shop.


In a news article published by SerNet we report on our current status regarding the COVID-19 pandemic. We update the article regularly whenever there are new developments, because we want to keep our customers and partners informed in a transparent manner.

