Blog

Fast deployment, low maintenance requirements, easy upgrades, uncomplicated relocation - in short: effective time and cost savings. This is what characterizes the new SAMBA+ Container released by SerNet. SAMBA+ Container is now available for purchase via the SAMBA+ Shop, as a subscription for 1, 2 or even 3 years. 

SAMBA+ integrated in an Ubuntu container allows a quick and easy setup of a file server using the script "csmb". The file server can be used either as a standalone server (users are stored locally) or as a domain member server (as part of an existing domain). We provide more detailed documentation for SAMBA+ containers in our SAMBA+ How-to. 

The established SerNet subscription models with terms of 1, 2 or 3 years also facilitate both extensive testing and long-term planning. Of course, all updates available during the subscription period are included. 

Support from SerNet

SAMBA+ Container can be supplemented with support services by purchasing SAMBA+ support budgets or by signing a support contract. All inquiries regarding Samba, SAMBA+ and the SAMBA+ container, e.g. configuration, installation, planning or operation, are covered by SerNet support. Ask us – e.g. via contact@remove-this.sernet.com – we will be happy to help you. 

The future of SAMBA+ Container

The SerNet Samba team is already working on the further development of SAMBA+ containers. Printing services will soon be added to the Samba file server container, and a container for Active Directory Domain Controllers is also planned for release. Our team will be happy to keep you informed about development progress - just contact us. 

SAMBA+ packages are now available for AlmaLinux. SerNet's Team Samba currently offers SAMBA+ 4.14 and 4.13 for AlmaLinux 8. SAMBA+ 4.12 packages will follow.

A few months ago Red Hat announced that it would deliver CentOS only in the form of CentOS Stream and thus as a rolling release from the end of 2021. AlmaLinux from the provider CloudLinux OS is currently establishing itself as an alternative and is binary-compatible with Red Hat Enterprise Linux 8 (RHEL8) in version 8.3.

With the prompt roll-out of SAMBA+ packages for AlmaLinux, SerNet is responding to initial customer inquiries on this topic. The team always strives to be aware of customer wishes and requirements and to ensure fruitful cooperation. If you would like to contact us directly ­­– about AlmaLinux or other topics ­– please write to contact@remove-this.sernet.com.

For sambaXP 2021 Björn Jacke, longtime member of the international Samba Team and SerNet's AIX expert, has hosted a tutorial. We provide the recording of "Integrate SAMBA+ AIX in an existing AD domain" in our YouTube channel.

SAMBA+ AIX are SerNet’s Samba packages for IBM's AIX Unix operating system. The packages have minimal dependencies on third-party libraries or other external package sources – but come with a lot of advantages and support a lot of features. Please have a look at the basics on our SAMBA+ AIX information page. Also, our team will be happy to help with any questions or to get more in-depth technical details on SAMBA+ AIX. Get in contact with them via mail to contact@remove-this.sernet.com.

SAMBA+ now has its own YouTube channel. To kick things off, we offer two playlists: 

• sambaXP 2020: All presentations of our first digital sambaXP can be watched here. 
• Talks by SerNet colleagues: Numerous talks at various events have been recorded over the years. We have compiled them here. 

Videos of sambaXP 2021 will also be published by the Orga Committee on the new YouTube channel. In addition, more content on Samba and SAMBA+ is being planned. More recordings of past sambaXPs will also find their way to YouTube. Until then, all materials up to the first sambaXP in 2002 are accessible in our archive. 

The Samba team has informed about an issue that applies to Samba used as domain controller only (both as classic/NT4-style and active direcory DC). Please read the following text carefully, which we also publish here:

Samba users have reported that the exploit for "ZeroLogin" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

• server schannel = no
• server schannel = auto

are NOT secure and we expect they can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py only confirm that a ServerAuthenticate3 call operates, but not that the ServerPasswordSet2 call required to exploit the domain also operates.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.

There seem to be some legacy software, which still requires "server schannel = auto". See the following bugs:

• https://bugzilla.samba.org/show_bug.cgi?id=11892
• https://bugzilla.samba.org/show_bug.cgi?id=13464
• https://bugzilla.samba.org/show_bug.cgi?id=13949

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497