The Samba team at SerNet GmbH has reached the first milestone (1/17) in its project funded by Sovereign Tech Agency. This milestone focuses on strengthening the security of the MS-NRPC component and hardening Netlogon communication, addressing critical requirements in upcoming Windows versions. By transitioning domain controller communication and client-controller interactions to Kerberos-based authentication, the Samba team is ensuring enhanced security and interoperability. This work has been made possible through funding secured by SerNet and funds assigned by the Sovereign Tech Agency (STA, formerly known as Sovereign Tech Fund).
The Samba development team has successfully implemented and published the following improvements and optimizations:
- DCE/RPC client improvements, adding support for security context multiplexing
- winbindd optimizations for connecting to domain controllers
- Fix handling of invalid bind packets in the DCE/RPC server
- Implement NetrGetLogonCapabilities QueryLevel 2
- gsskrb5 enhancements: GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG as acceptor
- Implementation of netr_ServerAuthenticateKerberos in client and server: Preparation, Server Support, Client Support
The implemented security enhancements will be available in the public Samba software repositories, ensuring that all users of Samba benefit from the ongoing development work. This milestone represents not only a technical achievement but also a commitment to the open-source community, made possible through SerNet’s efforts in securing funding and providing development leadership.
For further information about the project, have a look at the project overview. The Samba STA project is an initiative to enhance the functionality, security, and scalability of Samba, a critical piece of open-source software for interoperability and identity access management in mixed-OS environments. The project, funded by the STA, focuses on completing 17 milestones over 18 months, covering areas such as modern security protocols, failover functionality, and UNIX extensions. Development results are continuously made publicly available.