Blog

SAMBA+ 4.15.2, 4.14.10 and 4.13.14 have just been released by SerNet. These are important security releases; please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issues:

  • CVE-2020-25717: A user in an AD Domain could become root on domain members.
  • CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  • CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  • CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  • CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored. 
  • CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  • CVE-2021-3738: Use after free in Samba AD DC RPC server.
  • CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.

IMPORTANT NOTES:

These releases involve some behaviour changes which might break existing setups. Additional configuration changes might be required.

A new smb.conf parameter "min domain uid" (default 1000) has been added. By default no UNIX uid below this value will be accepted. Please check your ID-Mapping configuration.

The fallback from 'DOMAIN\user' to just 'user' has also been removed, as it is dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).

However, there are setups which are joined to an Active Directory domain just for authentication, while authorization is handled without nss_winbind by mapping the domain account to a local user provided by nss_files, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping the users!

For these setups administrators need to use the 'username map' or 'username map script' option in order to map domain users explicitly to local users, e.g. user = DOMAIN\user

Please consult 'man 5 smb.conf' for further details on 'username map' and 'username map script'. Also note that in the above example '\' refers to the default value of the 'winbind separator' option.
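As an added illustration (not taken from the release notes), here is an smb.conf fragment and a matching username map file for a member server that authenticates against AD but authorizes against local accounts after these releases; the domain EXAMPLE, the idmap ranges and the user names are constructed placeholders:

```ini
# /etc/samba/smb.conf (constructed example; EXAMPLE and the users are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # New in these releases: any UNIX uid below this value is rejected (default 1000).
    # Make sure every idmap range starts at or above it.
    min domain uid = 1000
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # The implicit 'DOMAIN\user' -> 'user' fallback is gone, so local accounts
    # that are authenticated by the domain must be mapped explicitly.
    username map = /etc/samba/user.map

# /etc/samba/user.map
# Format: <local unix user> = <domain user>
# The '\' is the default value of 'winbind separator'.
alice = EXAMPLE\alice
backupop = EXAMPLE\backup-operator
```

Run 'testparm' after editing to confirm the file parses; a domain user that is not listed in the map will no longer be resolved to a same-named local account.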

There is a regression with the "allow trusted domains = no" smb.conf option. It prevents the winbind service from starting. We'll provide a follow up fix as soon as possible.

Additionally the 4.15.2 packages address the following issues:

  • Bug 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call. 
  • Bug 14846: Fix -k legacy option for client tools like smbclient, rpcclient, net, etc. 
  • Bug 14882: smbXsrv_client_global record validation leads to crash if existing record points at non-existing process.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.


ksmbd vs. Samba

"ksmbd" is a new Linux kernel module which implements an SMB server. It is aimed at being a low-overhead, low-footprint, performant fileserver covering many basic use cases, the most apparent one being running on smaller devices with limited resources: OpenWRT, the Linux distribution for embedded devices, adopted ksmbd already 18 months ago while ksmbd was still being developed.

ksmbd hit the public in November 2021 as part of the next Linux kernel version, 5.15. It is not meant to replace the existing Samba fileserver "smbd", but rather to be an extension to it, and it will integrate with Samba in the future. Samba's fileserver smbd is much broader in scope and supports various use cases and features that ksmbd does not:

  • Running as an Active Directory domain member
  • Scale-out clustering
  • Optimization for specific filesystems like GlusterFS or Ceph via dedicated VFS modules
  • Shadow Copy support

While being a mostly feature-complete SMB3 server, lacking only some advanced features like Durable Handles, Directory Leases and Multi-Channel, ksmbd currently can only make use of local users and passwords, which precludes its use in corporate environments where typically Active Directory or similar identity sources are used.

ksmbd claims performance improvements on a wide range of benchmarks: the graphs on this page show a doubling of performance on some tests. There was also the notion that an in-kernel server is likely an easier place to support SMB Direct, which uses RDMA to transfer data between systems.

Clearly, those numbers are impressive, but at the same time recent improvements in Samba's IO performance put this into perspective: by leveraging the new “io_uring” Linux API Samba is able to provide roughly 10x the throughput compared to ksmbd.

Time will tell whether it's better to reside in kernel-space like ksmbd or in user-space like Samba in order to squeeze the last bit of performance out of the available hardware.

How mature is ksmbd? Given that it was primarily developed by a Samsung engineer, it is likely that it is being used in Samsung products today. However, the November release is a .0 release with all the caveats that come with it. Some of the details, including various security issues that were found and fixed quite late in the game, are described in an article over at LWN.

All in all, ksmbd is an impressive piece of work, and in order to facilitate and encourage collaboration, the main ksmbd developer Namjae Jeon has been invited to join the international Samba Team. ksmbd already adds interesting capabilities to the mix, and the SerNet Samba team is looking forward to working with and on ksmbd!


SAMBA+ 4.13.13 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

This release also fixes a security problem related to Kerberos authentication. As usual, we recommend updating to the latest bugfix release of the major version branch that you use.



Technical milestones and improvements for Samba on the horizon

This two-part article focuses on the strengths and advantages that make Samba unique. While part one took a look at some of the organizational, technical, and conceptual issues that are often discussed, this second part discusses technical milestones and improvements on the horizon, highlighting key Samba contributions still being worked on by the SerNet Samba Team members Volker Lendecke, Stefan Metzmacher and Ralph Böhme.

Robust and scalable – Multichannel Support for high performance
Sometimes Samba is criticised for "low concurrent connections / low concurrent opens". Because of its multi-process model, which is more robust than a single-process multi-threaded server model, Samba has higher RAM requirements than some other solutions. This is more relevant for the embedded SOHO router market than for enterprise storage solutions, and to help the former the next Samba version will ship with a rewritten RPC server written by Volker Lendecke, which results in a much smaller memory footprint.

SMB3 Multichannel support in Samba has been available since version 4.15 released in September 2021. The SerNet Samba team can provide stable backports to 4.12, 4.13 and 4.14 as we already have (and use) them in SAMBA+ 4.14 and custom packages.

Improving IO performance
Samba's IO performance is limited by the frequent data buffer copies done in the kernel for servicing Samba user space IO requests, resulting in high CPU usage and a CPU-bound performance limit. This is an architectural limitation deeply rooted in the UNIX design. Two years ago a modern Linux API called “io_uring” was added to Linux that allows user space applications like Samba to achieve zero-copy, zero-syscall IO for the full IO path from disk to network.

Recently, research on Samba performance improvements was sponsored, and a Samba prototype was developed leveraging “io_uring”. We were able to improve IO performance drastically from 4 GBytes/s on a given hardware to 10 GB/s, the line speed of the 100 GBit/s adapter, with a significantly reduced CPU load of only 25%. Further testing using the loopback interface saw the throughput max out at up to 30 GB/s, the bottleneck being the clients used in testing (smbclient), not the server.

For more details see the discussion on the Samba list or the SDC 2021 presentation "Samba Multi-Channel/io_uring Status Update" from Stefan Metzmacher.

It would only take a few weeks of work to integrate the prototype into mainline Samba. Companies interested in this feature, please contact us to possibly join the list of companies sponsoring Samba development!

Samba supports Enterprise features
When it comes to clustering, you will get an "enterprise ready" SMB cluster from Samba. It supports scale-out active/active clustering and has been used for many years along with industry-leading clustered enterprise file systems like GPFS. Samba has plans to support “SMB Transparent Failover” and Ralph Böhme gave a talk at the SNIA SDC in 2018 on Persistent Handles in Samba. Again, companies interested in this feature, please contact us to possibly join the list of companies sponsoring Samba development!

ksmbd
Starting with Linux kernel 5.15, Linux will ship an in-kernel SMB server called “ksmbd”. ksmbd and Samba plan to work closely together in the future, and the main developer of ksmbd has recently also become a member of the international Samba Team. Both projects will work hand in hand to combine ksmbd’s in-kernel SMB engine with Samba's user space daemons and tools. For a brief introduction, see the presentation from sambaXP 2019 (Slides) or the status update from sambaXP 2021 (Slides).

Do you still have questions? Or would you like to talk to us about using Samba / SAMBA+? Then please feel free to contact us.


SAMBA+ 4.15.1 and 4.14.9 have just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

This release also fixes a security problem related to Kerberos authentication. As usual, we recommend updating to the latest bugfix release of the major version branch that you use.


