Blog

SAMBA+ 4.13.16 has just been released. This is a security release that addresses CVE-2021-43566. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

All versions of the Samba file server prior to 4.15.0 are affected by CVE-2021-20316. Samba versions prior to 4.15.0 cannot be patched.

• CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share.
  https://www.samba.org/samba/security/CVE-2021-43566.html
• CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share.
  https://www.samba.org/samba/security/CVE-2021-20316.html

Please update affected systems as soon as possible. If possible upgrade to SAMBA+ 4.15, otherwise consult the release notes for possible mitigations for CVE-2021-20316.

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

The Samba Team at SerNet published SAMBA+ 4.14.11 and 4.13.15. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:

•   https://www.samba.org/samba/history/samba-4.14.11.html
•   https://www.samba.org/samba/history/samba-4.13.15.html

Please note that the 'username map [script]' workaround, which was required for some setups after the release of 4.14.10 and 4.13.14
(CVE-2020-25717), is not required anymore. Detailed information is included in the CVE-2020-25717 announcement.

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

SAMBA+ 4.15.3 has just been released by SerNet. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are
available now.

These packages address several issues, which are listed in the Samba 4.15.3 release notes.

Please note that the 'username map [script]' workaround, which was required for some setups after the release of 4.15.2 (CVE-2020-25717), is not required since the SAMBA+ 4.15.2-7 releases (deb and rpm packages) anymore. Detailed information is included in the CVE-2020-25717 announcement: 

Additionally the new 4.15.3 packages address the following issues:

•   Bug 12449: Avoid recursion in the windows dns admin gui
•   Bug 14927: sysvolcheck and sysvolreset don't handle deny ACEs

SAMBA+ packages and all later versions are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

Update: Due to the ongoing Corona pandemic, the organising committee has decided to host the sambaXP 2022 again as a virtual event.

The call for papers for the 21st sambaXP has officially started! SerNet will host the annual meeting of the international samba community from May 31st to June 2nd 2022 at Hotel Freizeit In in Göttingen, Germany. Early Bird tickets for the conference are already available. Ticket bookings and more information about the CfP here: sambaxp.org.

Tickets for the conference (June 1 & 2, 2022) are available until February 28, 2022 at the early bird price of 399 Euro. After that, the regular price is 499 Euros. In addition, tutorials are being planned for May 31, about which we will provide information at a later date.  

As it stands now, the plan is for the conference to be held on-site again. The entire SerNet and Samba@SerNet team is looking forward to seeing everyone again in Göttingen. Nevertheless, we are continuously monitoring the situation and will re-decide if necessary depending on current developments.

Recordings from the 2021 Storage Developer Conference (SDC)  are now online, including those from the SerNet Samba Team. Ralph Böhme talked about "The new Samba VFS" and Stefan Metzmacher presented an Status Update on "Samba Multi-Channel/io_uring".

"The new Samba VFS" video by Ralph Böhme is on YouTube: https://youtu.be/D9EZO3gkT9U, also available are the slides.

Abstract: Starting with version 4.14 Samba provides core infrastructure code that allows basing all access to the server's filesystem on file handles and not on paths. An example of this is using fstat() instead of stat(), or SMB_VFS_FSTAT() instead of SMB_VFS_STAT() in Samba parlance. Historically Samba's fileserver code had to deal a lot with processing path based SMB requests. While the SMB protocol itself has been streamlined to be purely handle based starting with SMB2, large parts of infrastructure code remains in place that will "degrade" handle based SMB2 requests to path based filesystem access. In order to fully leverage the handle based nature of the SMB2 protocol we came up with a straight forward way to convert this infrastructure code, so it can be converted to make use of a purely handle based VFS interface. The talk presents what we have achieved so far and what is left to do. It's intended audience is anyone working on the Samba fileserver code and anyone working on Samba VFS modules.

The "Samba Multi-Channel/io_uring Status Update" by Stefan Metzmacher is also on YouTube: https://youtu.be/fnA4imgBsUo, slides are available.

Abstract: Samba had experimental support for multi-channel for quite a while. SMB3 has a few concepts to replay requests safely. We now implement them completely (and in parts better than a Windows Server). The talk will explain how we implemented the missing features. With the increasing amount of network throughput, we'll reach a point where a data copies are too much for a single cpu core to handle. This talk gives an overview about how the io_uring infrastructure of the Linux kernel could be used in order to avoid copying data, as well as spreading the load between cpu cores. A prototype for this exists and shows excellent results.