Blog

SAMBA+ 4.12.7, 4.11.13 and 4.10.18 packages have just been released by SerNet. These are important security releases addressing "ZeroLogon". Please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issue:

• CVE-2020-1472 Unauthenticated domain takeover via netlogon ("ZeroLogon")
  An unauthenticated attacker on the network can gain administrator access by exploiting a netlogon protocol flaw.
  https://www.samba.org/samba/security/CVE-2020-1472.html

The new SAMBA+ 4.12.7 packages do also address the following issue:

• Bug 14399 Server RAM filling up when writing to share from macOS
  https://bugzilla.samba.org/show_bug.cgi?id=14399

The sernet-samba rpm packages are signed with SerNet's gpg build key to guarantee authenticity. If you have installed the sernet-build-key-1.4-8 key package, the verification might fail due to an rpm issue. After installing the new version sernet-build-key-1.4-9, the issue needs to be fixed manually.

If you are affected, please first remove the SerNet Samba keys from the rpm keyring with the following command:
# rpm --allmatches -e gpg-pubkey-f4428b1a
# rpm --allmatches -e gpg-pubkey-1b6d0337

Afterwards use the following command to import the key into the rpm keyring:
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-SerNet-Samba-Team-F4428B1A \
    /etc/pki/rpm-gpg/RPM-GPG-KEY-SerNet-Samba-Team-1B6D0337

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.

The Samba team has informed about an issue that applies to Samba used as domain controller only (both as classic/NT4-style and active direcory DC). Please read the following text carefully, which we also publish here:

Samba users have reported that the exploit for "ZeroLogin" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

• server schannel = no
• server schannel = auto

are NOT secure and we expect they can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py only confirm that a ServerAuthenticate3 call operates, but not that the ServerPasswordSet2 call required to exploit the domain also operates.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.

There seem to be some legacy software, which still requires "server schannel = auto". See the following bugs:

• https://bugzilla.samba.org/show_bug.cgi?id=11892
• https://bugzilla.samba.org/show_bug.cgi?id=13464
• https://bugzilla.samba.org/show_bug.cgi?id=13949

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497

This year's Storage Developer Conference (September 22-23, 2020) will be a virtual event. Volker Ledecke and Stefan Metzmacher have already pre-recorderd talks for the SMB agenda track.

Volker Lendecke will address "Samba locking architecture". Lendecke is SerNet co-founder, developer and long-time Samba Team member. 

Stefan Metzmacher's topic will be "Samba Multi-Channel/io_uring Status Update". He works as developer at SerNet and is a member of the Samba-Team as well. 

Both talks will be available in the "Day 1 Breakout Sessions" starting at 11:20am PDT (20:20 Uhr CEST). Registration for SDC 2020 is still possible.

Christof Schmitt talks about "Lessons learned from using Samba in IBM Spectrum Scale" in this sambaXP 2020 talk. He is a member of the international Samba team since 2013 and works as Software Engineer Spectrum Scale for IBM in Tucson, Arizona (LinkedIn).

Abstract

IBM Spectrum Scale is a software defined storage offering of a clustered file system bundled together with other services. Samba is included as part of the product to provide a clustered SMB file server and integration into Active Directory. This talk discusses from a development point of view the integration of Samba into a storage product and what the development team has learned over the years. Topics include the requirement for automated testing on multiple levels and the collaboration with the upstream Samba project. Examples illustrate problems encountered over time and how they have been solved. Further topics are challenges that have been solved and gaps that have been seen with the usage of Samba.

About the "sambaXP 2020 Retrospective"

In this series we will present recordings of the sambaXP 2020 in the coming weeks. These were selected by SerNet's "Team Samba". The 19th edition of the international conference on the open source software Samba took place from 26 - 28 May 2020 for the first time exclusively in digital form. Due to the changed event format and the use of an online conference platform, organizer SerNet is able to offer all talks as videos for viewing (link).

In this sambaXP 2020 talk Ingo Meents presents use cases and requirements of Enterprise customers for Samba Files Server in IBM Spectrum Scale. Meents is Protocol Tribe Lead at IBM Germany Research & Development GmbH. 

Abstract

IBM has deployed Samba as part of file storage solutions for many years now. The current product of IBM is called Spectrum Scale and it delivers clustered Samba to a world-wide base of Enterprise customers on top of IBM's clustered file system known as gpfs.

The first part of the talk describes selected requirements, use cases and enhancements this mission has been driving over the last years. This includes topics like file contention, access control lists, and Mac support.

The second part of the talk addresses the new challenging requirements with respect to identity mapping like the server side group resolution for NFS clients and the increasing demand to add sssd to the clustered Samba server nodes.

About the "sambaXP 2020 Retrospective"

In this series we will present recordings of the sambaXP 2020 in the coming weeks. These were selected by SerNet's "Team Samba". The 19th edition of the international conference on the open source software Samba took place from 26 - 28 May 2020 for the first time exclusively in digital form. Due to the changed event format and the use of an online conference platform, organizer SerNet is able to offer all talks as videos for viewing (link).