"The way to modern Kerberos features" is the title of the sambaXP 2020 talk by Stefan Metzmacher. Metzmacher is part of SerNet's Team Samba and also a member of the international Samba Team.

Abstract

  • Using S4U2Self in winbindd
  • The limitations of existing kerberos libraries
  • The challenges of adding new features to kerberos libraries
  • Kerberos testing with plain python

(Slides as PDF)

About the "sambaXP 2020 Retrospective"

In this series we will present recordings from sambaXP 2020 over the coming weeks. The 19th edition of the international conference on the open source software Samba took place from 26 to 28 May 2020, for the first time exclusively in digital form. Because of the changed event format and the use of an online conference platform, organizer SerNet is able to offer all talks as videos for viewing (link).


Michael Adam is in search of "A stage for Samba in the era of the container platform!?" in his sambaXP 2020 talk. Adam is a longtime Samba team member and works as Senior Manager Software Engineering at Red Hat (LinkedIn).

Abstract

In recent times, container application platforms, in particular Kubernetes, have become extremely popular and have, for instance, overtaken the virtual-machine-centric cloud operating system OpenStack in popularity. In contrast to virtual machine environments, which run a variety of operating systems and therefore also have natural use cases for Samba, container platforms usually run only one operating system (kernel), and thus don't offer a very obvious space for Samba, whose main purpose is to act as an agent between different operating systems. Is there still a stage for Samba in container land?

This presentation starts with an introduction to the storage concepts of Kubernetes and the Container Storage Interface standard (CSI), which generalizes these to other container platforms. It will explain the roles of file, block, and object storage in Kubernetes and then show how a distributed software-defined storage system like Ceph or Gluster is brought into Kubernetes, running alongside the consuming applications and managed by so-called "operators", providing storage self-service for the applications.

From here on, the presentation explores some very interesting and possibly surprising opportunities for Samba in this environment. Details are omitted in this abstract in order to keep up the suspense. (Slides as PDF)


Alexander Bokovoy and Florence Blanc-Renaud (both Red Hat) talk about "FreeIPA Global Catalog challenges" in this sambaXP 2020 talk. Bokovoy has been a Samba team member since 2003 and a FreeIPA core developer since 2011; Blanc-Renaud has been an LDAP server technology engineer since 2007 and a FreeIPA core developer since 2016.

Abstract

At sambaXP 2017, Alexander Bokovoy and Florence Blanc-Renaud reported initial progress on making a Global Catalog service available as part of a FreeIPA deployment. Three years later, Global Catalog in FreeIPA is becoming a reality. In this talk they demonstrate a working Global Catalog service and dive into the challenges they faced in mapping FreeIPA to the Active Directory world without being an Active Directory domain controller. FreeIPA's use of Samba services continues to exercise Samba infrastructure from a perspective that is not commonly encountered or well tested. Finally, the semantic differences Bokovoy and Blanc-Renaud encountered across multiple protocols and their implementations in open source and proprietary products represent a good lesson in interoperability efforts. (Slides as PDF)

About the "sambaXP 2020 Retrospective"

In this series we will present recordings from sambaXP 2020 over the coming weeks. These were selected by SerNet's "Team Samba". The 19th edition of the international conference on the open source software Samba took place from 26 to 28 May 2020, for the first time exclusively in digital form. Because of the changed event format and the use of an online conference platform, organizer SerNet is able to offer all talks as videos for viewing (link).


SAMBA+ 4.12.7, 4.11.13 and 4.10.18 packages have just been released by SerNet. These are important security releases addressing "ZeroLogon". Please update affected systems as soon as possible. The packages are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

The packages address the following issue:

The new SAMBA+ 4.12.7 packages do also address the following issue:

The sernet-samba rpm packages are signed with SerNet's GPG build key to guarantee authenticity. If you have installed the sernet-build-key-1.4-8 key package, signature verification might fail due to an rpm issue. After installing the new version sernet-build-key-1.4-9, the issue still needs to be fixed manually.

If you are affected, please first remove the SerNet Samba keys from the rpm keyring with the following commands:
# rpm --allmatches -e gpg-pubkey-f4428b1a
# rpm --allmatches -e gpg-pubkey-1b6d0337

Afterwards, use the following command to import the keys into the rpm keyring again:
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-SerNet-Samba-Team-F4428B1A \
    /etc/pki/rpm-gpg/RPM-GPG-KEY-SerNet-Samba-Team-1B6D0337

SAMBA+ packages are available as software subscription. They can be purchased at the SAMBA+ shop, detailed information and prices are listed at https://shop.samba.plus. The subscriptions are managed at our platform OPOSSO (https://oposso.samba.plus). Users can activate their subscriptions here and manage access credentials. The new SAMBA+ packages are included in existing subscriptions.


The Samba team has published a notice about an issue that applies only to Samba used as a domain controller (both classic/NT4-style and Active Directory DC). Please read the following text carefully, which we also publish here:

Samba users have reported that the exploit for "ZeroLogon" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

  • server schannel = no
  • server schannel = auto

are NOT secure and we expect they can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py only confirm that a ServerAuthenticate3 call operates, but not that the ServerPasswordSet2 call required to exploit the domain also operates.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.

There seems to be some legacy software which still requires "server schannel = auto". See the following bugs:

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497
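The advice above boils down to one smb.conf parameter. The following script is an added example (it is neither SerNet's nor the Samba Team's code) that reads the [global] section of an smb.conf and reports whether 'server schannel' is explicitly set to yes, has been weakened to no or auto, or is not set at all and therefore relies on the build default (yes only since Samba 4.8). The function names server_schannel_value and check_server_schannel, the temporary files, and the sample configurations for the hypothetical domain EXAMPLE.TEST are all constructed for this example; the parsing mirrors Samba's habit of ignoring case and internal whitespace in parameter names and letting the last assignment win.

```shell
#!/bin/sh
# Added example, not SerNet's or the Samba Team's code: report the effective
# "server schannel" setting of an smb.conf [global] section so that a DC
# weakened to "no" or "auto" is noticed before it can be abused.

# Print the normalised value of "server schannel" from [global], or "unset".
server_schannel_value() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }           # trim leading/trailing blanks
        /^[;#]/ { next }                          # whole-line comments
        /^\[/   { in_global = (tolower($0) == "[global]"); next }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)                # "Server  Schannel" == "serverschannel"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "serverschannel") found = tolower(val)  # last one wins
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Classify the setting. Exit status: 0 secure, 1 explicitly weakened,
# 2 unset (safe only if the installed Samba defaults to yes, i.e. 4.8 or later),
# 3 unrecognised value.
check_server_schannel() {
    v=$(server_schannel_value "$1")
    case "$v" in
        yes|true|1)      echo "$1: server schannel = $v (secure)"; return 0 ;;
        no|auto|false|0) echo "$1: server schannel = $v (INSECURE, ZeroLogon exposure)"; return 1 ;;
        unset)           echo "$1: server schannel not set, relies on the build default (yes since 4.8)"; return 2 ;;
        *)               echo "$1: server schannel = $v (unrecognised value)"; return 3 ;;
    esac
}

# Constructed sample configurations (hypothetical domain EXAMPLE.TEST) for a self-test.
WEAK_CONF=$(mktemp) ; FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ; relaxed for a legacy client: exactly what the notice warns against
    Server  Schannel = auto
[netlogon]
    path = /var/lib/samba/sysvol/example.test/scripts
EOF
cat > "$FIXED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    server schannel = yes
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    check_server_schannel "$f" || :
done
```

Run it against a real file with check_server_schannel /etc/samba/smb.conf; a non-zero exit status is the signal to act. Note that it only inspects the configuration file, so it will not see a value supplied through an include or a registry backend.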
