Blog

Volker Lendecke, long-standing Samba core team member and SerNet co-founder, presents "SMB for Linux with SMB3 POSIX extensions" at FOSDEM 2024 in Brussels. He will discuss the advancements in the SMB3 protocol and its impact on Linux network file sharing. The session is scheduled for Saturday, February 3rd, in room K.3.201 at 4:05 p.m. (CET). An option to join in remotely will be available. 

This talk will delve into how SMB3 POSIX extensions make SMB an alternative to NFS with all semantics that Linux clients expect. Lendecke will offer insights into both current functionalities and future developments. 

FOSDEM 2024 is a key event in the open source community, renowned for bringing together developers and enthusiasts from around the world. This free event, organized by volunteers, focuses on the promotion and use of free and open source software, making it an essential platform for learning, sharing, and networking within the open source ecosystem. 

The 23rd sambaXP will take place on April 17 and 18, 2024. This year, the conference will be held remotely via Zoom. The international Samba team and other users and vendors will meet here to discuss the latest developments and innovations in the world of SAMBA. Organizer SerNet is looking forward to an exciting conference and an insightful exchange with developers, users and vendors.

Call for Papers
The call for papers has already started. The organizing committee welcomes proposals for presentations on various SAMBA topics, such as development, deployment, security, performance optimization and integration with other technologies. Submit your presentation now at https://sambaxp.org!

Workshops on April 16, 2024
Traditionally, there will also be several workshops this year. The topics will be announced in January 2024. Like the conference, the workshops will take place remotely via Zoom.

Tickets
Participation in the conference is free of charge. Only registration at https://sambaxp.org is required.

Curious about which presentations were on the agenda at the last sambaXP? Then take a look at the YouTube playlist of sambaXP 2023.

"Backup of Windows AD and how to migrate it to Samba" was presented by Björn Jacke and Volker Lendecke on December 7, 2023 in the auditorium of the Jacob-und-Wilhelm-Grimm-Zentrum at Humboldt-Universität zu Berlin. The two long-standing members of the Samba team at SerNet and the Samba Core Team contributed the talk to the Adminstammtisch Berlin event series.

The – German only – talk offers the opportunity to benefit from extensive knowledge of migrating and securing Windows Active Directory to Samba: Most Active Directory installations are Windows-based. Samba allows such an AD installation to be backed up using Unix means and the backup then made to run with a Samba DC. This can be useful not only for backups but also for a Windows to Samba migration, which Jacke and Lendecke demonstrated. A recording is available.

They also gave valuable insights into Samba and the SAMBA+ software packages offered by SerNet for various Linux distributions and IBM AIX. The Adminstammtisch Berlin is organized by and for IT professionals who are committed to sharing knowledge and experience and discussing current IT topics.

SAMBA+ 4.19.3-5 and SAMBA+ 4.18.9-9 have just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

Please see the release history here:

• https://www.samba.org/samba/history/samba-4.19.3.html
• https://www.samba.org/samba/history/samba-4.18.9.html

The fix for CVE-2018-14628, which is now part of the upstream 4.19.3 and 4.18.9 releases was already fixed in SAMBA+ 4.19.2 and SAMBA+ 4.18.8. For completeness we describe once more how to apply the actual fix for the AD database. If you did that already along with the previous SAMBA+ update, then you don't have to do the following steps again.

Action required in order to resolve CVE-2018-14628

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typicall question look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' 

The change should be confirmed with 'y' for all objects starting with

'CN=Deleted Objects'.

SAMBA+ 4.19.2-4 has just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

https://www.samba.org/samba/history/samba-4.19.2.html

In addition to the fixed from the release notes above SAMBA+ contains also 2 additional notable fixes:

A fix for Kerboros User2User TGS-REQ, which may prevent users to retrieve tickets for themselves in certain conditions: https://bugzilla.samba.org/show_bug.cgi?id=15492

Even more important is the second additional change, which fixes the permission of the deleted objects container (CVE-2018-14628). It is however required to run a command to fix the permission, because the ACLs on the container will not be changed automatically. What you will have to do to fix the permission is this:

==================================================
Action required in order to resolve CVE-2018-14628
==================================================

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typicall question look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

The next updates of the 4.17 and 4.18 SAMBA+ packages will also address CVE-2018-14628.

SAMBA+ packages are available as software subscriptions and can be purchased in the SAMBA+ shop. Detailed information and prices can be found at https://usdshop.samba.plus (currency: USD) or https://shop.samba.plus (currency: EUR). The new SAMBA+ packages are included in the existing subscriptions. If you have any further questions or would like to request a quote, please feel free to contact us.

SerNet Samba Team