Blog

SerNet announces the launch of SAMBA+ 4.20.0. This is the latest stable release series of Samba for Enterprise Linux. It is available immediately for a variety of platforms including SUSE, Red Hat, Debian GNU/Linux, Ubuntu, and AIX. This release introduces multiple enhancements for up-to-date enterprise environments.

Standing out is the new Service Witness Protocol [MS-SWN], developed by Stefan Metzmacher from SerNet. This enhances the stability and monitoring capabilities within clustered environments. This protocol is essential for enterprises using high-availability solutions, allowing clients to monitor their SMB connections more effectively across cluster nodes. This development ensures that SAMBA+ remains at the forefront of networked system resilience, providing scalable solutions for large-scale deployments.

Additionally, the release of SAMBA+ 4.20 transitions previous series into different support phases: Samba 4.19 enters maintenance mode, Samba 4.18 shifts to security fixes only, and updates for Samba 4.17 will be discontinued. Users are encouraged to upgrade to the latest version to take advantage of the new features and improved security protocols.

For existing SAMBA+ subscribers, the new release is included in your current subscription. New customers can obtain SAMBA+ through a software subscription available at our online shops (USD Pricing: US SAMBA+ Shop, EUR Pricing: World SAMBA+ Shop). All details about subscription options and pricing are listed there.

As enterprises increasingly rely on robust, secure, and scalable solutions, SAMBA+ 4.20.0 represents a step forward. We invite all users to read the detailed release notes to ensure a smooth transition and to leverage the full capabilities of this release.

Please make sure to test thoroughly before upgrading. For further assistance, upgrade paths, and deployment strategies, please consult our SAMBA+ HowTo collection or contact our support team directly through our website.


The Samba team at SerNet released new SAMBA+ 4.19.6 packages. They are available for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX.

These packages address several issues, which are listed in the release notes:

https://www.samba.org/samba/history/samba-4.19.6.html

SAMBA+ packages are offered as software subscriptions. Subscriptions are available for purchase in our SAMBA+ shop, with detailed information and pricing listed in both USD and EUR.

Existing subscribers will receive the SAMBA+ 4.19.6 packages as part of their current subscription.

Get in Touch! For further information, to request a quote, or if you have any questions regarding SAMBA+ 4.19.6, please do not hesitate to contact us. Our team is dedicated to supporting you and ensuring you make the most out of SAMBA+.


SAMBA+ 4.19.3-5 and SAMBA+ 4.18.9-9 have just been released by SerNet's Samba team. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

Please see the release history here:

The fix for CVE-2018-14628, which is now part of the upstream 4.19.3 and 4.18.9 releases, was already included in SAMBA+ 4.19.2 and SAMBA+ 4.18.8. For completeness, we describe once more how to apply the actual fix to the AD database. If you already did that along with the previous SAMBA+ update, you do not have to repeat the following steps.

Action required in order to resolve CVE-2018-14628

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. A typical question looks like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' 

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.
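
An added example (not SerNet's or Samba's code) to support the review step above: it parses a saved dbcheck transcript and reports, per object, which ACEs the reset would drop or add and whether the DN falls under the 'CN=Deleted Objects' rule. The transcript is constructed from the sample above plus an invented CN=Users prompt; `parse_prompts` and the dictionary keys are names chosen here.

```python
import re

# Constructed sample: the first prompt is the one shown above; the second
# (CN=Users) is invented here to show an object outside the 'y' rule.
TRANSCRIPT = """\
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
Reset nTSecurityDescriptor on CN=Users,DC=samba,DC=org back to provision default?
        Part dacl is different between reference and current here is the detail:
                (A;;RPWP;;;AU) ACE is not present in the reference
"""

PROMPT = re.compile(r"^Reset nTSecurityDescriptor on (?P<dn>.+) back to provision default\?$")
ACE = re.compile(r"^\s*(?P<ace>\(.+\)) ACE is not present in the (?P<side>reference|current)$")

def parse_prompts(text):
    """Return one dict per dbcheck prompt with its DN and ACE differences."""
    prompts = []
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            dn = m.group("dn")
            prompts.append({
                "dn": dn,
                # The page's rule: confirm objects starting with 'CN=Deleted Objects'.
                "deleted_objects": dn.startswith("CN=Deleted Objects"),
                "removed_by_fix": [],  # in current only: the reset drops these
                "added_by_fix": [],    # in reference only: the reset adds these
            })
            continue
        m = ACE.match(line.rstrip())
        if m and prompts:
            key = "removed_by_fix" if m.group("side") == "reference" else "added_by_fix"
            prompts[-1][key].append(m.group("ace"))
    return prompts

if __name__ == "__main__":
    for p in parse_prompts(TRANSCRIPT):
        action = "confirm with y" if p["deleted_objects"] else "review separately"
        print(f"{p['dn']}: {action}; -{len(p['removed_by_fix'])} +{len(p['added_by_fix'])} ACEs")
```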


SAMBA+ 4.17.11 has just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now.

These packages address several issues, which are listed in the release notes:
https://www.samba.org/samba/history/samba-4.17.11.html

The process for accessing the SAMBA+ software packages has changed. Please consult our SAMBA+ HowTo to learn more.


SAMBA+ 4.18.5, 4.17.10 and 4.16.11 have just been released. Packages for various SUSE and Red Hat platforms as well as for Debian GNU/Linux, Ubuntu and AIX are available now. Please note: These are security updates; packages should be deployed as soon as possible.

These packages address several security-related issues:

  • CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it.
  • CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.
  • CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger a process crash in a shared RPC mdssvc worker process. 
  • CVE-2023-34968: As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files and directories in search results.
