Developers: The Samba Team
Date of the premiere of the system: 1992
Last Release Date: 2023/09/04
Samba is a widely used software package that allows you to access network drives and printers on various operating systems using the SMB/CIFS protocol. Samba has both client and server components.
2023: Samba 4.19.0
On September 4, 2023, it became known that after six months of development the release of Samba 4.19.0 had been presented. It continues the development of the Samba 4 branch with a full-fledged implementation of a domain controller and Active Directory service, compatible with the Windows 2008 implementation and capable of serving all versions of Windows clients supported by Microsoft, including Windows 11. Samba 4 is a multifunctional server product that also provides a file server, a print service and an authentication server (winbind).
As reported, key changes to Samba 4.19 affected the following:
- The smbget utility now uses the command-line option parser shared with other Samba utilities (previously smbget had a parser of its own). The shared parser allowed additional features to be implemented in smbget, such as authentication through Kerberos, but at the cost of dropping support for the smbgetrc file and breaking backward compatibility of its options.
- The gpupdate command declared the libgpo.get_gpo_list function obsolete; it is replaced by an implementation written in Python, which can be imported with "import samba.gp". To connect to Active Directory, the new implementation uses the SamDB module instead of ADS.
- The logging capabilities of winbind enabled by 'winbind debug traceid = yes' in smb.conf have been expanded. Support was added for the fields 'traceid', which marks log records belonging to the same request, and 'depth', which records the nesting level of the request. To simplify log analysis, the samba-log-parser utility is included.
- The Active Directory database was prepared to use the functional level of Active Directory Domain Services 2016 (Functional Level 2016) and the storage scheme 2019 (AD Schema 2019) in AD domains.
- An initial, partial implementation of the Active Directory functional levels 2012, 2012R2 and 2016 is proposed (previously Samba supported the 2008R2 level by default). Samba can pass Active Directory Authentication Policy claims into the PAC (Privilege Attribute Certificate) for domain servers that support such operations, and takes the configuration of Authentication Policies and Authentication Silos into account. At the same time, Samba can so far only read and write claims and transfer them into the PAC; it cannot yet use them when making access-control decisions. The functional level is changed through the "ad dc functional level" setting in smb.conf.
- The KDC (Key Distribution Center) audit tooling has been improved: most failures and all issued Kerberos tickets can now be recorded in a JSON-format log, including tickets that violate an authentication policy that is not yet enforced.
- For Windows clients, when the Active Directory 2012, 2012_R2 or 2016 functional level is enabled, support for the Kerberos FAST (Armoring) extension is implemented to organize a secure tunnel between the workstation and KDC in the domain controller (for example, to protect passwords from interception).
- The Active Directory PAC gains support for compressing centralized access policy (claims) attributes using the same compression algorithm as Microsoft Windows.
- Active Directory PAC adds support for Resource SID compression, which reduces the size of the identifier to 4 bytes per group.
- Heimdal Kerberos domain controller configurations add support for Resource Based Constrained Delegation (RBCD). For configurations based on MIT Kerberos, RBCD support appeared in Samba 4.17.
- The samba-tool utility provides support for displaying, adding and modifying Authentication Silos (silos) and Active Directory Authentication Claims (claims), as well as support for displaying sites and subnets of Active Directory.
- The code implementing built-in cryptographic functions has been removed. A build now requires GnuTLS at least version 3.6.13 (for systems without the getrandom() function, at least GnuTLS 3.7.2 is required).
- The Heimdal Kerberos code used in Samba (lorikeet-heimdal branch) has been updated to the master repository of the main Heimdal project.
- Added a PKINIT (smart card login) test suite.
- Heimdal KDC has added the ability to revoke smart card certificates used for PKINIT authentication.
- Changing the unicodePwd and userPassword attributes on a domain controller is now only allowed when using an encrypted connection.
- Added the "smbcontrol ldap_server reload-certs" command to reload the TLS certificates used by the Active Directory Domain Controller without restarting Samba components.[1]
2022: Samba 4.17.0 with the ability to build without support for the SMB1 protocol in smbd
The release of Samba 4.17.0 was presented, continuing the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2008 implementation and capable of serving all versions of Windows clients supported by Microsoft, including Windows 11. This became known on September 14, 2022. Samba 4 is a multifunctional server product that also provides a file server, a print service and an authentication server (winbind).
Work was carried out to eliminate performance regressions on loaded SMB servers that appeared after protection against symbolic-link manipulation vulnerabilities was added. Among the optimizations are fewer system calls when checking directory names and avoiding wakeup events when processing concurrent operations, which had caused delays.
It is now possible to build Samba without SMB1 protocol support in smbd. To disable SMB1, the configure build script implements the "--without-smb1-server" option (it affects only smbd; SMB1 support is retained in the client libraries).
When using MIT Kerberos 1.20, the ability to counter the Bronze Bit attack (CVE-2020-17049) is implemented, thanks to the transfer of additional information between the KDC and KDB components. In the default Heimdal Kerberos-based KDC, the problem was fixed in 2021.
When built with MIT Kerberos 1.20, the Samba-based domain controller implements support for the Kerberos S4U2Self and S4U2Proxy extensions and adds Resource Based Constrained Delegation (RBCD). To manage RBCD, the 'add-principal' and 'del-principal' sub-commands have been added to the "samba-tool delegation" command. In the default Heimdal Kerberos-based KDC, RBCD mode is not yet supported.
The built-in DNS service provides the ability to change the network port that receives requests (for example, to run another DNS server on the same system that redirects certain requests to Samba).
The CTDB component responsible for cluster configurations has relaxed the syntax requirements for the ctdb.tunables file. When building Samba with the --with-cluster-support and --systemd-install-services options, the systemd service for CTDB is installed. The ctdbd_wrapper script is no longer shipped; the ctdbd process is now launched directly from the systemd service or from the init script.
The 'nt hash store = never' setting is implemented, which prohibits storing unsalted NT hashes of Active Directory users' passwords. In the next version, the 'nt hash store' default will be set to "auto", in which the "never" mode is applied if the 'ntlm auth = disabled' setting is present.
A binding is proposed for accessing the API of the smbconf library from Python code.
The smbstatus program can now display information in JSON format (enabled by the --json option). The domain controller supports the Protected Users security group, which appeared in Windows Server 2012 R2 and does not allow weak encryption types (for users in the group, NTLM authentication, RC4-based Kerberos TGTs, and constrained and unconstrained delegation are disabled).
Support for the LanMan password hash store and LanMan-based authentication has been discontinued (the "lanman auth = yes" setting no longer has any effect).[2]
2017: Vulnerability
A serious vulnerability has been identified in the open-source Samba software suite, similar to the one that led to the massive WannaCry malware epidemic on computers running Windows. Experts fear a repeat of the situation on machines running Linux and Unix. Computer systems around the world are at risk, including in Russia.
The vulnerability in the server code, which received the index CVE-2017-7494,[3] allows arbitrary code to be run remotely if the attacker is able to write data to any directory shared by the server. For a successful attack it was enough to upload a specially crafted shared library into such a directory; the server then loaded and executed it, along with any malicious code the library contained.
The vulnerability is present in all versions from 3.5.0 to the latest version (by May 27, 2017) - 4.6.4. Given that version 3.5.0 was released in 2010, the vulnerability went unnoticed for seven years.[4]
Samba developers have released the necessary patches and notified all users of the need to install them urgently. For versions 4.6.4, 4.5.10 and 4.4.14, security updates have been released, while older versions will have to be patched manually. Fixes are available at this link.[5]
Security expert HD Moore, creator of the Metasploit Project, said that exploiting the vulnerability is extremely simple: one line of code is enough: simple.create_pipe("/path/to/target.so [6]
Thus, even very novice hackers with minimal training can exploit this vulnerability. The corresponding module has already been added to Metasploit.
Rapid7 notes that as of the end of May 2017 there are more than 104 thousand devices on the Internet with vulnerable versions of Samba installed that are open to external connections on port 445. Almost 90% of them run versions of Samba for which there is currently no direct patch, according to Rapid7's publication.[7]
Rapid7 experts are afraid of a repeat of the WannaCry story: Samba allows Unix and Linux systems to share directories just as Windows does. The WannaCry ransomware worm attacked Windows systems, but it was easy to identify and there is a clear procedure for eliminating the consequences. A vulnerability in Samba, on the other hand, affects Unix and Linux systems, and eliminating the consequences of a possible attack can face serious technical difficulties. These are likely to appear where there are no update-management tools for the attacked devices or where users cannot install patches at the operating-system level at all. As a result, we fear that such systems could become entry points into corporate networks.
A large number of networked storage devices, both personal and corporate, use Samba, and their users may not be aware of this. Linux distribution developers have already released the necessary patches. NAS developers are in no hurry to do this.
Accordingly, there is a threat that it will not be possible to completely fix the problem, even if system administrators heed the call of the developers and quickly install updates.
In any case, you should at least try to install the fixes or, if this is not possible, edit the smb.conf file by adding nt pipe support = no in the [global] section and then restart the Samba daemon, smbd. This prevents attackers from exploiting the vulnerability, but it may also negatively affect the availability of files and directories on the share for Windows clients. Port 445 should also be closed to external access.
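As an added example (not from the original article or the Samba project), the following script checks a host against the two facts stated above: whether its Samba version falls in the affected range (it assumes that 4.6.4, 4.5.10 and 4.4.14 are the fixed releases of their branches, that anything newer is fixed, and that older branches need a manual patch) and whether the smb.conf workaround 'nt pipe support = no' is present in [global]. The smb.conf samples are constructed; the parser only handles the inline [global] section and ignores include directives.

```python
import re

FIRST_AFFECTED = (3, 5, 0)
# Fixed releases per branch, as listed in the advisory summarised above (assumption: nothing newer is affected).
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

def parse_version(text):
    """Turn a version string such as '4.5.9' or '4.6.4-Ubuntu' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Samba version: %r" % text)
    return tuple(int(x) for x in m.groups())

def version_status(text):
    """Return 'unaffected', 'fixed', 'update-available' (a fixed release exists) or 'manual-patch'."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "unaffected"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "fixed" if v[:2] > (4, 6) else "manual-patch"
    return "fixed" if v >= fixed else "update-available"

def global_section(smb_conf):
    """Return {normalised key: value} for the [global] section of an smb.conf text.
    Samba ignores case and whitespace in parameter names, so 'nt pipe support' == 'NtPipeSupport'."""
    opts, current = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return opts

def workaround_present(smb_conf):
    """True when the [global] section disables named-pipe support (the documented mitigation)."""
    return global_section(smb_conf).get("ntpipesupport") in ("no", "false", "0")

def assess(version, smb_conf):
    """'ok' (not affected or fixed), 'mitigated' (workaround active) or 'exposed'."""
    if version_status(version) in ("unaffected", "fixed"):
        return "ok"
    return "mitigated" if workaround_present(smb_conf) else "exposed"

# Constructed sample configurations for a demonstration run.
CONF_MITIGATED = "[global]\n  workgroup = WORKGROUP\n  # workaround for CVE-2017-7494\n  NT Pipe Support = No\n[share]\n  path = /srv/share\n"
CONF_EXPOSED = "[global]\n  workgroup = WORKGROUP\n[share]\n  path = /srv/share\n  nt pipe support = no\n"
```

Note that in CONF_EXPOSED the setting sits under a share section rather than [global], which is why the check reports it as exposed.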
Devices whose firmware cannot be updated are, in principle, one of the main problems of today's World Wide Web, especially given their large number, says Georgy Lagoda, technical director of the Security Monitor company. "Even out of the context of the recent ransomware epidemics, non-updatable devices create ideal points for organizing attacks on corporate networks and individual users, and these attacks can continue and go unnoticed for as long as the attacker likes. The faster such devices fall into disuse, the better. It is worth noting that the average duration of an APT attack on medium and large enterprises can be up to one and a half years, while in most cases the attacked organizations do not notice the malware downloaded onto their network. The main vector of such attacks is precisely vulnerabilities like the one described above."
Notes
- ↑ Release 4.19.0, https://www.opennet.ru/opennews/art.shtml?num=59714
- ↑ Samba Release 4.17.0
- ↑ CVE-2017-7494: Remote code execution from a writable share, https://www.samba.org/samba/security/CVE-2017-7494.html
- ↑ It's not just Windows anymore: Samba has a major SMB bug
- ↑ http://samba.org/samba/patches/
- ↑ [1]
- ↑ Patching CVE-2017-7494 in Samba: It's the Circle of Life