The release of the new version of Samba 4.13, version in which the solution to the vulnerability is added that was detected a few days ago Zerologon (CVE-2020-1472), in addition to the fact that in this new version the Python requirements have already changed to version 3.6 and also other changes.
For those unfamiliar with Samba, you should know that this is a project that continues the development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2000 implementation and capable to serve all versions of Windows clients supported by Microsoft, including Windows 10.
Samba 4, is a multifunctional server product, which also provides the implementation of a file server, print service and authentication server (winbind).
Main new features of Samba 4.13
In this new version of the protocol ZeroLogon vulnerability fix added (CVE-2020-1472), which could allow an attacker to gain administrator rights on a domain controller on systems that do not use the "server schannel = yes" setting (If you want to know more about it, You can check the publication we share about it here on the blog. The link is this)
Another change that was made in this new version of Samba is that the Minimum Python requirements have been raised from Python 3.5 to Python 3.6. While the ability to build a file server with Python 2 is still preserved (before running ./configure 'and' make ', you need to set the environment variable' PYTHON = python2 '), but in the next branch it will be removed and Python 3.6 will be required for compilation.
On the other hand the functionality "Wide links = yes", which allows file server administrators to create symbolic links to an area outside the current SMB / CIFS partition, moved from smbd to a separate "vfs_widelinks" module.
Currently, this module is loaded automatically if there is a "wide links = yes" parameter in the configuration.
Support for "wide links = yes" is planned to be removed in the future due to security concerns, samba users are strongly advised to use "mount –bind" to mount external parts of the filesystem instead of "wide links = yes".
Note that Samba developers recommend changing any installations that currently use "wide links = yes" to use link mounts as soon as possible, as "wide links = yes" is an inherently insecure setting that we would like to remove from Samba. . Moving the feature into a VFS module allows this to be done in a cleaner way in the future.
Support for the domain controller in classic mode has been deprecated. Users of NT4 type ('classic') domain controllers must migrate to Samba Active Directory domain controllers in order to work with modern Windows clients.
The insecure authentication methods that can only be used with SMBv1 are deprecated: "domain logins", "raw NTLMv2 authentication", "client plaintext authentication", "NTLMv2 client authentication", "authentication lanman client "and" spnego client usage ".
Also, support for the "ldap ssl ads" option from smb.conf has been removed. The next version is expected to remove the "server channel" option.
Of the other changes that stand out are the elimination of:
- Ldap ssl ads removed
- smb2 disables lock sequence verification
- smb2 disable oplock break retry
- domain logins
- raw NTLMv2 authentication
- client plaintext authentication
- NTLMv2 auth client
- lanman auth client
- Using the spnego client
- A channel from the server will be removed in version 4.13.0
- The deprecated smb.conf option "ldap ssl ads" has been removed.
- The deprecated "server schannel" smb.conf option most likely removed in final version 4.13.0.
Finally if you want to know more about it about the changes in this new version of Samba, you can know them In the following link.