Samba 4.17.0 Arrives With Security Improvements, SMB1-less Compilation, and More

Samba is the standard set of Windows interoperability programs for Linux and Unix.

Samba is a multifunctional server product that provides implementations of a file server, print service, and identity server (winbind).

The release of Samba 4.17.0 was recently announced. It continues the development of the Samba 4 branch with a full implementation of a domain controller and Active Directory service that is compatible with the Windows 2008 implementation and can serve all versions of Windows clients supported by Microsoft, including Windows 11.

This new Samba release includes various changes and fixes integrated from previous corrective versions of the 4.16.x branch. Its most notable new features are optimization improvements, some changes in the compilation process, and more.

Main new features of Samba 4.17.0

In this new version of Samba 4.17.0, work has been done to remove performance regressions on loaded SMB servers that appeared as a result of adding protection against vulnerabilities that manipulate symbolic links. The optimizations include reducing system calls when checking the directory name and not using trigger events when processing competing operations that cause delays.

Another change that stands out is the ability to compile Samba without SMB1 protocol support in smbd. To disable SMB1, the "--without-smb1-server" option is implemented in the configure build script (it only affects smbd; SMB1 support is preserved in the client libraries).

Besides that, the 'nt hash store = never' setting has been implemented, which prohibits storing the password hashes of Active Directory users. In a future release, the 'nt hash store' setting will default to 'auto', which will use 'never' mode if the 'ntlm auth = disabled' setting is present.

In the CTDB component, which is responsible for the operation of cluster configurations, the requirements for the syntax of the ctdb.tunables file have been reduced. When Samba is compiled with the "--with-cluster-support" and "--systemd-install-services" options, the systemd service for CTDB is installed. The ctdbd_wrapper script has been discontinued: the ctdbd process is now started directly from a systemd service or from a startup script.

Of the other changes that are integrated in this new version of Samba:

  • A binding is provided to access the smbconf library API from Python code.
  • Using MIT Kerberos 1.20, protection against the "Bronze Bit" attack (CVE-2020-17049) was implemented by passing additional information between the KDC and KDB components. The default KDC based on Heimdal Kerberos was fixed in 2021.
  • The 'add-principal' and 'del-principal' subcommands have been added to the samba-tool delegation command to manage RBCD (resource-based constrained delegation).
  • The default Heimdal Kerberos-based KDC does not yet support RBCD mode.
  • The built-in DNS service provides the ability to change the network port that receives requests (for example, to run another DNS server on the same system that redirects certain requests to Samba).
  • The smbstatus program now has the ability to display information in JSON format (enabled with the "--json" option).
  • The domain controller implements support for the Protected Users security group, introduced in Windows Server 2012 R2, which does not allow the use of weak encryption types (for users in the group, support for NTLM authentication, RC4-based Kerberos TGTs, and constrained and unconstrained delegation is disabled).
  • Removed support for LanMan-based password storage and authentication (the "lanman auth = yes" setting is now irrelevant).
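The 'nt hash store', 'ntlm auth' and LanMan changes described above can be checked against an existing smb.conf. The following Python script is an added example, not code from this article or from the Samba project. The sample configuration is constructed; the 'server min protocol' parameter and the current 'always' default for 'nt hash store' are not stated on this page and are assumptions taken from the smb.conf documentation. Backslash line continuations are not handled.

```python
# Added example: audit the [global] section of smb.conf for settings
# affected by the Samba 4.17 changes discussed in this article.
SAMPLE_SMB_CONF = """\
# constructed sample configuration, not taken from a real server
[Global]
    workgroup = EXAMPLE
    NTLM Auth = disabled
    server min protocol = NT1
    lanman auth = yes
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def _norm(name):
    # smb.conf ignores case and whitespace inside parameter names
    return "".join(name.split()).lower()

def global_params(text):
    """Return {normalized name: lowercased value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip().lower()
    return params

def effective_nt_hash_store(params):
    # Assumption: an unset parameter means "always" (the 4.17 default).
    mode = params.get("nthashstore", "always")
    if mode == "auto":
        return "never" if params.get("ntlmauth") == "disabled" else "always"
    return mode

def audit(text):
    p, findings = global_params(text), []
    if p.get("ntlmauth") == "disabled" and effective_nt_hash_store(p) != "never":
        findings.append("NTLM is disabled but NT hashes are still stored; "
                        "set 'nt hash store = never'")
    if "lanmanauth" in p:
        findings.append("'lanman auth' has no effect: LanMan support was removed")
    if p.get("serverminprotocol") in SMB1_DIALECTS:
        findings.append("'server min protocol' still allows SMB1 dialects")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```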

Finally, if you are interested in learning more about it, you can consult the details in the following link.

Download and get Samba 4.17.0

For those who are interested in installing this new version of Samba or updating a previous version to it: Samba is included in the Ubuntu repositories, but the packages are not updated when a new version is released, so in this case we recommend compiling the new version from its source code.

The source code can be obtained from the following link.

