The release of the new version of Samba 4.13 has been announced, a version that adds the fix for the Zerologon vulnerability (CVE-2020-1472), which was discovered a few days ago. In addition, this new version raises the Python requirement to version 3.6 and brings other changes.
For those unfamiliar with Samba, you should know that this is a project that continues the development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2000 implementation and able to serve all versions of Windows clients supported by Microsoft, including Windows 10.
Samba 4 is a multifunctional server product that also provides an implementation of a file server, a print service and an authentication server (winbind).
Main new features of Samba 4.13
In this new version, a fix for the ZeroLogon vulnerability (CVE-2020-1472) has been added. The vulnerability could allow an attacker to obtain administrator rights on the domain controller on systems that do not use the "server schannel = yes" setting (if you want to know more about it, you can check the post we shared about it here on the blog).
Another change made in this new version of Samba is that the minimum Python requirement has been raised from Python 3.5 to Python 3.6. The ability to build the file server with Python 2 is still retained (before running './configure' and 'make', you need to set the environment variable 'PYTHON=python2'), but in the next branch it will be removed and Python 3.6 will be required for the build.
On the other hand, the "wide links = yes" functionality, which allows file server administrators to create symbolic links to an area outside the current SMB/CIFS share, has been moved out of smbd into a separate "vfs_widelinks" module.
Currently, this module is loaded automatically if the "wide links = yes" parameter is present in the configuration.
Support for "wide links = yes" is planned to be removed in the future due to security concerns, and Samba users are strongly advised to use "mount --bind" to mount external parts of the file system instead of "wide links = yes".
Note that the Samba developers recommend changing any current installation that uses "wide links = yes" to use bind mounts as soon as possible, because "wide links = yes" is an inherently insecure setting that they would like to remove from Samba. Moving the feature into a VFS module allows this to be done cleanly in the future.
Support for the classic-mode domain controller has been deprecated. Users of the NT4-like ('classic') domain controller must migrate to Samba Active Directory domain controllers in order to work with modern Windows clients.
Insecure authentication methods that can only be used with SMBv1 have been deprecated: "domain logons", "raw NTLMv2 auth", "client plaintext auth", "client NTLMv2 auth", "client lanman auth" and "client use spnego".
Also, support for the "ldap ssl ads" option in smb.conf has been removed. The next version is expected to remove the "server schannel" option.
Among the other notable changes is the removal of:
- ldap ssl ads, removed
- smb2 disable lock sequence checking
- smb2 disable oplock break retry
- domain logons
- raw NTLMv2 auth
- client plaintext auth
- client NTLMv2 auth
- client lanman auth
- client use spnego
- server schannel will be removed in version 4.13.0
- The deprecated smb.conf option "ldap ssl ads" has been removed.
- The deprecated smb.conf option "server schannel" may be removed in the final 4.13.0 release.
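As an added example (not code from the Samba project or from this post), the following script audits smb.conf text for the settings discussed above: a "server schannel" value other than yes, "wide links = yes", and the options this release deprecates or removes. The sample configuration and the function names are constructed for illustration.

```python
import re

# smb.conf settings named on this page (Samba 4.13 release notes).
DEPRECATED = ["domain logons", "raw NTLMv2 auth", "client plaintext auth",
              "client NTLMv2 auth", "client lanman auth", "client use spnego"]
REMOVED = ["ldap ssl ads"]
TRUE = {"yes", "true", "1"}  # boolean spellings smb.conf accepts

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
[global]
    Server Schannel = auto
    client lanman auth = no
    ldap ssl ads = yes
[public]
    path = /srv/public
    wide links = Yes
"""

def norm(name):
    return re.sub(r"\s+", "", name).lower()  # names ignore case and whitespace

def parse(text):
    sections, current = {}, "global"
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and line[0] not in "#;":       # skip comment lines
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[norm(key)] = value.strip()
    return sections

def audit(text):
    """Return (section, parameter, reason) for each setting the page warns about."""
    findings = []
    for section, params in parse(text).items():
        # Assumption: an absent "server schannel" is left to the version default.
        schannel = params.get(norm("server schannel"), "yes").lower()
        if section == "global" and schannel not in TRUE:
            findings.append((section, "server schannel", "not 'yes': CVE-2020-1472"))
        if params.get(norm("wide links"), "no").lower() in TRUE:
            findings.append((section, "wide links", "insecure: use mount --bind"))
        for name in DEPRECATED + REMOVED:
            if norm(name) in params:
                state = "removed" if name in REMOVED else "deprecated"
                findings.append((section, name, state + " in Samba 4.13"))
    return findings

for finding in audit(SAMPLE):
    print("[%s] %s: %s" % finding)
```

A deprecated option is reported whenever it appears, whatever its value, since its presence alone means the configuration has to change before the option is dropped.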
Finally, if you want to know more about the changes in this new version of Samba, you can find them at the following link.