1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
samba (2:4.6.5+dfsg-5) unstable; urgency=medium
The samba service has been removed. Use the individual services instead:
* nmbd
* smbd
* samba-ad-dc
-- Mathieu Parent <sathieu@debian.org> Tue, 18 Jul 2017 22:52:05 +0200
samba (2:4.4.1+dfsg-1) experimental; urgency=medium
This Samba security addresses both Denial of Service and Man in
the Middle vulnerabilities.
Both of these changes implement new smb.conf options and a number
of stricter behaviours to prevent Man in the Middle attacks on our
network services, as a client and as a server.
Between these changes, compatibility with a large number of older
software versions has been lost in the default configuration.
See the release notes in WHATNEW.txt for more information.
Here are some additional hints how to work around the new stricter default behaviors:
* As an AD DC server, only Windows 2000 and Samba 3.6 and above as
a domain member are supported out of the box. Other smb file
servers as domain members are also fine out of the box.
* As an AD DC server, with default setting of "ldap server require
strong auth", LDAP clients connecting over ldaps:// or START_TLS
will be allowed to perform simple LDAP bind only.
The preferred configuration for LDAP clients is to use SASL
GSSAPI directly over ldap:// without using ldaps:// or
START_TLS.
To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
NTLMSSP) sign/seal protection must be used by the client and
server should be configured with "ldap server require strong
auth = allow_sasl_over_tls".
Consult OpenLDAP documentation how to set sign/seal protection
in ldap.conf.
For SSSD client configured with "id_provider = ad" or
"id_provider = ldap" with "auth_provider = krb5", see
sssd-ldap(5) manual for details on TLS session handling.
* As a File Server, compatibility with the Linux Kernel cifs
client depends on which configuration options are selected, please
use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
* As a file or printer client and as a domain member, out of the
box compatibility with Samba less than 4.0 and other SMB/CIFS
servers, depends on support for SMB signing or SMB2 on the
server, which is often disabled or absent. You may need to
adjust the "client ipc signing" to "no" in these cases.
* In case of an upgrade from versions before 4.2.0, you might run
into problems as a domain member. The out of the box compatibility
with Samba 3.x domain controllers requires NETLOGON features only
available in Samba 3.2 and above.
However, all of these can be worked around by setting smb.conf
options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
wiki for details, workarounds and suggested security-improving
changes to these and other software packages.
Suggested further improvements after patching:
It is recommended that administrators set these additional options,
if compatible with their network environment:
server signing = mandatory
ntlm auth = no
Without "server signing = mandatory", Man in the Middle attacks
are still possible against our file server and
classic/NT4-like/Samba3 Domain controller. (It is now enforced on
Samba's AD DC.) Note that this has heavy impact on the file server
performance, so you need to decide between performance and
security. These Man in the Middle attacks for smb file servers are
well known for decades.
Without "ntlm auth = no", there may still be clients not using
NTLMv2, and these observed passwords may be brute-forced easily using
cloud-computing resources or rainbow tables.
-- Andrew Bartlett <abartlet+debian@catalyst.net.nz> Tue, 12 Apr 2016 16:18:57 +1200
samba (2:4.0.10+dfsg-3) unstable; urgency=low
The SWAT package is no longer available.
Upstream support for SWAT (Samba Web Administration Tool) was removed in
samba 4.1.0. As a result, swat is no longer shipped in the Debian Samba
packages. Unfortunately, there is currently no replacement.
Details why SWAT has been removed upstream can be found on the
samba-technical mailing list:
https://lists.samba.org/archive/samba-technical/2013-February/090572.html
-- Ivo De Decker <ivo.dedecker@ugent.be> Tue, 22 Oct 2013 07:52:54 +0200
samba (2:3.4.0-1) unstable; urgency=low
Default passdb backend changed in samba 3.4.0 and above
Beginning with samba 3.4.0, the default setting for "passdb
backend" changed from "smbpasswd" to "tdbsam".
If your smb.conf file does not have an explicit mention of
"passdb backend" when upgrading from pre-3.4.0 versions of
samba, it is likely that users will no longer be able to
authenticate.
As a consequence of all this, if you're upgrading from lenny
and have no setting of "passdb backend" in smb.conf, you MUST
add "passdb backend = smbpasswd" in order to keep your samba
server's behaviour.
As Debian packages of samba explicitly set "passdb backend = tdbsam"
by default since etch, very few users should need to modify their
settings.
-- Christian Perrier <bubulle@debian.org> Tue, 07 Jul 2009 20:42:19 +0200
samba (3.0.27a-2) unstable; urgency=low
Weak authentication methods are disabled by default
Beginning with this version, plaintext authentication is disabled for
clients and lanman authentication is disabled for both clients and
servers. Lanman authentication is not needed for Windows
NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
95/98/ME clients (or servers) you may need to set lanman auth (or client
lanman auth) to yes in your smb.conf.
The "lanman auth = no" setting will also cause lanman password hashes to
be deleted from smbpasswd and prevent new ones from being written, so
that these can't be subjected to brute-force password attacks. This
means that re-enabling lanman auth after it has been disabled is more
difficult; it is therefore advisable that you re-enable the option as
soon as possible if you think you will need to support Win9x clients.
Client support for plaintext passwords is not needed for recent Windows
servers, and in fact this behavior change makes the Samba client behave
in a manner consistent with all Windows clients later than Windows 98.
However, if you need to connect to a Samba server that does not have
encrypted password support enabled, or to another server that does not
support NTLM authentication, you will need to set
"client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
-- Steve Langasek <vorlon@debian.org> Sat, 24 Nov 2007 00:23:37 -0800
samba (3.0.26a-2) unstable; urgency=low
Default printing system has changed from BSD to CUPS
Previous versions of this package were configured to use BSD lpr as the
default printing system. With this version of Samba, the default has
been changed to CUPS for consistency with the current default printer
handling in the rest of the system.
If you wish to continue using the BSD printing interface from Samba, you
will need to set "printing = bsd" manually in /etc/samba/smb.conf. If
you wish to use CUPS printing but have previously set any of the
"print command", "lpq command", or "lprm command" options in smb.conf,
you will want to remove these settings from your config. Otherwise, if
you have the cupsys package installed, Samba should begin to use it
automatically with no action on your part.
-- Steve Langasek <vorlon@debian.org> Wed, 14 Nov 2007 17:19:36 -0800
|
