back to article Samba settings SNAFU lets any user change admin passwords

Samba admins: get patching and/or updating. Unless you’re content to have your admin passwords overwritten by, well, anyone else using Samba. That’s the gist of an advisory warning that “On a Samba 4 Active Directory domain controller (AD DC) any authenticated user can change other users' passwords over LDAP, including the …

Silver badge

SO what I'd like to know...

Is how long this flaw has been around? That's sometimes crucial information which is often left out, usually because there's no solid way to tell.

The reason I'm wondering is because we always get stories about "many eyes", but just how well did those eyes spot stuff like this?

11
5
Silver badge

Re: SO what I'd like to know...

"Is how long this flaw has been around?"

Version 4 of Samba has been around for a while now: https://www.samba.org/samba/history/samba-4.0.0.html. Whilst surveying the view from your horse, you might note flaws have come to light in other systems (hardware and software) that are way older than that.

I have personally fixed a problem by having access to the source. Per system connection limits from a Samba box to another system (using CIFS/SMB ie for "drive mappings") were fixed to 256 by a constant in the code. I increased the value and re compiled. Problem fixed. That was with Samba 3 a long time ago but the point remains.

7
6

Re: SO what I'd like to know...

That's not a valid fix, see: https://wiki.samba.org/index.php/CVE-2018-1057#Setting_a_minimum_password_length at the bottom

2
1

Anyone care to list which popular devices/situations use Samba? Didn’t Apple use it at one time?

0
2
Anonymous Coward

This is specifically Samba4 in AD DC mode (due to it's internal LDAP), so probably limited to hobby use rather than enterprise level (you wouldn't be supported on your clients using Samba).

Apple will have been using it from a client perspective to join or connect to a network, rather than host an AD domain.

3
7
Silver badge

I imagine that there are lots of Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller.

11
3
Anonymous Coward

"Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller"

And lots of Windows fans saying this shows it's not

/FlameWarOn

7
3
Silver badge

Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

"Won't authenticate" - "it's because of linux".

"Wrong permissions" - "it's because of linux".

"My coffee is cold" - "it's because of linux"

30
2

"deeply offended at the suggestion that Samba isn't suitable"

Well, until today.

3
0
Silver badge

@Adam

True, get my upvote!

@ShelLuser

Which part of Samba from 4.0.0 onwards do you not understand ? So six years, I suppose. Note that it allows users with an LDAP tool to change certain account passwords.

As for monitoring the system:

The important attributes to watch are pwdLastSet and msDS-KeyVersionNumber

ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

These values will change if a password is changed or reset.

As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators should be a concern.

The pwdLastSet can be printed using the samba.nttime2string function:

python

>>> import samba

>>> print(samba.nttime2string(131653809731794980))

Tue Mar 13 15:16:13 2018 NZDT

1
5
LDS
Silver badge

Apple no longer uses SAMBA, AFAIK, because of GPLv3 and its anti-DRM clauses. It has now its own implementation of the SMB protocol.

Most devices which offer SMB shares under Linux or BSD will use some flavour of SAMBA.

This looks an issue, anyway, if you're using a SAMBA server as an Active Directory Domain Controller - which uses also other protocols - including MS interpretation of LDAP.

I think many NAS offer it, but usually you have to enable it.

2
0
Anonymous Coward

"Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

"Won't authenticate" - "it's because of linux".

"Wrong permissions" - "it's because of linux".

"My coffee is cold" - "it's because of linux""

Well, it usually is :p

6
8
Silver badge
Joke

"My coffee is cold" - "it's because of linux"

Well Java on Linux isn't that great...

9
4
Anonymous Coward

"Using a Samba ADDC in enterprise is fine"

For values of "fine" where you don't care about support, security or keeping your job.

""My coffee is cold" - "it's because of linux""

Someone just changed all our domain admin account passwords and stole all our data - a GDPR fine is on it's way - "it's because of Linux"

4
6

So Java continues to be consistent across multiple platforms then?

13
1

Someone just locked all our files and is demanding a ransom #wannacry

All software has flaws.

5
0
Anonymous Coward

"including MS interpretation of LDAP."

MS LDAP is an entirely RFC4511 standards based implementation.

2
4

Only because password reset mechanisms aren't governed by the protocol. LDAPv3 is just a transport protocol, it doesn't specify a whole lot of what goes into making a practical directory server. It's only because of the dominance of a major commercial firm (Sun) and an open source project (OpenLDAP) that it sometimes seems more. AD is mostly what we used to call an NOS directory, like Novell's. Its design is optimized for authentication and authorization. But it is more difficult to deploy in the role of a "white pages" directory than the Netscape-Sun line of products due to cumbersome schema extension, attribute access control and indexing mechanisms. The inability to change passwords over LDAP is a minor annoyance (or saving grace) by comparison.

The SMB protocol itself is pretty inefficient though, all its implementations suffer for it. Its security model has always been a root problem. NFS is better as a transport but has it's own security and management issues that make it a challenge to use for desktop file sharing -- not the least of which are prohibitively expensive or complex implementations for Windows.

If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers, although the devil would, as always, be in the details.

1
1
Silver badge

Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

"Won't authenticate" - "it's because of linux".

"Wrong permissions" - "it's because of linux".

"My coffee is cold" - "it's because of linux"

This is the same with "helpdesks" everywhere.

I once rang a broadband support line because my ADSL was down. They insisted on running through the script, and I made the mistake of telling them I couldn't click the start button because I was running Linux. That was immediately the cause of all the problems, in spite of the fact that there was a flashing light on the router indicating it couldn't sync.

From that point forward, I just pretended I had followed their instructions, and quickly changed ISPs to Be (who were amazing for techies!).

2
0
Silver badge
Coffee/keyboard

Using Windows Server as an Active Directory server:

"Won't authenticate" - you're holding it wrong

"Wrong permissions" - you're holding it wrong

"My coffee is cold" - you're holding it wrong

This is what you get from MS support, however, when you ask simple questions like "How so, am I holding it wrong?" They reply: "One moment, I'll get third line on this case, that guy's a hacker, sure, he knows how to . source!" and then you wait three weeks ... long enough to migrate to samba ... ;-)

3
3
Silver badge
Boffin

MS LDAP is an entirely RFC4511 standards based implementation.

Agreed, and extended, with nested group search (1.2.840.113556.1.4.1941) ... IBM's approach is better, though. Nested and dynamic groups are common on Tivoli Directory Server; IBM has provided system class attributes ibm-allMembers and ibm-allGroups ...

Does AD have dynamic groups (defined by an LDAP search) ?

Ouch!

1
0

This post has been deleted by its author

Megaphone

Samba settings SNAFU lets any user change admin passwords

Someone is on the eh, bean, eh?

0
0
Silver badge
Windows

@philnc

If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers

And Simon Tatham would be livid.

1
0
Anonymous Coward

"Only because"

So as stated it's standards based to the letter and none of your waffle changes that.

0
0
Anonymous Coward

"The SMB protocol itself is pretty inefficient though, "

Well its more efficient than say NFS in terms of lower overhead.

"NFS is better as a transport "

In what way? SMB is more efficient and outperforms it. Especially on very high bandwidth and low latency links wherr its RDMA and multipath capabilities dont have amything similar in the NFS world.

"not the least of which are prohibitively expensive or complex implementations for Windows"

NFS is free under Windows - just add the feature.

"If Microsoft were to roll out decent ssh client and server integration "

Why would they want to deploy such a poorly designed amd firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?

2
3
Silver badge

"If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers,"

Windows 10 now contains a build-in ssh server. I learned this because it got in a fight with my openssh install for port 22.

"although the devil would, as always, be in the details."

Ah yes.

2
0
Anonymous Coward

Well, NFS 4.1 does have multipathing and it can be transported over RDMA.

1
1
Anonymous Coward

"Why would they want to deploy such a poorly designed amd firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?"

Explain? how is opening port 22TCP (default) firewall unfriendly?

What security options would these be?

1
1
Bronze badge
Windows

"I imagine that there are lots of Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller."

Why would we be offended? It's not like Samba is less suitable than Windows...

0
0
Silver badge
Alert

Why would they want to deploy such a poorly designed amd firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?

Freshman point-and-clicker incoming.

Prepare for production cancer!

1
0
Anonymous Coward

"Explain? how is opening port 22TCP (default) firewall unfriendly?"

Because you have absolutely no control over what goes through it. With an SSL connection where you control the certificates used, you can choose to inspect the traffic if you want to.

"What security options would these be?"

Kerberos authentication, certificate based authentication, forms based authentication, 2 factor authentication, etc.

0
1

> "My coffee is cold" - "it's because of linux"

Precisely.

I'm a part-time, voluntary sysadmin for a non-profit organisation, and I've been extremely relaxed about password policies and giving people the freedom to choose their desktop software etc.

Yet despite trying to make their lives easier at the cost of making life significantly harder as the *system administrator*, only but a few people come at problems with the expectation that it might *not* be "because we're using a network" or "Windows Professional is on a domain, Windows Home never does this" or "That Linux stuff you run it all on".

Due to budget constraints, we run Samba 4 for AD controllers and fileservers. It's extremely stable, although nowhere near as feature rich as Windows Server. But it works. And it's sufficiently compatible with Microsoft's workstation offering that I can minimise the time and energy I spend enabling people to do their jobs while giving them much of the flexibility they're used to enjoying at home.

In regards to it being "Enterprise" or not, I can't comment from that context. I consider it an absolutely legitimate production scenario - I apply change control and monitoring to it, and people are prevented from doing their jobs if it's unavailable. Today I had to patch it. We run "Enterprise" Cisco equipment we sourced second-hand off of Ebay, for which we get no support from Cisco, and we run second-hand Dell and HP workstations and server hardware which again - we get no support for.

But it works. And it's been happily running as a production solution serving multiple users for a very long time.

On an aside, my University's comp.sci department ran Samba. The rest of the University used Windows Server. I can remember a day during a C++ lab session that various file shares became unavailable and the lecturer called in assistance. Three guys came in, two in jeans and with long hair - the other with a suit and tie. The two hippy-looking jean wearers sat down and opened multiple SSH sessions and started muttering about "distributed filesystem permissions" and "ReiserFS rollout". My lecturer watched on. "What's the issue lads?" he asked. "Oh permission changes rolled out across the Windows fileservers, we didn't get notified in advance so the our Unix mirrors have fallen out of sync." The lecturer then asked, observing the guy in a suit standing behind them (now looking somewhat awkward and out of place): "Who are you then?". "Oh I'm the Windows guy."

Production system. Big university network. Enterprise grade? Who knows. But they deemed it good enough for the comp.sci department's needs. :-)

1
0
Anonymous Coward

SSH can use PAM.

Choose any auth method you like.

0
0
Anonymous Coward

NFS

Also known as “No F**king Security”. Perhaps it’s better these days...

0
0
Anonymous Coward

"Because you have absolutely no control over what goes through it. With an SSL connection where you control the certificates used, you can choose to inspect the traffic if you want to."

What?? you have exactly the same amount of control.

"Kerberos authentication, certificate based authentication, forms based authentication, 2 factor authentication, etc."

So are you able to provide something that ssh cant do then?

I'm saying this as a windows administrator, you really do not know what you are talking about.

Lets take Microsofts implementation of smartcard authentication, which is crap, especially when smartcard only authentication is enabled, leaving your accounts open to using pass the hash. You know the 2 factor is only for obtaining the kerberos ticket and the NTLM(v2) hashes, that is what is used for authentication. When 2 factor only is enabled, the password isnt disabled, its randomly set, and never changed. So if your hash is obtained, you are screwed. Microsofts recommendation, which i doubt many do, is to run a script regularly to go through AD to untick and retick the smartcard only option to change the password to reduce this problem.

0
0
Bronze badge

No problem here

No problem here. My customer, with everything absolutely up-to-date as of a few days ago, and they ran Samba 3 until then, uses the same SMB password for all accounts so this flaw would not cause any more of a security problem.

4
0
Silver badge
Joke

Re: No problem here

And Windows AD Administrators usually use their company name or product names as passwords ... so easy guess ...

Seen sooooo many times in the wild, I guess I could remove the joke icon ...

3
2
Bronze badge

YAWN

People will never collect SAMBA alerts, because there will always be a high number of them.

Samba is to network services as Flash is to web services. A different solution should have been implemented YEARS ago. You can put brand new siding on a sod house and make it look better, but it's still the same old pig with lipstick. Eventually, something will take advantage of the weak underlying architecture.

2
3

No problem here...

Don't run SAMBA on my home network.

0
0
Silver badge

--lock-pwchange too late

Was I the only one who read --lock-pwchange as --lock-pwnage?

2
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018