Samba settings SNAFU lets any user change admin passwords

Samba admins: get patching and/or updating. Unless you’re content to have your admin passwords overwritten by, well, anyone else using Samba. That’s the gist of an advisory warning that “On a Samba 4 Active Directory domain controller (AD DC) any authenticated user can change other users' passwords over LDAP, including the …

  1. Anonymous Coward
    Anonymous Coward

    SO what I'd like to know...

    Is how long this flaw has been around? That's sometimes crucial information which is often left out, usually because there's no solid way to tell.

    The reason I'm wondering is because we always get stories about "many eyes", but just how well did those eyes spot stuff like this?

    1. gerdesj Silver badge

      Re: SO what I'd like to know...

      "Is how long this flaw has been around?"

      Version 4 of Samba has been around for a while now: https://www.samba.org/samba/history/samba-4.0.0.html. Whilst surveying the view from your horse, you might note flaws have come to light in other systems (hardware and software) that are way older than that.

      I have personally fixed a problem by having access to the source. Per-system connection limits from a Samba box to another system (using CIFS/SMB, i.e. for "drive mappings") were fixed to 256 by a constant in the code. I increased the value and recompiled. Problem fixed. That was with Samba 3 a long time ago but the point remains.

      1. amaccuish

        Re: SO what I'd like to know...

        That's not a valid fix, see: https://wiki.samba.org/index.php/CVE-2018-1057#Setting_a_minimum_password_length at the bottom

  2. Nifty

    Anyone care to list which popular devices/situations use Samba? Didn’t Apple use it at one time?

    1. Anonymous Coward
      Anonymous Coward

      This is specifically Samba4 in AD DC mode (due to its internal LDAP), so probably limited to hobby use rather than enterprise level (you wouldn't be supported on your clients using Samba).

      Apple will have been using it from a client perspective to join or connect to a network, rather than host an AD domain.

      1. Adam 52 Silver badge

        I imagine that there are lots of Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller.

        1. Anonymous Coward
          Anonymous Coward

          "Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller"

          And lots of Windows fans saying this shows it's not

          /FlameWarOn

        2. Anne-Lise Pasch

          "deeply offended at the suggestion that Samba isn't suitable"

          Well, until today.

        3. Hans 1 Silver badge

          @Adam

          True, get my upvote!

          @ShelLuser

          Which part of Samba from 4.0.0 onwards do you not understand? So six years, I suppose. Note that it allows users with an LDAP tool to change certain account passwords.

          As for monitoring the system:

          The important attributes to watch are pwdLastSet and msDS-KeyVersionNumber

          ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

          These values will change if a password is changed or reset.

          As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators should be a concern.

          The pwdLastSet can be printed using the samba.nttime2string function:

          python
          >>> import samba
          >>> print(samba.nttime2string(131653809731794980))
          Tue Mar 13 15:16:13 2018 NZDT

        4. This post has been deleted by its author

        5. Chemical Bob
          Windows

          "I imagine that there are lots of Linux fans deeply offended at the suggestion that Samba isn't suitable for use as an AD domain controller."

          Why would we be offended? It's not like Samba is less suitable than Windows...

      2. Anonymous Coward Silver badge

        Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

        "Won't authenticate" - "it's because of linux".

        "Wrong permissions" - "it's because of linux".

        "My coffee is cold" - "it's because of linux"

        1. Anonymous Coward
          Anonymous Coward

          "Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

          "Won't authenticate" - "it's because of linux".

          "Wrong permissions" - "it's because of linux".

          "My coffee is cold" - "it's because of linux""

          Well, it usually is :p

          1. Hans 1 Silver badge
            Coffee/keyboard

            Using Windows Server as an Active Directory server:

            "Won't authenticate" - you're holding it wrong

            "Wrong permissions" - you're holding it wrong

            "My coffee is cold" - you're holding it wrong

            This is what you get from MS support, however, when you ask simple questions like "How so, am I holding it wrong?" They reply: "One moment, I'll get third line on this case, that guy's a hacker, sure, he knows how to . source!" and then you wait three weeks ... long enough to migrate to samba ... ;-)

        2. Korev Silver badge
          Joke

          "My coffee is cold" - "it's because of linux"

          Well Java on Linux isn't that great...

          1. Rob Moir

            So Java continues to be consistent across multiple platforms then?

          2. SuperFrog
            Megaphone

            Samba settings SNAFU lets any user change admin passwords

            Someone is on the eh, bean, eh?

        3. Anonymous Coward
          Anonymous Coward

          "Using a Samba ADDC in enterprise is fine"

          For values of "fine" where you don't care about support, security or keeping your job.

          ""My coffee is cold" - "it's because of linux""

          Someone just changed all our domain admin account passwords and stole all our data - a GDPR fine is on its way - "it's because of Linux"

          1. amaccuish

            Someone just locked all our files and is demanding a ransom #wannacry

            All software has flaws.

        4. Dr. Mouse Silver badge

          Using a Samba ADDC in enterprise is fine, but you have to conceal that fact. Tell any vendor that your domain controller is running linux and suddenly that's the root cause of every conceivable problem.

          "Won't authenticate" - "it's because of linux".

          "Wrong permissions" - "it's because of linux".

          "My coffee is cold" - "it's because of linux"

          This is the same with "helpdesks" everywhere.

          I once rang a broadband support line because my ADSL was down. They insisted on running through the script, and I made the mistake of telling them I couldn't click the start button because I was running Linux. That was immediately the cause of all the problems, in spite of the fact that there was a flashing light on the router indicating it couldn't sync.

          From that point forward, I just pretended I had followed their instructions, and quickly changed ISPs to Be (who were amazing for techies!).

        5. wallyhall

          > "My coffee is cold" - "it's because of linux"

          Precisely.

          I'm a part-time, voluntary sysadmin for a non-profit organisation, and I've been extremely relaxed about password policies and giving people the freedom to choose their desktop software etc.

          Yet despite trying to make their lives easier at the cost of making life significantly harder as the *system administrator*, only but a few people come at problems with the expectation that it might *not* be "because we're using a network" or "Windows Professional is on a domain, Windows Home never does this" or "That Linux stuff you run it all on".

          Due to budget constraints, we run Samba 4 for AD controllers and fileservers. It's extremely stable, although nowhere near as feature rich as Windows Server. But it works. And it's sufficiently compatible with Microsoft's workstation offering that I can minimise the time and energy I spend enabling people to do their jobs while giving them much of the flexibility they're used to enjoying at home.

          In regards to it being "Enterprise" or not, I can't comment from that context. I consider it an absolutely legitimate production scenario - I apply change control and monitoring to it, and people are prevented from doing their jobs if it's unavailable. Today I had to patch it. We run "Enterprise" Cisco equipment we sourced second-hand off of Ebay, for which we get no support from Cisco, and we run second-hand Dell and HP workstations and server hardware which again - we get no support for.

          But it works. And it's been happily running as a production solution serving multiple users for a very long time.

          On an aside, my University's comp.sci department ran Samba. The rest of the University used Windows Server. I can remember a day during a C++ lab session that various file shares became unavailable and the lecturer called in assistance. Three guys came in, two in jeans and with long hair - the other with a suit and tie. The two hippy-looking jean wearers sat down and opened multiple SSH sessions and started muttering about "distributed filesystem permissions" and "ReiserFS rollout". My lecturer watched on. "What's the issue lads?" he asked. "Oh permission changes rolled out across the Windows fileservers, we didn't get notified in advance so the our Unix mirrors have fallen out of sync." The lecturer then asked, observing the guy in a suit standing behind them (now looking somewhat awkward and out of place): "Who are you then?". "Oh I'm the Windows guy."

          Production system. Big university network. Enterprise grade? Who knows. But they deemed it good enough for the comp.sci department's needs. :-)

    2. LDS Silver badge

      Apple no longer uses SAMBA, AFAIK, because of GPLv3 and its anti-DRM clauses. It has now its own implementation of the SMB protocol.

      Most devices which offer SMB shares under Linux or BSD will use some flavour of SAMBA.

      This looks like an issue, anyway, if you're using a SAMBA server as an Active Directory Domain Controller - which also uses other protocols - including MS' interpretation of LDAP.

      I think many NAS offer it, but usually you have to enable it.

      1. Anonymous Coward
        Anonymous Coward

        "including MS interpretation of LDAP."

        MS LDAP is an entirely RFC4511 standards based implementation.

        1. philnc

          Only because password reset mechanisms aren't governed by the protocol. LDAPv3 is just a transport protocol, it doesn't specify a whole lot of what goes into making a practical directory server. It's only because of the dominance of a major commercial firm (Sun) and an open source project (OpenLDAP) that it sometimes seems more. AD is mostly what we used to call an NOS directory, like Novell's. Its design is optimized for authentication and authorization. But it is more difficult to deploy in the role of a "white pages" directory than the Netscape-Sun line of products due to cumbersome schema extension, attribute access control and indexing mechanisms. The inability to change passwords over LDAP is a minor annoyance (or saving grace) by comparison.

          The SMB protocol itself is pretty inefficient though, all its implementations suffer for it. Its security model has always been a root problem. NFS is better as a transport but has its own security and management issues that make it a challenge to use for desktop file sharing -- not the least of which are prohibitively expensive or complex implementations for Windows.

          If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers, although the devil would, as always, be in the details.

          1. Alistair Silver badge
            Windows

            @philnc

            If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers

            And Simon Tatham would be livid.

          2. Anonymous Coward
            Anonymous Coward

            "Only because"

            So as stated it's standards based to the letter and none of your waffle changes that.

          3. Anonymous Coward
            Anonymous Coward

            "The SMB protocol itself is pretty inefficient though, "

            Well, it's more efficient than say NFS in terms of lower overhead.

            "NFS is better as a transport "

            In what way? SMB is more efficient and outperforms it. Especially on very high bandwidth and low latency links where its RDMA and multipath capabilities don't have anything similar in the NFS world.

            "not the least of which are prohibitively expensive or complex implementations for Windows"

            NFS is free under Windows - just add the feature.

            "If Microsoft were to roll out decent ssh client and server integration "

            Why would they want to deploy such a poorly designed and firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?

            1. Anonymous Coward
              Anonymous Coward

              Well, NFS 4.1 does have multipathing and it can be transported over RDMA.

            2. Anonymous Coward
              Anonymous Coward

              "Why would they want to deploy such a poorly designed and firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?"

              Explain? How is opening port 22/TCP (default) firewall unfriendly?

              What security options would these be?

              1. Anonymous Coward
                Anonymous Coward

                "Explain? How is opening port 22/TCP (default) firewall unfriendly?"

                Because you have absolutely no control over what goes through it. With an SSL connection where you control the certificates used, you can choose to inspect the traffic if you want to.

                "What security options would these be?"

                Kerberos authentication, certificate based authentication, forms based authentication, 2 factor authentication, etc.

                1. Anonymous Coward
                  Anonymous Coward

                  SSH can use PAM.

                  Choose any auth method you like.

                2. Anonymous Coward
                  Anonymous Coward

                  "Because you have absolutely no control over what goes through it. With an SSL connection where you control the certificates used, you can choose to inspect the traffic if you want to."

                  What?? You have exactly the same amount of control.

                  "Kerberos authentication, certificate based authentication, forms based authentication, 2 factor authentication, etc."

                  So are you able to provide something that ssh can't do then?

                  I'm saying this as a Windows administrator, you really do not know what you are talking about.

                  Let's take Microsoft's implementation of smartcard authentication, which is crap, especially when smartcard-only authentication is enabled, leaving your accounts open to pass the hash. You know the 2 factor is only for obtaining the Kerberos ticket and the NTLM(v2) hashes, that is what is used for authentication. When 2 factor only is enabled, the password isn't disabled, it's randomly set, and never changed. So if your hash is obtained, you are screwed. Microsoft's recommendation, which I doubt many do, is to run a script regularly to go through AD to untick and retick the smartcard-only option to change the password to reduce this problem.

            3. Destroy All Monsters Silver badge
              Alert

              Why would they want to deploy such a poorly designed and firewall unfriendly legacy solution when they already have Powershell webaccess which has several advantages and far more security options?

              Freshman point-and-clicker incoming.

              Prepare for production cancer!

          4. stephanh Silver badge

            "If Microsoft were to roll out decent ssh client and server integration for its products that would be a big win for its customers,"

            Windows 10 now contains a built-in ssh server. I learned this because it got in a fight with my openssh install for port 22.

            "although the devil would, as always, be in the details."

            Ah yes.

          5. Anonymous Coward
            Anonymous Coward

            NFS

            Also known as “No F**king Security”. Perhaps it’s better these days...

        2. Hans 1 Silver badge
          Boffin

          MS LDAP is an entirely RFC4511 standards based implementation.

          Agreed, and extended, with nested group search (1.2.840.113556.1.4.1941) ... IBM's approach is better, though. Nested and dynamic groups are common on Tivoli Directory Server; IBM has provided system class attributes ibm-allMembers and ibm-allGroups ...

          Does AD have dynamic groups (defined by an LDAP search)?

          Ouch!

  3. jms222

    No problem here

    No problem here. My customer, with everything absolutely up-to-date as of a few days ago, and they ran Samba 3 until then, uses the same SMB password for all accounts so this flaw would not cause any more of a security problem.

    1. Hans 1 Silver badge
      Joke

      Re: No problem here

      And Windows AD Administrators usually use their company name or product names as passwords ... so easy guess ...

      Seen sooooo many times in the wild, I guess I could remove the joke icon ...

  4. Aodhhan Bronze badge

    YAWN

    People will never collect SAMBA alerts, because there will always be a high number of them.

    Samba is to network services as Flash is to web services. A different solution should have been implemented YEARS ago. You can put brand new siding on a sod house and make it look better, but it's still the same old pig with lipstick. Eventually, something will take advantage of the weak underlying architecture.

  5. elvisimprsntr

    No problem here...

    Don't run SAMBA on my home network.

  6. Brian Miller

    --lock-pwchange too late

    Was I the only one who read --lock-pwchange as --lock-pwnage?


Biting the hand that feeds IT © 1998–2019