Updating Samba for better AD & Kerberos Integration

[Tarny]

I’m looking for information about updating the installed Samba version on a 10.3.8 server. Can it be done? Can it be done easily? What things are likely to break if I try to build the latest version of Samba (currently 3.0.11) to replace the 3.0.5 that ships with Mac OS X Server?

I have given this one shot at downloading the latest Samba tar and attempting to compile. I was on a 10.3.8 client rather than server and I received some errors that wouldn’t let the build complete. At this point, I just wanted to get my feet wet with the whole configure/make process, I didn’t really want an updated Samba on the client, so I’m not even going to try to troubleshoot that. But, I’m installing a clean Mac OS X Server for this update experiment.

Most of the articles I’ve found on the web are out of date, like this one: http://www.opendarwin.org/en/articles/osx_smb/ar01s03.html#serv-getsamba

Any fresh information would be greatly appreciated.

Tarny

[Anonymous]

The current version of samba included in Mac OS X is also a security hole:

CVE : CAN-2004-0930, CAN-2004-0882

[Tarny]

I tried to get SSO working in an AD integrated network. There were 4 Windows servers, 2 Win2K servers that are both domain controllers (and both are KDCs), there is 1 xServe with an Xserve RAID. The other 2 Windows servers are Windows 2003, but are supposedly not involved directly in anything yet.

The full story is too long to recount here, but the short version is that we got the AD integration part working, so that AD logins on Mac OS X clients worked but the AFP home directories on the Mac OS X Server wouldn’t mount.

We finally resorted to calling Apple support. After having the configuration double checked by Apple (it was in line with the popular articles here on AFP548 and with Michael Bartosh’s articles) the Apple tech suggested that there was a known problem with SSO in Samba 3.0.5. However, he wasn’t SURE and was going to consult with Apple Engineering. Unfortunatly, my customer didn’t get any call back within a couple of days, so he gave up on the subject. Apple tech never called back since the incident was closed.

With the customer, we are working around the problem simply by setting up a non-integrated OD server for now.

I’m experimenting to see if there really is a problem with Samba 3.0.5 that later versions would fix.

Tarny

[Anonymous]

Samba 3.0.5 has a number of security holes, back to Some Microsoft Bull****

That said, I haven’t figured out how to replace the version of Samba in Mac OS X. Here’s the references:

The remote Samba server, according to its version number, may be vulnerable
to a remote Denial Of Service vulnerability and a remote buffer overflow.
The Wild Card DoS vulnerability may allow an attacker to make the remote
server consume excessive CPU cycles.
The QFILEPATHINFO Remote buffer overflow vulnerability may allow an attacker
to execute code on the server.

An attacker needs a valid account or enough credentials to exploit those
flaws.

Solution : upgrade to Samba 3.0.8
See also : http://us4.samba.org/samba/security/CAN-2004-0882.html
See also : http://us4.samba.org/samba/security/CAN-2004-0930.html
Risk factor : High
CVE : CAN-2004-0930, CAN-2004-0882
BID : 11624, 11678
Nessus ID : 15705

The remote Samba server, according to its version number, may be vulnerable to
a remote buffer overrun resulting from an integer overflow vulnerability.

To exploit this flaw, an attacker would need to send to the remote host
a malformed packet containing hundreds of thousands of ACLs, which would
in turn cause an integer overflow resulting in a small pointer being allocated.

An attacker needs a valid account or enough credentials to exploit this
flaw.

Solution : Upgrade to Samba 3.0.10 when available
Risk factor : High
CVE : CAN-2004-1154
BID : 11973
Nessus ID : 15985

The following shares can be accessed using a NULL session :

– IPC$ – (readable?, writeable?)

Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the ‘sharing’ tab, and click on ‘permissions’
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Vulnerability netbios-ssn (139/tcp)

The remote Samba server, according to its version number, may be vulnerable
to a remote file access vulnerability.

This vulnerability allows an attacker to access arbitrary files which exist
outside of the shares’s defined path.

An attacker needs a valid account to exploit this flaw.

Solution : Upgrade to Samba 2.2.11 or 3.0.7
Risk factor : High
CVE : CAN-2004-0815
BID : 11281
Nessus ID : 15394

[Author]

Posts