vincent at cojot.name
2020-Sep-18 17:38 UTC
[Samba] Samba 4.12.7, 4.11.13 and 4.10.18 rpms for RHEL7.
Hi everyone,

I've posted RHEL7 RPMS/SRPMS here:

https://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.18/
https://nova.polymtl.ca/~coyote/dist/samba/samba-4.11.13/
https://nova.polymtl.ca/~coyote/dist/samba/samba-4.12.7/

It's still uploading at the moment so it might be a couple of hours before these show up in full.

Regards,

Vincent S. Cojot

On Fri, 18 Sep 2020, Karolin Seeger via samba wrote:

> Release Announcements
> ---------------------
>
> These are security releases in order to address the following defect:
>
> o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
>
> The following applies to Samba used as domain controller only (most
> seriously the Active Directory DC, but also the classic/NT4-style DC).
>
> Installations running Samba as a file server only are not directly
> affected by this flaw, though they may need configuration changes to
> continue to talk to domain controllers (see "file servers and domain
> members" below).
>
> The netlogon protocol contains a flaw that allows an authentication
> bypass. This was reported and patched by Microsoft as CVE-2020-1472.
> Since the bug is a protocol level flaw, and Samba implements the
> protocol, Samba is also vulnerable.
>
> However, since version 4.8 (released in March 2018), the default
> behaviour of Samba has been to insist on a secure netlogon channel,
> which is a sufficient fix against the known exploits. This default is
> equivalent to having 'server schannel = yes' in the smb.conf.
>
> Therefore versions 4.8 and above are not vulnerable unless they have
> the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
>
> Samba versions 4.7 and below are vulnerable unless they have 'server
> schannel = yes' in the smb.conf.
>
> Note each domain controller needs the correct settings in its smb.conf.
>
> Vendors supporting Samba 4.7 and below are advised to patch their
> installations and packages to add this line to the [global] section of
> their smb.conf file.
>
> The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
> 'FullSecureChannelProtection=1' registry key, the introduction of
> which we understand forms the core of Microsoft's fix.
>
> Some domains employ third-party software that will not work with a
> 'server schannel = yes'. For these cases patches are available that
> allow specific machines to use insecure netlogon. For example, the
> following smb.conf:
>
>     server schannel = yes
>     server require schannel:triceratops$ = no
>     server require schannel:greywacke$ = no
>
> will allow only "triceratops$" and "greywacke$" to avoid schannel.
>
> More details can be found here:
> https://www.samba.org/samba/security/CVE-2020-1472.html
>
>
> Changes:
> --------
>
> o Jeremy Allison <jra at samba.org>
>   * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
>     netr_ServerPasswordSet2 against unencrypted passwords.
>
> o Günther Deschner <gd at samba.org>
>   * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
>     "server require schannel:WORKSTATION$ = no" about insecure configurations.
>
> o Gary Lockyer <gary at catalyst.net.nz>
>   * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
>     client challenge.
>
> o Stefan Metzmacher <metze at samba.org>
>   * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
>     challenges in netlogon_creds_server_init()
>     "server require schannel:WORKSTATION$ = no".
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> =====================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> =====================================================================
>
>
> ===============
> Download Details
> ===============
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.12.7.html
> https://www.samba.org/samba/history/samba-4.11.13.html
> https://www.samba.org/samba/history/samba-4.10.18.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
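A small checker that applies the rules from the quoted announcement to a domain controller's smb.conf: which `server schannel` value is set, whether that leaves the DC exposed for the given Samba version, and which machines have been granted a `server require schannel:...$ = no` opt-out. This is an added example, not Samba's own tooling; the sample configurations and the version tuples are constructed, and the machine names are the ones used in the announcement.

```python
"""Audit an smb.conf [global] section for the ZeroLogon settings named in the
Samba announcement above (added example, not Samba's own tooling). Assumes the
usual layout: [section] headers, 'key = value' lines, '#'/';' comment lines."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PARAM_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")

def parse_global(text):
    """Map normalised parameter name -> lowercased value for [global] only.
    Samba ignores case and blanks in names; the machine name after ':' is kept."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = SECTION_RE.match(line)
        par = PARAM_RE.match(line)
        if sec:
            section = sec.group("name").strip().lower()
        elif par and section == "global":
            head, sep, tail = par.group("key").partition(":")
            key = re.sub(r"\s+", "", head).lower() + sep + tail.strip()
            params[key] = par.group("value").strip().lower()
    return params

def assess(text, version):
    """Apply the announcement's rules for a DC on Samba `version` (major, minor).
    An unset 'server schannel' means the default: secure from 4.8 on, not before."""
    g = parse_global(text)
    setting = g.get("serverschannel")
    vulnerable = (setting in ("no", "auto") if version >= (4, 8)
                  else setting != "yes")
    # Per-machine opt-outs are legitimate, but each one is a host left unprotected.
    exceptions = sorted(k.split(":", 1)[1] for k, v in g.items()
                        if k.startswith("serverrequireschannel:") and v == "no")
    return {"server schannel": setting, "vulnerable": vulnerable,
            "insecure exceptions": exceptions}

# Constructed sample configurations, modelled on the announcement's example.
FIXED_CONF = """[global]
    server schannel = yes
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no
"""
WEAK_CONF = """[global]
    ; left over from a third-party appliance that could not use schannel
    server schannel = auto
"""
```

Run `assess(open("/etc/samba/smb.conf").read(), (4, 12))` on each DC; the announcement notes that every domain controller needs the correct setting in its own smb.conf.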
Hi everyone,

The server which had been hosting my rpms went down a couple of weeks ago and I just managed to get a replacement.

The Samba AD/DC rpms for RHEL (RHEL7 at the moment but I'll start work on RHEL8 over the xmas break) can now be found at:

http://vince.cojot.name/dist/samba/

Sorry about the inconvenience.

Best Regards,

Vincent S. Cojot