Samba update for FreeNAS 9.3.x

Status
Not open for further replies.

gearhead

Contributor
Joined
Mar 6, 2013
Messages
137
Any plans to include Samba 4.1.20 in 9.3.x? It only contains bug fixes so it should be fairly safe.
How about Samba 4.2.x or 4.3.x?
 

noobnas

Dabbler
Joined
Aug 18, 2014
Messages
20
That is correct. Samba is basically frozen in 9.3
How about getting 4.4 in Freenas 10? 4.4 is scheduled for release on March 8th, and is supposed to include multi channel support for SMB.

That is a huge feature for me and I'm sure a lot of other people here.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
How about getting 4.4 in Freenas 10? 4.4 is scheduled for release on March 8th, and is supposed to include multi channel support for SMB.

That is a huge feature for me and I'm sure a lot of other people here.

My experience is that you never really want to run Samba 4.x.0 or 4.x.1 in production. :D Jumping samba versions isn't something to be taken lightly.
 

Mr_N

Patron
Joined
Aug 31, 2013
Messages
289
I'm not sure if this is the right place to post this but I'm unsure of how to make a bug report or if that would even be appropriate for this situation that I was made aware of last month...

Are the FreeNAS devs aware of http://badlock.org/, a critical issue due to be disclosed on the 12/April/2016 with patches for Samba 4.4, Samba 4.3 and Samba 4.2?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'm not sure if this is the right place to post this but I'm unsure of how to make a bug report or if that would even be appropriate for this situation that I was made aware of last month...

Are the FreeNAS devs aware of http://badlock.org/, a critical issue due to be disclosed on the 12/4/2016 with patches for Samba 4.4, Samba 4.3 and Samba 4.2?
Oh boy. Thanks for posting that. For those of us living in the USA, that's April 12, not December 4.

On the other hand I'm disappointed that the bug doesn't have a theme song, ponies, or lasers.

@dlavigne, sounds like freenas will get to have some patch Tuesday fun. :D
 

ashes00

Dabbler
Joined
Jun 19, 2015
Messages
12
It is April 12th, and I have not seen any updates for 9.3 or 9.10. Are both of these versions expected to be patched for the Badlock vulnerability? Thanks

Ash,
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It is April 12th, and I have not seen any updates for 9.3 or 9.10. Are both of these versions expected to be patched for the Badlock vulnerability? Thanks

Ash,
Considering that the samba patch from the samba team is not scheduled to be released until 5:00 PM UTC it would be pretty hard for the FreeNAS project to have already released an update.

That said, MS is not releasing an out-of-band patch for the vulnerability, which indicates that the implications of the vulnerability (despite having a theme and a website) are not earth-shattering.
 

ashes00

Dabbler
Joined
Jun 19, 2015
Messages
12
While I can see your point for smaller issues. Typically with security vulnerabilities as large as these, there are coordinated releases/ planned with the individual security groups of the OS/Software distribution or company. Just curious if 9.3 was on the road map for the security fix. Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
While I can see your point for smaller issues. Typically with security vulnerabilities as large as these, there are coordinated releases/ planned with the individual security groups of the OS/Software distribution or company. Just curious if 9.3 was on the road map for the security fix. Thanks!
It does not appear there is any coordination of patch release outside of sernet/samba and microsoft. My guess is that ixsystems will be releasing a patch as soon as they are able (and probably won't have a head start on it). So I wouldn't hold my breath for something to be pushed out at 1700 UTC.
 

jkh

Guest
While I can see your point for smaller issues. Typically with security vulnerabilities as large as these, there are coordinated releases/ planned with the individual security groups of the OS/Software distribution or company. Just curious if 9.3 was on the road map for the security fix. Thanks!
We have heard nothing from the Samba team or from Microsoft. Everyone is playing this very close to the vest and we will coordinate the appropriate release vehicle(s) for the fix just as soon as we actually know what the fix is. :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks sir!
For future reference, this bug was reported here: https://bugs.freenas.org/issues/14606 and fixed in the 9.10 branch as of FreeNAS-9.10-STABLE-201604140622.

The samba project suggests the following global (auxiliary) parameters for further improvement (if they are compatible with your network environment):
Code:
server signing = mandatory
ntlm auth = no


There is always a chance that you have some clients (such as printers) that don't use NTLMv2 for authentication and so test before pushing into production. Additionally, the "server signing" parameter defaults to "off" for server roles other than ADDC for performance reasons.

The new version of samba introduced some new smb.conf parameters
Code:
allow dcerpc auth level connect (G) (default = no)
client ipc signing (G) (default = "default" - mandatory)
client ipc min protocol (G) (default = "NT1")
client ipc max protocol (G) (default = highest supported SMB2/3 dialect)
ldap server require strong auth (G) (default = yes)
raw NTLMv2 auth (G) (server will reject client using raw NTLMv2 without using NTLMSSP - applies to standalone and member servers)
tls verify peer (G) (default = "as_strict_as_possible")
tls priority (G) (default = "NORMAL:-VERS-SSL3.0")


For more information see notes here: https://www.samba.org/samba/history/samba-4.3.8.html
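
Added example (not part of the original post or of FreeNAS/Samba): a small Python audit of an smb.conf `[global]` section against the two suggested values and two of the new parameters listed above. The `audit` and `parse_global` helpers and the sample config are constructed for illustration; absent parameters fall back to the defaults quoted in the post, assuming a server role other than AD DC.

```python
import re

# Values suggested in the post, plus two new parameters whose listed
# defaults should not be overridden.
EXPECTED = {
    "server signing": "mandatory",
    "ntlm auth": "no",
    "allow dcerpc auth level connect": "no",
    "ldap server require strong auth": "yes",
}
# Effective value when a parameter is absent, as quoted in the post
# (assumption: non-AD-DC role). "ntlm auth" has no default stated there.
DEFAULTS = {
    "server signing": "off",
    "allow dcerpc auth level connect": "no",
    "ldap server require strong auth": "yes",
}
BOOL = {"yes": "yes", "true": "yes", "1": "yes",
        "no": "no", "false": "no", "0": "no"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    params, section = {}, None
    # A trailing backslash continues the line.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def audit(text):
    """Return (parameter, effective value, expected value) for each mismatch."""
    params = parse_global(text)
    findings = []
    for name, want in EXPECTED.items():
        raw = params.get(norm(name), DEFAULTS.get(name))
        have = None if raw is None else BOOL.get(raw.lower(), raw.lower())
        if have != want:
            findings.append((name, have, want))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """[global]
    workgroup = EXAMPLE
    Server Signing = mandatory
    ntlm auth = Yes
    allow dcerpc auth level connect = true
[share]
    ntlm auth = no
"""
if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: effective={have!r}, expected={want!r}")
```
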
 