Samba 4.21 comes with upgraded security features
Samba is the standard suite of programs that enables seamless interoperability between Linux/Unix and Windows systems. Version 4.21 has been officially released.
Hardening of ‘valid users’, ‘invalid users’, ‘read list’ and ‘write list’
In previous versions of Samba, if a user or group name in any of these share options could not be resolved to a valid SID, the entry was silently skipped, with nothing written to the log. This could result in unexpected and insecure behaviour: an ‘invalid users’ entry that the DC happened not to resolve at connect time would simply not deny anyone, and a ‘read list’ entry that was dropped would leave that user with write access if the share was writable. Starting with this version, if any user or group name in any of these options cannot be resolved because of a communication error with a domain controller, Samba logs an error and the tree connect fails, i.e. the share fails closed rather than open. Names that genuinely do not exist are still ignored, so a stale entry does not break a share.
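As an added illustration (this is a constructed smb.conf share, not an example from the release notes), the following share uses all four options. The domain name EXAMPLE, the paths and the user and group names are assumptions.

```ini
; Constructed example share; EXAMPLE, the path and all account names are hypothetical.
[finance]
    path = /srv/samba/finance
    writeable = yes
    ; Only members of this domain group may connect at all.
    valid users = @EXAMPLE\finance-staff
    ; A group member who must nevertheless be kept out.
    invalid users = EXAMPLE\contractor1
    ; Auditors may connect read-only; staff may write.
    read list = EXAMPLE\auditor
    write list = @EXAMPLE\finance-staff
```

Before 4.21, a winbind lookup failure for EXAMPLE\contractor1 while the DC was unreachable would have dropped that ‘invalid users’ entry without a trace, and contractor1 could have connected through the group membership. With 4.21 the same lookup failure is logged and the tree connect is refused; if instead contractor1 has been deleted from the domain, the entry is ignored and the share keeps working.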
LDAP TLS/SASL channel binding support
The LDAP server now supports SASL binds with Kerberos or NTLMSSP over TLS connections (either LDAPS or StartTLS).
Setups that previously required ‘ldap server require strong auth = allow_sasl_over_tls’ can now, in most cases, move to the default of ‘ldap server require strong auth = yes’, which accepts SASL binds over TLS only when the client supplies correct channel bindings.
If SASL binds without correct TLS channel bindings are still necessary, ‘ldap server require strong auth = allow_sasl_without_tls_channel_bindings’ should now be used instead: ‘allow_sasl_over_tls’ still works but generates a warning every time ‘samba’, ‘testparm’ or ‘samba-tool testparm’ starts.
This corresponds roughly to the LdapEnforceChannelBinding value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on Windows domain controllers, where a value of 2 enforces channel bindings on every TLS connection.
All client tools using LDAPS now also include the correct channel bindings.
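As an added example (not taken from the release notes), this [global] fragment shows the three values side by side, with the Samba 4.21 default active and the two weaker alternatives commented out. The TLS file names are assumptions; Samba's defaults under the private directory also work.

```ini
; Constructed [global] fragment; certificate paths are hypothetical.
[global]
    tls enabled = yes
    tls keyfile = /etc/samba/tls/dc.key
    tls certfile = /etc/samba/tls/dc.pem
    tls cafile = /etc/samba/tls/ca.pem

    ; Samba 4.21 default: simple binds must use TLS, and SASL (Kerberos or
    ; NTLMSSP) binds over LDAPS/StartTLS must carry correct TLS channel
    ; bindings. Roughly LdapEnforceChannelBinding = 2 on Windows.
    ldap server require strong auth = yes

    ; Transitional value while old clients that cannot supply channel
    ; bindings are fixed; no deprecation warning.
    ;ldap server require strong auth = allow_sasl_without_tls_channel_bindings

    ; Pre-4.21 value: still accepted, but warns at every start of samba,
    ; testparm or samba-tool testparm.
    ;ldap server require strong auth = allow_sasl_over_tls
```

Running ‘testparm’ after the change is the quickest way to confirm which value is active and whether the deprecation warning still fires.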
Samba AD will rotate expired passwords on smartcard-required accounts
Traditionally in AD, accounts flagged “smart card is required for interactive logon” still have a password: the DC sets a random one, which is used for NTLM fallback and for local profile encryption (Windows DPAPI). Previously this password never expired, so its NTLM hash, once obtained, stayed valid indefinitely.
Matching Windows behaviour, when the domain is at functional level 2016 and the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain root object is set to TRUE, Samba now expires these passwords and rotates them shortly before they expire.
Note that the maximum password age must be at least twice the TGT lifetime for smooth operation, e.g., daily expiry with the default 10-hour TGT lifetime. The reason is that a password is only rotated, when the account authenticates, in the second half of its life: if that half were shorter than a TGT lifetime, an account that authenticated just before the midpoint could still hold a valid TGT and not return to the KDC before the password expired. Again, this matches the Windows behaviour.
Provided the default 2016 schema is used, domains newly provisioned with Samba 4.21 have the attribute set, and rotation takes effect once the domain functional level is raised to 2016.
Domains upgraded from older Samba versions will not have the attribute set, even after the functional level preparation, so it has to be enabled explicitly; this matches the behaviour of upgraded Windows AD domains.
For a complete list of what’s new, check out the release notes.