Be carefull with Samba

Hello friends,

there are supposed to be several security vulnerabilities in Samba.



Interesting info ultrashort: patched version have been released for all the CVE vulnerabilities listed (a read is interesting anyway)
Patched version number are 4.17.4, 4.16.8 and 4.15.13.

My “meaningful” questions are:

  • when the AD container will be updated? (question for NethServer devs, no fast answer required)
  • will be backported the patch to the stale-old CentOS7 samba version? (depends mostly on Armonk/Raleigh will)
  • will development community will push hard enough to persuade executives of RH that patch old product is good and will help them to have more customers in the future?

I’m not confident for #2 and #3 to have pleasing answers for CentOS 7 users…

I’m not confident for #2 and #3 to have pleasing answers for CentOS 7 users…

And now?
Should I now set up a Windows server again, which is nothing more than a Swiss cheese in terms of security?

I’m sorry but answer to you is probably out of my league; I don’t know which are your needs and what you might find good enough for your choices.

CentOS 6 and 7 were considered good for server environment because were considered stable, reliable, with good support and “fast enough” vulnerability patch. In the trade, older version of packages were considered “necessary” to give better server-side experience and reduce issues.
The opinion is not shared by the whole crowd of users, IPfire dev team pitched quite hard against CentOS 7 stability and reliability.
In my opinion and without due/deep info research, currently CentOS 7 is still popular and used in the world.

But… snap back to reality, here goes gravity, RedHat changed the CentOS/RHEL approach quite hard, nuking out CentOS v8 and shifting the perspective of the distro. Two years passed since.

In my opinion mode On
This shifted completely the approach for CentOS 7 from “keep adopters happy, they will adopt CentOS8” to “no making money here, gonna take a with pinch of salt the changes”. To the point that one of the co-founders of CentOS, Mr Kurtzer, founded Rocky Enterprise Software Foundation and started Rocky Linux project.
Any big or scary enough vulnerability found in any of packages now involv bigger evaluation effort on RedHat side:

  1. how many RHEL 7 subscribers are affected from this problem?
  2. How deep enough?
  3. How’s gonna cost us not patch this one?
  4. how many RHEL 7 subscribers are gonna migrate to RHEL 9 for this?

Kernel itself is stale to say the least. Patched, backported, with interesting modules baked in to start also in way newer devices than June 2013, but with Sapphire Rapids (Intel Xeon on launchpod) and Genoa (4th gen AMD Epyc released november 2022) I’m confident enough that no one will install CentOS 7 on metal for the deep loss of computational power and safety tricks because the kernel is too old to take fully advantage if every architechtural step happened since 9 years. In fact, install Nethserver 7 on new bare metal is something I stopped to do two years ago (was not the only reason but contributed).

So… for RedHat, any big flaw not patched from the “mother project” is good for decrease the barking and noisy codegrabbers (CentOS 7 adopters) and increase the good drones meaningful of a smears of attention (RHEL 9 subscribers). This is why i don’t feel confident for fast patch backporting or fast package upgrade to long term support from SAMBA.
In my opinion mode Off

I might be completely wrong either!
My evaluation of development team for RHEL7/CentOS7 might too darkly shifted and the size of RHEL 7 might still be large enough to make sense for dev team to be reactive and focused, for avoding a fast and buggy release (log4j 2 style) and provide update package.
(fun fact: the extent of the flaws is not that big as Log4j, but at the end of the year some big hole keeps emerging from the code…)

On the side line, Uwe: are you sure about the “so low” security level of Windows Server?
Doing things “the Redmond way” is not cheap nor perfect, but it’s way safer than it was in 2009 or 2013 (Windows 2008 R2, Windows 2012 R2). In my opinion, lots of Windows sysadmins don’t like to do differently from what “worked in the past” and don’t want to learn new safer ways to do the same things, or do newer and safer things. So they cut out restrictive settings (like change the service user from “limited user” to “system”) and take “out of the way” the restrictive ACLs. The very same thing can be done in Linux if the sysadmin is pissed and skilled enough to deep tweak the way that the distro is built and which can be do in way deeper ways than Windows.
You don’t like Redmond way and prices? It’s fine, your opinion deserve respect. On the other end, for assess the safety of a product IMVHO a nicer level of knowledge should earned. Windows Server images allow still 6 months of evaulation at no cost.

1 Like


You’ve written some good lines here, and I do agree that Microsoft Systems have gone MUCH better than even 10 years ago…

However, generally Microsoft is like a Monoculture crop… One disease, and you’re bankrupt!
Enterprise Tools, like Solarwinds, are often the bigger problem than Windows itself - they’re well trusted, everyone uses them, like the Mainframe complex of the 1960/70ies…
“No tech manager ever got fired for ordering an IBM mainframe…”

The same mentality also causes eg Microsoft SQL to only be installed on a Microsoft Server system, even though they could easily run on a Win10 box or on Linux, and even supported on Linux!
A Linux box running Microsoft SQL Server is probably much less “hackable” than one running on Windows, simply because most hackers will not verify the OS, and blindly try to use Windows hacker tools - against a Linux system…

My 2 cents

1 Like

Why blame the software when sysadmins and dbadmins could tear apart all costrains and security measures?

I have no problems with any personal believes, but once or twice in a while might appen something that can be a gamechanger (for me SMR was for WD and SATAFIRM S11 for Kingston) for all the “tech-religious” opinion.
MS SQL is since at least decades a far more robust, efficient, and tough DBMS than 6.5, 2000 and 2005 (SQL versions, not years), but if your application demands sa credentials for login, everything falls apart.

Yes, Windows is my daliy OS client. It’s not perfect and I thinkg that I’ve never sold it as “the best in the world”.
So please, don’t sell other products as that, tell what you like and why :wink:

By the way. I love tilsit chese but I would like to remark that Parmigiano Reggiano Vacche Rosse is far more interesting to taste :grin:
Yes. I flag pride for italian cheese

No, I have nothing against the products from Redmond. And yes, I’m willing to pay a good price if I get good software and the service around it. But look at the updates from MS, which are released every second Tuesday of the month. How often are there bugs built in that make systems sometimes unusable or slow. See here: Slower SMB read performance for large files in 22H2 - Microsoft Community Hub
It seems to me that the ordinary admin or ordinary user is being used more and more by MS lately to find their bugs. And that is not okay for me and does not justify the price.

I can agree that this year SMB is getting headaches for the users. Last years were the printers.
But since Win11 22H2 few not trivial things changed:

  • SMBv1 is completely out of the door (yay :tada: :piñata: :partying_face: I can hear Kyocera MFPs not updated nor FTP translated screaming and shouting but frankly I don’t care.)
  • SMB data transfer can be compressed (and if both your CPUs have a lot of power this leads to faster transfers)
  • SMB have now better encryption as first try

You want to blame the updates? I can relate with that.
Should a IT-pro blindly trust MS? Is not my place to say how, which degree and why.

For what it’s worth, automatic update install is disabled in most of my installations, except my personal laptop. If I’m bashing my head, I can avoid bash other heads or in a controlled way (and payed for that).
By the way: an old NAS need to be tighten up as SMB protocol, thanks to let me recall that. Where hell are you going, little DS-216j ? ? ? ?

1 Like

@pike: You are in good shape today. Have rarely read your posts with so much pleasure as today.
Thanks a lot.

It’s simply statistic.
I cannot piss everyone for every post I publish. I mean, one of two members should find at least one of my posts useful, or even funny. It’s the law of large numbers, it must be! :sweat_smile:

(side chat: seen few minutes ago the presentation of Project Luna - act II from Dell. I think that a certain CEO of a certain “fruit brand” of consumer electronics and lot more could be hit by a stroke if see that video one time too much…)

1 Like