The release of Samba 4.21 brings critical security enhancements aimed at improving interoperability between Linux/Unix and Windows systems. This update addresses a key issue from previous versions, where unresolved user or group names could result in skipped users without notification, potentially leading to insecure system behavior. Now, if a user or group cannot be resolved due to a communication error with a domain controller, Samba logs an error, and the connection fails, making security checks more robust and predictable.
Another major upgrade in Samba 4.21 is the support for LDAP TLS/SASL channel binding, improving secure authentication practices. SASL binds with Kerberos or NTLMSSP are now supported over TLS connections, enabling setups previously requiring ‘allow_sasl_over_tls’ to switch to the more secure default of ‘strong auth.’ Additionally, LDAPS client tools now apply proper channel bindings, aligning with recommended security standards on both Linux/Unix and Windows.
Samba 4.21 also introduces automatic password expiration for accounts that require a smart card for logon, aligning its behavior with Windows Active Directory standards. Previously, such accounts retained a static password for NTLM fallback, presenting security risks if passwords did not expire. Now, passwords on smart card-required accounts rotate shortly before expiry, ensuring better security management in domains using this feature, particularly in environments with high-security demands.
These advancements in Samba 4.21 enhance secure configuration options and improve the reliability of identity and access management across networks with mixed operating systems. For administrators, the improvements mean more secure configurations without extensive reconfiguration, providing a straightforward path for organizations upgrading from older versions to benefit from the latest security features and compatibility standards.
Reference: