We are pleased to say that the Samba Team released Samba 4.20 on 27 March. This is a milestone in Samba development, given that it's the first release to include a centralised authentication firewall.
Samba 4.20 release
With the Samba 4.20 release, the Samba Active Directory (AD) Domain Controller can enforce which servers a user can authenticate on, regardless of how the server is configured.
This key feature, known as Authentication Policies and Authentication Silos, is a critical component for modern AD network segmentation. For example, it provides a way to ensure:
- administrative access is only available on administrative computers
- sensitive servers simply cannot accept authentication from unprivileged accounts.
Samba faithfully implements the Active Directory protocols by carefully examining network responses in an extensive test suite. A significant flaw was found during this extensive testing of the Microsoft Active Directory Kerberos implementation: the firewall could be bypassed.
Catalyst developer and Samba Team member Jo Sutton discovered the issue in June 2023. Together with Andrew Bartlett, Catalyst Samba team lead and another Samba team member, they reported it confidentially to Microsoft.
This week, Microsoft released a revised update for their fix for CVE-2024-21427. With the original release out for a month now and with the issues seen now addressed, Catalyst recommends all Active Directory administrators using this feature update their domains urgently.
Do Samba users need to update due to CVE-2024-21427?
Samba users can be assured they do not need to take any action. This is because Samba 4.20 is the first version with a centralised authentication firewall, and this feature was implemented securely from the outset.
If you have any questions about this article, or need expert support with your Samba solution, contact us.