Samba settings SNAFU lets any user change admin passwords

Samba admins: get patching and/or updating. Unless you’re content to have your admin passwords overwritten by, well, anyone else using Samba.

That’s the gist of an advisory warning that “On a Samba 4 Active Directory domain controller (AD DC) any authenticated user can change other users' passwords over LDAP, including the passwords of administrative users and service accounts.”

“Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible,” the advisory adds.

The mess comes about because “… a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).”

“The LDAP server incorrectly validates certain LDAP password modifications against the "Change Password" privilege, but then performs a password reset operation.”

There’s some good news in the form of this simple workaround samba_CVE-2018-1057_helper --lock-pwchange that turns off the mistakenly loose password-setting permissions. Once you’ve done that, visit samba.org/samba/security/ to download patched Samba versions 4.7.6, 4.6.14 and 4.5.16 to fix recent releases. Older versions of the software may have patches here. ®