Samba release manager Jerry Carter once told me that the majority of “bugs” in Samba that get reported by users are actually misconfigurations of that user’s system, or a problem with Microsoft Windows, and are not the fault of Samba.
In one of the rare tips I’ve written for SearchEnterpriseLinux.com, Carter said the next time a user comes knocking on your door with an Access Denied error message and blames it on Samba, tell them to slow down. Most of the time, it’s not Samba’s fault, he said. “Our motto is ‘Bug for bug, feature for feature, we are completely compatible with Microsoft Windows,’” Carter said.
However, Carter also said that if there was a legitimate bug, the Samba team had no problem admitting it existed and working post haste to get it resolved. Today, the Samba team reported a security issue with Samba’s code, as well as a patch to fix it.
Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the “wins support” parameter has been enabled in smb.conf.
A patch addressing this defect has been posted to
Additionally, Samba 3.0.27 has been issued as a security release to correct the defect.
Samba administrators may avoid this security issue by disabling the “wins support” feature in the host’s smb.conf file.
This vulnerability was reported to Samba developers by Alin Rad Pop, Secunia Research.
The time line is as follows:
- Oct 30, 2007: Initial report to firstname.lastname@example.org.
- Oct 30, 2007: First response from Samba developers confirming the bug along with a proposed patch.
- Nov 15, 2007: Public security advisory to be made available.
“Our Code, Our Bugs, Our Responsibility.” – The Samba Team
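To check whether a host is exposed through the “wins support” setting named in the advisory, the following added example (not part of the advisory or of Samba's own code) parses an smb.conf and reports the effective value. The sample configuration and the function names are constructed for illustration; `include =` directives are not followed, and parameters that appear before any section header are treated as global as a conservative assumption.

```python
import re

# Constructed sample smb.conf, not taken from any real host.
SAMPLE = """\
# file server
[Global]
   workgroup = EXAMPLE
   ; wins support = no
   WINS  Support = Yes

[public]
   path = /srv/public
"""

# smb.conf documents yes/true/1; "on" is included as a conservative assumption.
TRUE_VALUES = {"yes", "true", "1", "on"}

def _norm(name):
    # Case and all whitespace in section/parameter names are ignored by smb.conf.
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Yield lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line[:1] in ("#", ";"):
            continue  # assumption: a comment line never continues
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def wins_support_enabled(text):
    """Return True if the effective [global] 'wins support' value is true."""
    section, enabled = None, False  # Samba's default is 'wins support = no'
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section in (None, "global") and "=" in line:
            name, value = line.split("=", 1)
            if _norm(name) == "winssupport":
                enabled = value.strip().lower() in TRUE_VALUES  # last wins
    return enabled

if __name__ == "__main__":
    print("wins support enabled:", wins_support_enabled(SAMPLE))
```

On a host with Samba installed, `testparm -s` prints the configuration as Samba itself parses it and is the authoritative check.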