The Inquirer-Home

Microsoft security update breaks Samba

Linux and Unix sysadmins should update
Wed May 12 2004, 09:54
THE SAMBA team quietly released over the weekend versions 3.0.4 and 2.2.9 of Samba, the GNU open source code that works quietly under the hood in Linux and Unix. It lets those systems share and access resources with other systems running Windows, Linux, Unix, FreeBSD, OS/2 and more, using the SMB and CIFS protocols.

This time, there was an important reason to issue these updates: one of the Vole's latest security patches to Windows NT, 2000 and XP, described in the Knowledge Base article KB828741, changes how Windows deals with passwords, plugging a security hole and breaking critical Samba compatibility in the process.

After applying this Microsoft "fix" to their systems, users who access Samba file servers - most of which run a version of Unix or Linux - suddenly found it impossible to change passwords from Windows machines when prompted to do so as passwords start expiring.

As a result of the operation, they get the friendly message "You do not have permission to change your password". Something that makes Linux and Unix sysadmins very unhappy, I'm sure.

"If you have any idea what is going on, please help", reads a post on the message board of a Linux site, from an anxious person handling "Computer Operations" at Texas A&M University's Memorial Student Center. "I un-installed Microsoft Cumulative Update MS04-012 (KB828741). Sure enough this fixed the problem", wrote another in response. "I hope the Samba folks fix this, so we don't have to un-install this update on all computers", the discouraged sysadmin concluded.

Before these Samba updates were released, the only solution for this problem was un-installing the Vole's "fix", leaving Windows systems vulnerable, or instead leaving Windows users unable to change their passwords. Tough call.

Rumba, Samba, Mambo...
This isn't the first time the unrepentant Redmond juggernaut has made things difficult for the open source Samba team, and I anticipate this won't be the last.

Corporate help desks dealing with angry Windows users that suddenly can't change their passwords to access Linux/Unix file server(s) is something that may make Steve Ballmer grin with pleasure, if not dance all the way to the bank singing about the 'advantage' of running a "100% Windows" operation.

Hopefully the Samba team has fixed their code to keep up with the Vole, so that Samba continues working correctly, even after Microsoft's "fix". Linux, Unix and other Samba users are encouraged to upgrade their systems to the latest Samba 3.x release if possible. Keep in mind that Samba 2.2 is in "maintenance mode" and that 2.2.9 was only released to fix this critical issue. There are no further Samba 2.2.x releases planned.

See Also
Samba quietly turned 3.0

