Author:

Stefan Metzmacher

Company : SerNet / Samba Team

Title : Developer

 
 
Improving DCERPC Security

This talk explains the upcoming DCERPC security improvements in Samba after the Badlock bug. These changes are designed to be backward compatible and will hopefully be implemented by other products as well.

Learning Objectives

  • What the problems are
  • What the urgent fixes look like
  • How the protocol can be further hardened

Samba SMB-Direct Status Update

There have been various proofs of concept in recent years.

This talk gives an overview of the current state of SMB-Direct support inside Samba using a Linux kernel driver.

Learning Objectives:
1. What the challenges are regarding the existing RDMA stacks
2. What the proposed design looks like
3. What the current implementation status is

Windows Authentication With Multiple Domains and Forests

This talk gives an overview of the authentication protocols implemented in Samba, e.g. Kerberos, NTLMSSP and Netlogon Secure Channel.

It covers the limitations the protocols impose, especially with respect to trusts, and the differences between the trust types.

It also gives a status update on trusts in Samba as an Active Directory domain controller.

A New DCERPC Infrastructure for Samba

There are currently 4 independent DCERPC implementations (2 servers and 2 clients). They work fine, but they're missing some important features.

The new infrastructure will combine all 4 implementations and add important new features: full async client and server support, support for association groups, multiplexing of security contexts, multiplexing of presentation contexts, support for DCERPC pipes and maybe DCERPC callbacks.

This infrastructure is the requirement for future development for things like:

Samba Async VFS Future

Samba has some code to do async I/O through its SMB_VFS layer, but we only have that for file-descriptor-based calls like pread, pwrite and fsync.

In 4.10 we added some special cases for async getxattr() calls during an SMB2 Query Directory call.

As getxattr() is a path based call, which requires special
impersonation handling, when called via threadpools.

Samba Multi-Channel/io_uring Status Update

Samba has had experimental support for multi-channel for quite a while. SMB3 has a few concepts to replay requests safely. Some of them are still missing in Samba, which could lead to misbehaving clients. The talk will explain how the missing features will be implemented. With the increasing amount of network throughput, we'll reach a point where data copies are too much for a single CPU core to handle. This talk gives an overview of how the io_uring infrastructure of the Linux kernel could be used to avoid copying data, as well as to spread the load between CPU cores.

Kerberos/Authentication Updates in Samba

On the domain controller side we got a lot of updates recently:

  • Updated Heimdal
  • Working with the latest MIT Kerberos

On the member server side we fixed some critical bugs and have plans for future improvements in how a file server can avoid as much domain controller interaction as possible.

  • How Samba plans to use Kerberos FAST
  • How you can reliably change a machine password
  • Why it is so important to behave as identically as possible to a Windows server

Samba io_uring Status Update

With the increasing amount of network throughput, we'll reach a point where data copies are too much for a single CPU core to handle. This talk gives an overview of how the io_uring infrastructure of the Linux kernel could be used to avoid copying data, as well as to spread the load between CPU cores. A prototype for this has existed for quite some time and shows excellent results.

  • What the current implementation status is
  • What the proposed design looks like
  • What challenges we are hitting in bringing it upstream