Samba 4.24.0 addresses a Kerberos-related vulnerability by changing the default encryption types for Kerberos to AES-128 and AES-256 to counter impersonation techniques. The release also extends audit coverage for sensitive Active Directory attributes. Users should upgrade to Samba version 4.24.0 to apply these security hardening changes.
Samba 4.24.0 arrived carrying a set of Kerberos security changes aimed at Active Directory deployments. The release fixes a vulnerability, extends audit coverage for sensitive AD attributes, and introduces configuration options to counter two related Kerberos impersonation techniques.

A CVE drives the encryption default change

The most directly security-relevant change in 4.24.0 is a shift in the default encryption types for Kerberos. The smb.conf parameter kdc default domain supported enctypes now defaults to AES-128 and AES-256 (specifically …

The post Samba 4.24.0 ships Kerberos hardening and a CVE fix for domain encryption defaults appeared first on Help Net Security.