
fix(samba): compatibility with Samba 4.22+ and add CanarySMB alias #481

Open: pippocom wants to merge 1 commit into thinkst:master from pippocom:fix/samba-4.22-compatibility


@pippocom


Proposed changes

This PR fixes two bugs in the SMB module that prevent it from working with Samba 4.22+ and modern Linux distributions, and adds a missing class alias that causes an ImportError on startup.
No related issue exists yet — this was discovered while deploying OpenCanary on Debian 13 Trixie with Samba 4.22.8.

Types of changes

Bugfix (non-breaking change which fixes an issue)

Checklist

Lint and unit tests pass locally with my changes (if applicable)

Further comments

Three issues fixed in a single PR as they are all related to the SMB module failing silently on modern systems:

  1. Regex: The original anchored pattern ^.*smbd_audit fails when rsyslog prepends an ISO timestamp (e.g. 2026-05-12T11:53:35+02:00 hostname). Changed to re.search() with unanchored pattern.
  2. Field parsing: Samba 4.22+ with vfs_full_audit prefix %U|%I|%S produces 6 fields instead of the 13+ the code assumed, causing silent IndexError. Added format detection to handle both old and new formats.
  3. CanarySMB alias: opencanary.tac imports CanarySMB but the module only defines CanarySamba, causing ImportError on startup and the module never loading. Added CanarySMB = CanarySamba alias.

Tested on: Debian 13 Trixie, Samba 4.22.8, Python 3.13, Raspberry Pi Zero W.

Reported-by: Marco Iannacone ianna@pippo.com

The SMB module had two issues that prevented it from working on modern
Samba installations:

1. Regex fix: the original anchored regex (^.*smbd_audit) failed when
   syslog prepends a timestamp before the smbd_audit token, as seen
   with rsyslog on Debian 12+ and Samba 4.x. Changed to use re.search()
   with unanchored pattern to match anywhere in the line.

2. Field parsing: Samba 4.22+ with vfs_full_audit prefix '%U|%I|%S'
   produces only 6 pipe-separated fields instead of the 13+ expected
   by the original code, causing IndexError. Added format detection
   to handle both the short format (Samba 4.22+) and the legacy long
   format transparently.

3. CanarySMB alias: opencanary.tac imports CanarySMB but the module
   only defines CanarySamba, causing ImportError on startup. Added
   CanarySMB = CanarySamba alias for backward compatibility.

Tested on: Debian 13 Trixie, Samba 4.22.8, Python 3.13
Reported-by: Marco Iannacone <ianna@pippo.com>
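
A tolerant parser for the log lines this PR describes, as an added example that is not code from the PR or from OpenCanary. It assumes vfs_full_audit writes `prefix|operation|result|argument...` after the `smbd_audit` tag; `parse_audit_line`, `parse_log`, the field names and the sample lines are hypothetical. Short records are collected rather than dropped, so a format mismatch shows up instead of silently suppressing honeypot alerts.

```python
import re

# The token may sit anywhere in the line: rsyslog can prepend an ISO timestamp
# and hostname, and the syslog tag may carry a "[pid]" suffix.
AUDIT_RE = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(?P<payload>.*)$")

# Field names for the '%U|%I|%S' prefix named in the PR (names are hypothetical).
SHORT_PREFIX = ("user", "src_ip", "share")


def parse_audit_line(line, prefix_fields=SHORT_PREFIX):
    """Return an event dict, or None if the line is not an smbd_audit record.

    Assumes the payload is prefix|operation|result|argument..., and raises
    ValueError (instead of an uncaught IndexError) when fields are missing.
    """
    match = AUDIT_RE.search(line)
    if match is None:
        return None
    fields = match.group("payload").strip().split("|")
    n = len(prefix_fields)
    if len(fields) < n + 2:  # prefix + operation + result
        raise ValueError(f"got {len(fields)} fields, need at least {n + 2}")
    event = dict(zip(prefix_fields, fields[:n]))
    event.update(operation=fields[n], result=fields[n + 1], args=fields[n + 2:])
    return event


def parse_log(lines, prefix_fields=SHORT_PREFIX):
    """Parse many lines; keep rejected audit lines so dropped alerts are visible."""
    events, rejected = [], []
    for line in lines:
        try:
            event = parse_audit_line(line, prefix_fields)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if event is not None:
            events.append(event)
    return events, rejected


# Constructed sample lines (not real captures).
SAMPLE = [
    "2026-05-12T11:53:35+02:00 hostname smbd_audit: guest|192.0.2.10|share|open|ok|report.docx",
    "May 12 11:53:36 hostname smbd_audit[812]: guest|192.0.2.10|share|close|ok|report.docx",
    "2026-05-12T11:53:37+02:00 hostname sshd[99]: Connection closed by 192.0.2.10",
    "2026-05-12T11:53:38+02:00 hostname smbd_audit: guest|192.0.2.10",
]
```

For a longer `full_audit:prefix`, pass a `prefix_fields` tuple with one name per prefix variable so the operation and result are read from the right positions.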