[Samba] CVE-2022-38023 and Samba versions

Andrew Bartlett abartlet at samba.org
Fri Jun 9 20:14:14 UTC 2023


On Fri, 2023-06-09 at 19:28 +0000, Jim Brand via samba wrote:
> Just to clarify we are only running Samba file servers.   And we
> would certainly add the workarounds in smb.conf
> 
> But will we have problems communicating with Windows domain
> controllers if we are still running samba-4.10 after July 2023?   Per
> 
> https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25
> 
> 
> the July Windows updates will enforce RPC sealing and RPC signing
> will not be allowed.  Does Samba 4.10.16-20/24 use the sealing or the
> signing netlogon protocol talking to Windows DCs?

Yes, it will all be fine, the advisory notes RC4 cryptography in
NETLOGON is unused (by default in our client) since Samba 4.0.  

On the signing/sealing question, you can note this warning in the
advisory:

> 'winbind sealed pipes = yes' should also be kept at its default
> value!

That is, 'out of the box' we are already using the more advanced
cryptography by default, and always encrypt (not just sign, this always
seemed a bad idea) our post connection-setup NETLOGON requests.

Testing is good, but I don't have any major concerns about this update.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
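A quick way to audit the point made above is to check what a file server's smb.conf actually sets for 'winbind sealed pipes', remembering that an absent parameter means the compiled-in default (yes). The following is an added example written for this thread, not code from Samba; it assumes a single smb.conf with no `include` directives and mirrors Samba's rule that parameter names are matched case-insensitively with internal whitespace ignored.

```python
"""Audit an smb.conf for the 'winbind sealed pipes' setting discussed in the thread.

Samba parameter names are case-insensitive and internal whitespace is ignored,
so 'Winbind Sealed Pipes' and 'winbindsealedpipes' name the same parameter.
Booleans accept yes/true/1 and no/false/0. When the parameter is absent, the
compiled-in default (yes) applies, which is the value the advisory wants kept.
"""
import re

SEALED_PIPES = "winbindsealedpipes"  # normalised parameter name
TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def normalise_name(name: str) -> str:
    """Drop whitespace and case, as Samba does when matching parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(conf_text: str) -> dict:
    """Return the parameters set in [global]; section names are case-insensitive."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.*)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[normalise_name(name)] = value.strip()
    return params


def sealed_pipes_effective(conf_text: str) -> bool:
    """True when winbind's DC pipes will be sealed (encrypted): default or explicit yes."""
    value = parse_global(conf_text).get(SEALED_PIPES)
    if value is None:
        return True  # parameter absent: Samba default is yes
    v = value.lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean for winbind sealed pipes: {value!r}")


# Constructed sample configs for a member file server, not taken from any real host.
DEFAULT_CONF = "[global]\n  workgroup = EXAMPLE\n  security = ads\n"
WEAK_CONF = "[global]\n  workgroup = EXAMPLE\n  Winbind Sealed Pipes = no\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("weakened", WEAK_CONF)):
        print(label, "sealed" if sealed_pipes_effective(conf) else "NOT sealed (signing only)")
```

On a real host, `testparm -s --parameter-name='winbind sealed pipes'` reports the effective value directly, including the default when nothing is set.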



