[Samba] Low performance when using "server signing" = "mandatory"

Rowland Penny rpenny at samba.org
Mon Oct 23 10:29:34 UTC 2023


On Mon, 23 Oct 2023 12:02:20 +0200
Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:

> Ok thank you.
> So, Is my file server with Samba 4.17.12 vulnerable to CVE-2016-2114
> if it is not a DC server?
> 
> To be clear, I don't use any Active Directory domain controller in my
> network.

Let's see if I can paraphrase the documentation for CVE-2016-2114
(which is very old now).

There was a bug before 4.4.0 that allowed SMBv1 clients to be possibly
vulnerable to M-I-M attacks; this was fixed, but 'server signing'
(according to the CVE) is set to 'off' for performance reasons.

If you examine 'man smb.conf', you find this, under 'server signing':

For the SMB2 protocol, by design, signing cannot be disabled.

Samba, by default, now uses SMBv2, so you do not, in my opinion, have
anything to worry about, unless you have turned SMBv1 on again.

Rowland
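An added example, not from Rowland's reply or the Samba project: a small POSIX sh checker that reads an smb.conf and reports whether the configuration re-enables SMB1 and, if so, whether 'server signing' is mandatory, run here over two constructed sample configs. It assumes SMB2_02 as the compiled-in 'server min protocol' default (noted in the comments).

```shell
#!/bin/sh
# Added example (not from the thread): checks an smb.conf for the two settings the
# reply hinges on, whether SMB1 can still be negotiated and what 'server signing'
# is set to. POSIX sh + awk only, so it runs without Samba installed.

# Print a [global] parameter's value, or $3 if it is not set. Keys are matched
# case-insensitively with whitespace normalised, as Samba itself does.
smb_global_param() {  # $1 = smb.conf path, $2 = parameter name, $3 = default
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == want) found = val
        }
        END { print (found == "" ? def : found) }' "$1"
}

# Succeeds (exit 0) when the config lets an SMB1 dialect be negotiated.
# Assumption: the compiled-in default for 'server min protocol' is SMB2_02
# (Samba 4.11 and later); confirm on a real host with 'testparm -v'.
smb1_enabled() {  # $1 = smb.conf path
    case "$(smb_global_param "$1" 'server min protocol' SMB2_02 | tr 'a-z' 'A-Z')" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints SMB2_ONLY, SMB1_SIGNING_ON or SMB1_SIGNING_OFF for a given smb.conf.
signing_posture() {  # $1 = smb.conf path
    if ! smb1_enabled "$1"; then
        echo SMB2_ONLY            # SMB2+ signing cannot be disabled
    elif [ "$(smb_global_param "$1" 'server signing' default | tr 'A-Z' 'a-z')" = mandatory ]; then
        echo SMB1_SIGNING_ON
    else
        echo SMB1_SIGNING_OFF     # default/auto/disabled: SMB1 sessions need not be signed
    fi
}

# Constructed sample configs: a risky one next to one matching the advice above.
tmp=$(mktemp -d); WEAK_CONF="$tmp/weak.conf"; HARDENED_CONF="$tmp/hardened.conf"
printf '[global]\n  workgroup = WORKGROUP\n  server min protocol = NT1\n  server signing = auto\n[share]\n  path = /srv/share\n' > "$WEAK_CONF"
printf '[global]\n  workgroup = WORKGROUP\n  server min protocol = SMB2_02\n  Server Signing = mandatory\n' > "$HARDENED_CONF"
for f in "$WEAK_CONF" "$HARDENED_CONF"; do echo "$f: $(signing_posture "$f")"; done
```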
