[cifs-protocol] CIFS Null Session Vulnerability Fix in Samba 3.5.10

Shashi Kanth Boddula shashi.bsd at gmail.com
Wed Apr 25 17:42:07 UTC 2018


Hi Everyone,

I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined
to our AD domain controller. Recently my Windows guys has done some changes
to AD Security by stating " CIFS Null Session Vulnerability Fix via GPO -
Security Requirement".  After this change, my windows clients are not
authenticating with domain credentials while accessing the shares, but
nothing has changed on the Samba side. The "net ads" commands on the Samba
server shows everything seems to be OK, but still Windows clients are not
authenticating. The Windows guys are telling they have to make some AD GPO
changes to avoid NULL or Anonymous connections coming in to the AD DC
Servers.

Can someone please tell me how i can solve this issue. How can i tell Samba
to not to issue NULL/ Anonymous communications to AD DCs. Is this a known
issue or bug with Samba3, is there any solution to it ? Any parameters in
smb.conf which solves it? Please advice.


My smb.conf looks like bellow.



workgroup = EMEA
   server string = SambaStorage
   password server = EMEA.NET
   passdb backend = tdbsam
   smb encrypt = disabled
   realm = EMEA.NET
   security = ADS
   interfaces =  192.168.85.124 192.168.85.127 127.0.0.1
#  interfaces = bond1:1 bond1:2 bond1 lo

   bind interfaces only = no
   local master = no
   preferred master = no
   os level = 33
   dns proxy = yes
   wins support = no
   wide links = yes
   unix extensions = no


   log file = /var/log/samba/smb3x.log

   max log size = 50000


   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536
SO_SNDBUF=65536 SO_KEEPALIVE
   deadtime = 800


   load printers = no
   printcap name = /dev/null
   disable spoolss = yes
   winbind separator = +
   winbind use default domain = true
   winbind offline logon = false
   username map = /etc/samba/smbusers.map
   debug level = 1
   smb ports = 139 445


   netbios name = MYSAMBAX09
   client use spnego = yes
#domain master = no
   map to guest = bad uid
   hide dot files = no
   invalid users = netrun


-- 
Thanks & Regards,
Shashi Kanth
9886455567
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20180425/3c19eeb1/attachment.html>


More information about the cifs-protocol mailing list