CVS update: samba/docs/docbook/projdoc
Andrew Bartlett
abartlet at samba.org
Sat May 10 17:47:30 EST 2003
On Sat, 2003-05-10 at 15:26, jht at samba.org wrote:
>
> Date: Sat May 10 05:26:48 2003
> Author: jht
>
> Update of /home/cvs/samba/docs/docbook/projdoc
> In directory dp.samba.org:/tmp/cvs-serv23071
>
> Modified Files:
> Samba-BDC-HOWTO.xml Samba-PDC-HOWTO.xml ServerType.xml
> Log Message:
> Fixes for typos and other stuff resulting from VL's feedback.
@@ -418,10 +433,12 @@
</para></note>
<note><para>
-<emphasis>Server level</emphasis> security is incompatible with what is
known as
-<emphasis>schannel</emphasis> or <emphasis>sign and seal</emphasis>
protocols. This means that
-if you want to use <emphasis>server</emphasis> level security you must
disable the use of
-<emphasis>sign and seal</emphasis> on all machines on your network.
+<emphasis>Server level</emphasis> security is incompatible with the
newer security features
+in recent MS Windows networking protocols. In particular it is
incompatible with NTLMv2.
+Server Mode security also breaks Sign and Seal interoperability because
only a domain member
+can sign packets in the manner in which it is currently implemented in
Samba-3.
+If you chose to use Server Mode security this means it is necessary to
disable Sign and Seal
+on all workstations.
</para></note>
<sect3>
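Review bot: the replacement note asserts that server level security "is incompatible with NTLMv2" and that "only a domain member can sign packets", but gives no mechanism for either, and the reply below disputes both: security=server relays the client's authentication exchange to the password server, so an NTLMv2 response passes through unchanged, and Samba-3 SMB signing is described as not implemented yet. The defensible statement is the session-key one: the relaying server never learns the session key, so anything keyed from it (SMB signing, and local user management as the reply lists) breaks. Suggest rewording the note along those lines, either restoring the "schannel" term the hunk drops or saying why it was wrong, fixing "If you chose" to "If you choose", and using one of "Server level" / "Server Mode" consistently.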
Grr, almost every statement in this diff is incorrect...
Security=server is perfectly compatible with NTLMv2 - there is nothing
that prevents an active man-in-the-middle attack on NTLMv2, which is all
security=server is.
SMB signing isn't implemented yet, but it's not the thing that we have
so badly misnamed 'signorseal'. As this server is not a DC, that
registry patch does not apply anyway.
The things security=server breaks are SMB signing and other things that
use the session key - notably local user management.
It is a valid and, unlike in Samba 2.2, workable solution to some
authentication problems. (The use of NTLMSSP in Samba 3.0 makes
security=server reliable, if not desirable).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
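As an added illustration of the point made in the reply above (example code written for this page, not Samba's implementation): security=server relays an NTLMv2 exchange unchanged, so the user authenticates, but the relaying Samba box never obtains the session key, which is why SMB signing and other session-key features break while plain authentication keeps working. The NTLMv2 formulas follow MS-NLMP; the user "alice", the domain "EXAMPLE", the password, the blob contents and the simplified `sign` MAC are constructed assumptions for the example, and MD4 is implemented inline because `hashlib` on many OpenSSL 3 builds no longer provides it.

```python
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), inline because hashlib often lacks it. NT hash needs it."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK

    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + func(b, c, d) + x[idx] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next op updates old d
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password, which is what the DC stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC_MD5(NT hash, UTF16LE(upper(user) + domain)), per MS-NLMP."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf2: bytes, server_challenge: bytes, blob: bytes):
    """(NTProofStr, SessionBaseKey) per MS-NLMP; both need NTOWFv2."""
    nt_proof = hmac.new(ntowf2, server_challenge + blob, hashlib.md5).digest()
    session_base_key = hmac.new(ntowf2, nt_proof, hashlib.md5).digest()
    return nt_proof, session_base_key


def sign(session_key: bytes, seq: int, message: bytes) -> bytes:
    """Constructed stand-in for a session-key MAC (not the real SMB signing
    construction): HMAC_MD5 over sequence number and message, truncated."""
    return hmac.new(session_key, struct.pack("<I", seq) + message, hashlib.md5).digest()[:8]


def relay_session_key(relay_view: dict):
    """What security=server can derive from its wire view. SessionBaseKey is
    HMAC_MD5(NTOWFv2, NTProofStr); NTOWFv2 never crosses the wire, so: nothing."""
    if "ntowf_v2" not in relay_view:
        return None
    return hmac.new(relay_view["ntowf_v2"], relay_view["nt_proof"], hashlib.md5).digest()


def relay_exchange(password: str, user: str, domain: str, stored_nt: bytes) -> dict:
    """Client -> Samba (security=server) -> password server, as a pass-through.
    Samba holds no credentials: it takes the password server's challenge, hands
    it to the client, and forwards the client's answer, an active MITM position."""
    # 1. Challenge obtained by Samba from the password server, relayed unchanged.
    server_challenge = os.urandom(8)
    # 2. Client builds a minimal NTLMv2 blob (constructed: zero timestamp, no AV
    #    pairs) and the response from its own password.
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 8
    client_key2 = ntowf_v2(nt_hash(password), user, domain)
    nt_proof, client_session_key = ntlmv2_response(client_key2, server_challenge, blob)
    # 3. Samba forwards user, domain, challenge, proof and blob. The password
    #    server recomputes from its stored NT hash and derives the same key.
    dc_key2 = ntowf_v2(stored_nt, user, domain)
    expected_proof, dc_session_key = ntlmv2_response(dc_key2, server_challenge, blob)
    authenticated = hmac.compare_digest(expected_proof, nt_proof)
    # 4. Everything the relay saw on the wire: enough to authenticate the
    #    user at the password server, not enough to sign anything itself.
    relay_view = {"challenge": server_challenge, "nt_proof": nt_proof, "blob": blob}
    return {
        "authenticated": authenticated,
        "client_session_key": client_session_key,
        "dc_session_key": dc_session_key if authenticated else None,
        "relay_session_key": relay_session_key(relay_view),
    }


if __name__ == "__main__":
    result = relay_exchange("password", "alice", "EXAMPLE", nt_hash("password"))
    print("authenticated:", result["authenticated"])
    print("client and DC agree on session key:",
          result["client_session_key"] == result["dc_session_key"])
    print("relay session key:", result["relay_session_key"])
```

The NT hash of "password" (8846f7ea…) is the usual check that the inline MD4 is correct. Run with a wrong stored hash and the proof check fails, which is the authentication part security=server does deliver; the relay's session key is None either way, which is the part it cannot.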