CVS update: samba/docs/docbook/projdoc

Andrew Bartlett abartlet at samba.org
Sat May 10 17:47:30 EST 2003


On Sat, 2003-05-10 at 15:26, jht at samba.org wrote:
> 
> Date:	Sat May 10 05:26:48 2003
> Author:	jht
> 
> Update of /home/cvs/samba/docs/docbook/projdoc
> In directory dp.samba.org:/tmp/cvs-serv23071
> 
> Modified Files:
> 	Samba-BDC-HOWTO.xml Samba-PDC-HOWTO.xml ServerType.xml 
> Log Message:
> Fixes for typos and other stuff resulting from VL's feedback.

@@ -418,10 +433,12 @@
 </para></note>
 
 <note><para>
-<emphasis>Server level</emphasis> security is incompatible with what is
known as
-<emphasis>schannel</emphasis> or <emphasis>sign and seal</emphasis>
protocols. This means that
-if you want to use <emphasis>server</emphasis> level security you must
disable the use of
-<emphasis>sign and seal</emphasis> on all machines on your network.
+<emphasis>Server level</emphasis> security is incompatible with the
newer security features
+in recent MS Windows networking protocols. In particular it is
incompatible with NTLMv2.
+Server Mode security also breaks Sign and Seal interoperability because
only a domain member
+can sign packets in the manner in which it is currently implemented in
Samba-3. 
+If you chose to use Server Mode security this means it is necessary to
disable Sign and Seal
+on all workstations.
 </para></note>
 
 <sect3>
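Review bot: the replacement paragraph asserts that server level security "is incompatible with NTLMv2" and that "only a domain member can sign packets", but the note gives no reason for either claim, and the reply later in this thread disputes both; it also drops the "schannel" alias that the removed lines gave for "sign and seal", so readers searching the docs for that term will no longer find it. Suggest limiting the note to what is actually lost in this mode, namely that the authentication is passed through to another server so this server never holds the session key, and that anything keyed off the session key (SMB signing among them) therefore cannot work, while keeping the "also known as schannel" cross-reference. Minor: the line "Samba-3. " carries trailing whitespace.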

Grr, almost every statement in this diff is incorrect...

Security=server is perfectly compatible with NTLMv2 - there is nothing
that prevents an active man-in-the-middle attack on NTLMv2, which is all
security=server is.

SMB signing isn't implemented yet, but it's not the thing that we have
so badly misnamed 'signorseal'.  As this server is not a DC, that
registry patch does not apply anyway.  

The things security=server breaks are SMB signing and other things that
use the session key - notably local user management.

It is a valid, and unlike in Samba 2.2, workable solution to some
authentication problems.  (The use of NTLMSSP in Samba 3.0 makes
security=server reliable, if not desirable).

Andrew Bartlett  

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
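The reply above makes the point that security=server is nothing more than a pass-through of the client's NTLMv2 exchange to another server, and that what it breaks is everything that needs the session key. The following toy model, an added example that is not Samba's code or part of the original message, shows why: the relay sees the challenge and the response and learns only accept/reject, while the client and the password server (the one holding the hash) each derive the same session base key that the relay cannot. The NTLMv2 derivations follow the MS-NLMP formulas (NTOWFv2 and the session base key are HMAC-MD5 over the NT hash and the proof); the NT hash itself is MD4, which many modern OpenSSL builds no longer provide, so the block falls back to MD5 as a labelled stand-in. The credentials, blob and challenge are constructed sample values.

```python
"""Toy model of NTLMv2 pass-through authentication (Samba security=server).

Constructed example: a server that merely relays the challenge and the
response to a password server never obtains the session base key, so any
feature keyed off that key (SMB signing and similar) cannot work in this mode.
"""
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real account).
USER, DOMAIN, PASSWORD = "alice", "EXAMPLE", "correct horse battery staple"


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). MD4 is missing from many modern
    OpenSSL builds, so this toy substitutes MD5 when it is unavailable."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.md5(data).digest()  # stand-in only, not real NTLM


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), ident, hashlib.md5).digest()


def client_respond(password, user, domain, server_challenge, client_blob):
    """Client side: returns NTProofStr + blob (the NTLMv2 response) and the
    session base key the client derives: HMAC-MD5(NTOWFv2, NTProofStr)."""
    key = ntowf_v2(password, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    session_key = hmac.new(key, proof, hashlib.md5).digest()
    return proof + client_blob, session_key


def password_server_verify(password, user, domain, server_challenge, response):
    """Password server side: it holds the hash, so it can both check the proof
    and derive the same session base key. Returns None if the proof is wrong."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(password, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return None
    return hmac.new(key, proof, hashlib.md5).digest()


def security_server_exchange(password=PASSWORD, user=USER, domain=DOMAIN):
    """Model security=server: the relay fetches a challenge from the password
    server, hands it to the client, forwards the client's response and is told
    only whether it was accepted. Returns the relay's complete view plus the
    keys held by the two real endpoints, for comparison."""
    challenge = os.urandom(8)   # constructed: issued by the password server
    blob = os.urandom(24)       # constructed: client's timestamp/nonce blob
    response, client_key = client_respond(password, user, domain, challenge, blob)
    # The password server verifies locally and keeps the derived key to itself;
    # passing the password here only models that it is the one holding the hash.
    server_key = password_server_verify(password, user, domain, challenge, response)
    relay_view = {
        "challenge": challenge,
        "response": response,
        "accepted": server_key is not None,
        "session_key": None,    # never transmitted to the relay in this mode
    }
    return relay_view, client_key, server_key


if __name__ == "__main__":
    view, ck, sk = security_server_exchange()
    print("accepted:", view["accepted"])
    print("client and password server agree on key:", ck == sk)
    print("relay holds a session key:", view["session_key"] is not None)
```

The relay's dictionary is the whole of what a security=server host ever sees for that logon: an opaque challenge, an opaque response, and a verdict. Compare that with a domain member, where the domain controller returns the session key over the member's own secure channel; that is the difference that decides whether SMB signing and other session-key-dependent operations can work at all.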