Security with Samba 3.0 and Kerberos
Antti Tikkanen
antti.tikkanen at hut.fi
Mon Apr 7 10:27:02 GMT 2003
On Sat, 5 Apr 2003, Andrew Bartlett wrote:
> I think the only way to 'fix' this would be to require SMB signing
> using kerberos (as an attacker would therefore not be able to craft any
> packets, once authenticated). This is an area of active interest for
> me, and if you want to help with getting it going I would very much
> appreciate it.
Hi Andrew,
I agree, requiring SMB signing would take care of the problem. As someone
stated in the other replies, the replay cache would not help much. It
would just make an attack a little bit harder. I think this is a real
problem with pure Windows 2000 domains as well (where servers have
replay caches), if you can't physically secure your LAN. The analogy with
plaintext passwords still stands.
I'm sorry but I don't think I would experienced enough to help actually
implement the cache (if it indeed is possible at all). Hopefully you
will still tackle this problem somehow.
Antti
--
Antti.Tikkanen at hut.fi
Helsinki University of Technology
Computing Centre
More information about the samba-technical
mailing list