[PATCH] Change Samba 3.6 and 4 security defaults

Andrew Bartlett abartlet at samba.org
Fri Dec 3 23:20:51 MST 2010 

On Sat, 2010-12-04 at 09:46 +1100, Andrew Bartlett wrote:
> On Sat, 2010-12-04 at 09:40 +1100, Andrew Bartlett wrote:
> > On Fri, 2010-12-03 at 14:10 -0500, Goldberg, Neil R. wrote:
> > > The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.
> > 
> > The problem I have with this patch is that the previous behaviour was
> > against the relevant RFC, but we followed the Microsoft behaviour.  
> 
> I'm sorry.  As I re-read the patch after I sent that mail, I clearly got
> completely the wrong sense of this.  
> 
> I fully support your patch, but it should be for 3.6, and be on by
> default.  Additionally we should have the same or a similar switch
> control our clients use of this value. 

Attached is a series of patches that I would like to propose for 3.6, if
it's not too late (and for master as well).

The patches still need some work, but I wanted to start by discussing
the concept while I tidy up the details, confirm facts and make tests. 

I would like to improve Samba's security and conformance to match
Windows 2008, by:
 - removing the server-sent SPNEGO principal from the server-side
reply, 
 - not honouring it in the client 
 - using NTLMv2 by default in our client.

This should match the behaviour of Windows 2008 and Vista for avoiding
man-in-the-middle attacks relying on swapping of the target principal,
and in NTLMv2 change it slowly moves us on from the very poor
cryptography of the NTLM era.

This will change behaviour - some broken configurations were windows
does not use Kerberos will now also fall back to NTLMSSP, but as Neil
reported in his original mail, it will also fix real world
inconsistencies.  

In terms of unexpected interoperability issues, all these code paths
should already have been explored with Windows 2008 and Vista clients
and servers.  Likewise, all these options can be turned back on with
smb.conf and command line options (see the --option option) if required
on a particular connection. 

What do folks think?  Can we do this for 3.6?  Are there other security
options we should turn on?  (One that comes to mind is removing the
DES_ONLY bit added to our machine account by older versions of our join)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-spengo-Remove-target-server-principal-from-SPNEGO.patch
Type: text/x-patch
Size: 1311 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-spnego-Don-t-consider-not_defined_in_RFC4178-plea.patch
Type: text/x-patch
Size: 1174 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-libcli-auth-bring-ADS_IGNORE_PRINCIPAL-in-common.patch
Type: text/x-patch
Size: 2546 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-s3-libads-Default-to-NOT-using-the-server-supplied-p.patch
Type: text/x-patch
Size: 3720 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-s3-smbd-Don-t-send-SPNEGO-principal-rfc4178-hint-by-.patch
Type: text/x-patch
Size: 3441 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-s3-client-Use-NTLMv2-by-default-in-the-Samba-client.patch
Type: text/x-patch
Size: 1552 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-s4-client-Use-NTLMv2-by-default-in-the-Samba4-client.patch
Type: text/x-patch
Size: 1042 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0008-s4-tests-Workaround-new-default-of-client-ntlmv2-aut.patch
Type: text/x-patch
Size: 2576 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/c4b49bd8/attachment.pgp>

More information about the samba-technical mailing list