[PATCH] Change Samba 3.6 and 4 security defaults

Andrew Bartlett abartlet at samba.org
Thu Dec 9 01:48:16 MST 2010


On Sat, 2010-12-04 at 17:20 +1100, Andrew Bartlett wrote:
> I would like to improve Samba's security and conformance to match
> Windows 2008, by:
>  - removing the server-sent SPNEGO principal from the server-side
> reply, 
>  - not honouring it in the client 
>  - using NTLMv2 by default in our client.
> 
> This should match the behaviour of Windows 2008 and Vista for avoiding
> man-in-the-middle attacks relying on swapping of the target principal,
> and the NTLMv2 change slowly moves us on from the very poor
> cryptography of the NTLM era.
> 
> This will change behaviour - some broken configurations where Windows
> does not use Kerberos will now also fall back to NTLMSSP, but as Neil
> reported in his original mail, it will also fix real world
> inconsistencies.
> 
> In terms of unexpected interoperability issues, all these code paths
> should already have been explored with Windows 2008 and Vista clients
> and servers.  Likewise, all these options can be turned back on with
> smb.conf and command line options (see the --option option) if required
> on a particular connection. 
> 
> What do folks think?  Can we do this for 3.6?  Are there other security
> options we should turn on?  (One that comes to mind is removing the
> DES_ONLY bit added to our machine account by older versions of our join)

I'm continuing to test the attached series of patches, which I hope to
have in the tree in the near future.  The revised patches rework a few
matters of detail, build on the parts I've already pushed (the changes
to Samba4) and add documentation. 

Please let me know if you have any comments or objections. 

One question I have is: should we mark the new parameters as deprecated?
I would hope not to need to support the SPNEGO principal at all at some
point in the future (Samba4 now never sends it, for example, and has
always defaulted to not honouring it).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-smbd-Don-t-send-SPNEGO-principal-rfc4178-hint-by-.patch
Type: text/x-patch
Size: 3441 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-libads-Default-to-NOT-using-the-server-supplied-p.patch
Type: text/x-patch
Size: 4328 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-s3-docs-Explain-change-to-NTLMv2-by-default-in-the-c.patch
Type: text/x-patch
Size: 1854 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-s3-docs-Add-docs-for-client-use-spnego-principal-and.patch
Type: text/x-patch
Size: 3740 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s3-client-Use-NTLMv2-by-default-in-the-Samba-client.patch
Type: text/x-patch
Size: 1552 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101209/a9ca4cbb/attachment.pgp>
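For readers checking what the proposed defaults mean for their own configuration, the following smb.conf fragment spells out the three settings the series changes. It is an added illustration, not text from the mail or from the attached patches; the parameter names are taken from the patch titles and from the Samba 3.6 smb.conf(5) manual ("client ntlmv2 auth", "client use spnego principal", "send spnego principal") and should be confirmed against the version actually installed.

```ini
# Added example: smb.conf [global] fragment making the proposed Samba 3.6
# security defaults explicit. Parameter names are assumed from the patch
# titles and the 3.6 manual; verify them with `testparm -v` on your build.
[global]
    # Client side (smbclient, libsmb, winbind): answer NTLMSSP challenges
    # with NTLMv2 instead of LM/NTLM responses.
    client ntlmv2 auth = yes

    # Client side: ignore the target principal the server offers in its
    # SPNEGO negTokenInit and keep using the name we asked for, so a
    # swapped principal cannot redirect the Kerberos exchange.
    client use spnego principal = no

    # Server side (smbd): do not advertise a principal hint in the SPNEGO
    # reply at all, matching Windows 2008 behaviour.
    send spnego principal = no

# To see the effective value of these settings on a running build:
#   testparm -v 2>/dev/null | grep -i -e 'ntlmv2' -e 'spnego principal'
# The mail notes that a single legacy connection can still override a
# client-side default on the command line, for example:
#   smbclient --option='client ntlmv2 auth=no' //legacyhost/share
```

Because the mail proposes these as the new defaults, the fragment is only needed where an administrator wants the choice recorded explicitly or wants to revert one setting for a specific legacy peer; in a configuration that sets nothing, a 3.6 build carrying the series behaves as shown.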