[PATCH] Change Samba 3.6 and 4 security defaults

Andrew Bartlett abartlet at samba.org
Fri Dec 10 01:57:15 MST 2010

On Thu, 2010-12-09 at 19:48 +1100, Andrew Bartlett wrote:
> On Sat, 2010-12-04 at 17:20 +1100, Andrew Bartlett wrote:
> > I would like to improve Samba's security and conformance to match
> > Windows 2008, by:
> >  - removing the server-sent SPNEGO principal from the server-side
> > reply, 
> >  - not honouring it in the client 
> >  - using NTLMv2 by default in our client.
> > 
> > This should match the behaviour of Windows 2008 and Vista for avoiding
> > man-in-the-middle attacks relying on swapping of the target principal,
> > and in the NTLMv2 change it slowly moves us on from the very poor
> > cryptography of the NTLM era.
> > 
> > This will change behaviour - some broken configurations where Windows
> > does not use Kerberos will now also fall back to NTLMSSP, but as Neil
> > reported in his original mail, it will also fix real world
> > inconsistencies.  
> > 
> > In terms of unexpected interoperability issues, all these code paths
> > should already have been explored with Windows 2008 and Vista clients
> > and servers.  Likewise, all these options can be turned back on with
> > smb.conf and command line options (see the --option option) if required
> > on a particular connection. 
> > 
> > What do folks think?  Can we do this for 3.6?  Are there other security
> > options we should turn on?  (One that comes to mind is removing the
> > DES_ONLY bit added to our machine account by older versions of our join)
> I'm continuing to test the attached series of patches, which I hope to
> have in the tree in the near future.  The revised patches rework a few
> matters of detail, build on the parts I've already pushed (the changes
> to Samba4) and add documentation. 
> Please let me know if you have any comments or objections. 
> One question I have is: should we mark the new parameters as deprecated?
> I would hope not to need to support the SPNEGO principal at all at some
> point in the future (Samba4 now never sends it, for example, and has
> always defaulted to not honouring it). 

After positive feedback from Jeremy on IRC and a request from GD that I
improve the 'guess server principal name' codepath (it needed work, and
I've done that work), I've pushed these. 

This may still change things that I've not yet tested or considered, so
I'll wait until after the weekend to merge to 3.6. 


Thanks for suggesting this.  This is a good time to improve these
defaults.  We can also consider the SPNEGO server patch for 3.5 if you
like.  If so, check the patch applies and works, give it the opposite
default and file a bug in bugzilla.  That will start the process for
changes in the 3.5 series. 

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.