Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)

Andrew Bartlett abartlet at samba.org
Wed Dec 16 23:52:01 UTC 2015


On Wed, 2015-12-16 at 11:37 -0800, Jeremy Allison wrote:
> On Tue, Dec 15, 2015 at 09:37:21PM +0100, Andreas Schneider wrote:
> > On Tuesday 15 December 2015 11:12:27 Jeremy Allison wrote:
> > > On Tue, Dec 15, 2015 at 08:26:50AM +0100, Andreas Schneider
> > > wrote:
> > > > You are aware that Samba with Heimdal Kerberos does RC4 by
> > > > default?
> > > > 
> > > > We fixed several bugs (e.g. wrong saltPrincipal) in the Samba
> > > > source code
> > > > because MIT Kerberos uses AES and Samba was not able to deal
> > > > with it. It
> > > > still fails to do so without patches from my MIT Kerberos work
> > > > in
> > > > progress tree ...
> > > The faster we get that code merged, the happier I will be :-).
> > 
> > You can start to review the code. Nobody reviewed mit_samba and
> > mit-kdb yet 
> > ...
> > 
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc
> 
> I will try and get to this. My problem is I don't have a test
> environment for it, but I can certainly review the raw patches.

I'm very happy to talk you through setting up a test environment.  Just
let me know.

For others playing along at home, I find these things very helpful:

I use libvirt/KVM, so I bind Samba on lo and virbr0:0, an additional
alias of my virbr0 interface.  This keeps Samba off the LAN, and just
facing the virtual machines.

I run BIND9 on my workstation.  I run the BIND9_DLZ, so I set it up
with the instructions in named.txt after provision.  I point
/etc/resolv.conf at 127.0.0.1 and BIND9 at the upstream DNS servers for
recursion.

The main setting is just:
options {
        forwarders {
                upstream_dns_ip;
        };

        forward only;
        listen-on {
                  192.168.252.5;
                  127.0.0.1;
        };
        dnssec-validation no;
};

include "/data/samba/samba4/prefix/private/named.conf";

If I'm testing the internal DNS, I drop the listen from 192.168.252.5
and set:

zone "s4.samba.example.com" {
     type forward;
     forward only;
     forwarders {
               192.168.252.5;
     };
};

BTW, all this requires turning off the dnsmasq that Ubuntu runs via
networkmanager, if you use that.

The rest is really just per the HOWTO - install, provision, run, join
clients.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
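A small check to go with the setup above (example code added here, not from the mail or the Samba project): it parses the listen-on block of a named.conf like the one quoted and flags any address that would put BIND, and with it the BIND9_DLZ-served AD zone, on the LAN rather than only on loopback and the virbr0:0 alias. The 192.168.252.5 address is the one from the mail; the config copy and the LAN address used for comparison are constructed.

```python
import re

# Constructed copy of the options block from the mail (the forwarders
# entry keeps the mail's upstream_dns_ip placeholder; it is not parsed).
NAMED_CONF = """
options {
        forwarders {
                upstream_dns_ip;
        };

        forward only;
        listen-on {
                  192.168.252.5;
                  127.0.0.1;
        };
        dnssec-validation no;
};
"""

# Addresses a lab BIND instance may face: loopback plus the virbr0:0
# alias (assumed value, taken from the listen-on in the mail).
LAB_ADDRESSES = {"127.0.0.1", "192.168.252.5"}

WILDCARDS = ("any", "0.0.0.0", "::")


def listen_on_addresses(conf):
    """Return the address tokens inside options { listen-on { ... }; }."""
    m = re.search(r"options\s*{.*?listen-on\s*(?:port\s+\d+\s*)?{(.*?)}\s*;",
                  conf, re.S)
    if not m:
        return set()  # no listen-on: BIND defaults to every interface
    return {t.strip() for t in m.group(1).split(";") if t.strip()}


def lan_exposure(conf, allowed=LAB_ADDRESSES):
    """List listen-on entries that expose the test DNS beyond the lab set."""
    addrs = listen_on_addresses(conf)
    if not addrs:
        return ["<no listen-on: BIND listens on every interface>"]
    bad = []
    for a in addrs:
        if a in WILDCARDS or (a not in allowed and not a.startswith("!")):
            bad.append(a)  # negated entries (!addr) exclude, so they are fine
    return bad


if __name__ == "__main__":
    print("LAN exposure:", lan_exposure(NAMED_CONF) or "none")
```

Run it against the real /etc/bind/named.conf.options after editing; an empty result means BIND only answers on the lab addresses.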