Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)

Jeremy Allison jra at samba.org
Thu Dec 17 02:41:41 UTC 2015


On Thu, Dec 17, 2015 at 12:52:01PM +1300, Andrew Bartlett wrote:
> On Wed, 2015-12-16 at 11:37 -0800, Jeremy Allison wrote:
> > On Tue, Dec 15, 2015 at 09:37:21PM +0100, Andreas Schneider wrote:
> > > On Tuesday 15 December 2015 11:12:27 Jeremy Allison wrote:
> > > > > On Tue, Dec 15, 2015 at 08:26:50AM +0100, Andreas Schneider wrote:
> > > > > > You are aware that Samba with Heimdal Kerberos does RC4 by default?
> > > > > > 
> > > > > > We fixed several bugs (e.g. wrong saltPrincipal) in the Samba source code
> > > > > > because MIT Kerberos uses AES and Samba was not able to deal with it. It
> > > > > > still fails to do so without patches from my MIT Kerberos work in
> > > > > > progress tree ...
> > > > The faster we get that code merged, the happier I will be :-).
> > > 
> > > > You can start to review the code. Nobody reviewed mit_samba and mit-kdb yet ...
> > > > 
> > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc
> > 
> > I will try and get to this. My problem is I don't have a test
> > environment for it, but I can certainly review the raw patches.
> 
> I'm very happy to talk you through setting up a test environment.  Just
> let me know.

Home sick with bronchitis at the moment, but just wanted
to say I really appreciate the offer and will take you
up on this as soon as my brain starts working again (might
be after Christmas though :-).


