Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)
Andreas Schneider
asn at samba.org
Thu Dec 17 05:38:19 UTC 2015
On Wednesday 16 December 2015 18:41:41 Jeremy Allison wrote:
> On Thu, Dec 17, 2015 at 12:52:01PM +1300, Andrew Bartlett wrote:
> > On Wed, 2015-12-16 at 11:37 -0800, Jeremy Allison wrote:
> > > On Tue, Dec 15, 2015 at 09:37:21PM +0100, Andreas Schneider wrote:
> > > > On Tuesday 15 December 2015 11:12:27 Jeremy Allison wrote:
> > > > > On Tue, Dec 15, 2015 at 08:26:50AM +0100, Andreas Schneider
> > > > >
> > > > > wrote:
> > > > > > You are aware that Samba with Heimdal Kerberos does RC4 by
> > > > > > default?
> > > > > >
> > > > > > We fixed serveral bugs (e.g. wrong saltPrincipal) in the Samba
> > > > > > source code
> > > > > > because MIT Kerberos uses AES and Samba was not able to deal
> > > > > > with it. It
> > > > > > still fails to do so without patches from my MIT Kerberos work
> > > > > > in
> > > > > > progress tree ...
> > > > >
> > > > > The faster we get that code merged, the happier I will be :-).
> > > >
> > > > You can start to review the code. Nobody reviewed mit_samba and
> > > > mit-kdb yet
> > > > ...
> > > >
> > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/mast
> > > > er-mit-kdc
> > >
> > > I will try and get to this. My problem is I don't have a test
> > > environment for it, but I can certainly review the raw patches.
> >
> > I'm very happy to talk you through setting up a test environment. Just
> > let me know.
>
> Home sick with bronchitis at the moment, but just wanted
> to say I really appreciate the offer and will take you
> up on this as soon as my brain starts working again (might
> be after Christmas though :-).
'make testenv'
and you have a terminal for some fun :)
I haven't run 'make test' for quite a while but the last time all tests passed
...
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list