[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)

Andrew Bartlett abartlet at samba.org
Thu Apr 14 06:56:01 UTC 2016


On Thu, 2016-04-14 at 08:35 +0200, Andreas Schneider wrote:
> Hello,
> 
> at least in Samba 3.6 we have 'server signing = false' as the default
> case. With CVE-2016-2115 we have 'client ipc signing = required'. This
> means that Samba clients which try an RPC connection to a PDC will fail
> because the server doesn't support signing!
> 
> Shouldn't we set 'server signing = auto' as the default for all Samba
> versions now?

The issue historically was that some Windows clients would negotiate
signing if it was available, and so slow performance dramatically. 

Therefore almost everywhere it was disabled, and so useless for many
years.

I do think that the 'client ipc signing = required' in non-ADS
situations is a challenging security/functionality tradeoff.  I think
it should always have been required on the DC, no matter if classic or
AD, but many classic DCs were also file servers.

Naturally, without it required in both directions (modern windows
requires it for sysvol and netlogon against an AD DC at least), MITM
attacks in both directions are trivial against SMB, no need for DCE/RPC
wizardry.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
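Added example, not Samba's code and not part of the thread: a small Python audit that resolves the effective 'server signing' and 'client ipc signing' values from an smb.conf (falling back to the defaults the thread names) and predicts whether a Samba client's RPC connection to that server fails, is signed, or runs unsigned. The sample config, the defaults table and the value-spelling table are assumptions; the reader is not Samba's own parser.

```python
# Constructed smb.conf for a classic PDC that leaves 'server signing' at the
# version default ('false' on Samba 3.6, as the thread states).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    domain logons = yes
    ; no 'server signing' line, so the compiled-in default applies
[netlogon]
    path = /var/lib/samba/netlogon
"""

# Defaults as the thread states them: 3.6 ships 'server signing = false',
# and the CVE-2016-2115 fix made 'client ipc signing = required' the default.
DEFAULTS = {"server signing": "false", "client ipc signing": "required"}

# Spellings mapped onto three states (a subset of what Samba accepts; assumption).
STATES = {"false": "disabled", "no": "disabled", "off": "disabled",
          "disabled": "disabled", "auto": "auto", "if_required": "auto",
          "required": "required", "mandatory": "required", "force": "required"}

def parse_smb_conf(text):
    """Minimal [section] / key = value reader (assumes no 'include' lines)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def ipc_outcome(server_signing, client_ipc_signing):
    """Predict a Samba client's RPC (IPC$) connection to this server."""
    s, c = STATES[server_signing.lower()], STATES[client_ipc_signing.lower()]
    if (s, c) in (("disabled", "required"), ("required", "disabled")):
        return "fail"      # one side insists on signing, the other will not sign
    # auto/auto: nothing forces signing, so the session runs unsigned (assumption)
    return "signed" if "required" in (s, c) else "unsigned"

def audit(text, defaults=DEFAULTS):
    g = parse_smb_conf(text).get("global", {})
    server = g.get("server signing", defaults["server signing"])
    client = g.get("client ipc signing", defaults["client ipc signing"])
    outcome = ipc_outcome(server, client)
    is_pdc = g.get("domain logons", "no").lower() in ("yes", "true")
    return {"server signing": server, "client ipc signing": client,
            "outcome": outcome, "pdc_breaks_rpc_clients": is_pdc and outcome == "fail"}
```

Running `audit(SAMPLE_SMB_CONF)` reports "fail" for the sample PDC; adding `server signing = auto` to [global] turns the outcome into "signed", which is the change the thread proposes.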