[REGRESSION] sever signing = default (false) for smbd (with CVE-2016-2115)

Andrew Bartlett abartlet at samba.org
Thu Apr 14 06:56:01 UTC 2016

On Thu, 2016-04-14 at 08:35 +0200, Andreas Schneider wrote:
> Hello,
> at least in Samba 3.6 we have 'server signing = false' as the default
> case. 
> With CVE-2016-2115 we have 'client ipc signing = required'. This
> means that 
> Samba clients which try a RPC connection to a PDC will fail because
> the server 
> doesn't support signing!
> Shouldn't we set 'server singing = auto' as the default for all Samba
> versions 
> now?

The issue historically was that some Windows clients would negotiate
signing if it was available, and so slow performance dramatically. 

Therefore almost everywhere it was disabled, and so useless for many

I do think that the 'client ipc signing = required' in non-ADS
situations is a challenging security/functionality tradeoff.  I think
it should always have been required on the DC, no matter if classic or
AD, but many classic DCs were also file servers.

Naturally, without it required in both directions (modern windows
requires it for sysvol and netlogon against an AD DC at least), MITM
attacks in both directions are trivial against SMB, no need for DCE/RPC

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list