[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)

Andrew Bartlett abartlet at samba.org
Thu Apr 14 07:33:30 UTC 2016


On Thu, 2016-04-14 at 09:27 +0200, Stefan Metzmacher wrote:
> Am 14.04.2016 um 08:56 schrieb Andrew Bartlett:
> > On Thu, 2016-04-14 at 08:35 +0200, Andreas Schneider wrote:
> > > Hello,
> > > 
> > > at least in Samba 3.6 we have 'server signing = false' as the
> > > default case.
> > > With CVE-2016-2115 we have 'client ipc signing = required'. This
> > > means that Samba clients which try a RPC connection to a PDC will
> > > fail because the server doesn't support signing!
> > > 
> > > Shouldn't we set 'server signing = auto' as the default for all
> > > Samba versions now?
> > 
> > The issue historically was that some Windows clients would
> > negotiate signing if it was available, and so slow performance
> > dramatically.
> > 
> > Therefore almost everywhere it was disabled, and so useless for
> > many years.
> > 
> > I do think that the 'client ipc signing = required' in non-ADS
> > situations is a challenging security/functionality tradeoff.  I
> > think it should always have been required on the DC, no matter if
> > classic or AD, but many classic DCs were also file servers.
> 
> It is only a problem with 3.6 and older, where we didn't implement
> the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic.
> 
> With that logic in place client side required signing is always
> possible, similar to the SMB2 situation.
> 
> If you want to avoid changing the smb.conf for 3.6 DCs or members
> you need to implement FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED on
> client and server.
> 
> I'm not sure in which Windows versions this got implemented, but
> I guess all supported versions support
> FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.

Thanks.  We really should push for folks running 3.6 as a DC to upgrade
to 4.x as a classic DC.

That new joins fail without an smb.conf option is a reasonable nudge in
that case, once we get a few cases folks can find with google.

The irony is with the backported 3.6 not being able to join itself, but
that is life on the trailing edge :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
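The interaction the thread describes (a client with 'client ipc signing = required' against a server whose 'server signing' is disabled, with or without the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED handling) as an added model in Python; this is not Samba code, the flag and SecurityMode bit values are taken from MS-CIFS/MS-SMB, and the server behaviour for each policy is an assumption based on the thread, not on smbd source.

```python
# Added model of SMB1 signing negotiation for the cases discussed in the thread.
# Bit values from MS-CIFS / MS-SMB (header Flags2 and NEGOTIATE response SecurityMode).
FLAGS2_SMB_SECURITY_SIGNATURES = 0x0004
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED = 0x0010
NEGOTIATE_SECURITY_SIGNATURES_ENABLED = 0x04
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED = 0x08


def client_flags2(client_policy):
    """Flags2 bits the client sets in its NEGOTIATE request (model, not smbclient code)."""
    bits = {
        "disabled": 0,
        "auto": FLAGS2_SMB_SECURITY_SIGNATURES,
        "required": FLAGS2_SMB_SECURITY_SIGNATURES | FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED,
    }
    return bits[client_policy]


def server_security_mode(server_policy, flags2, honours_required_flag):
    """SecurityMode the server answers with. A 3.6-style server (honours_required_flag=False)
    ignores the client's REQUIRED bit; a server with the FLAGS2 logic (assumption from the
    thread: 'client side required signing is always possible') enables signing on request."""
    client_requires = bool(flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED)
    if server_policy == "mandatory":
        return NEGOTIATE_SECURITY_SIGNATURES_ENABLED | NEGOTIATE_SECURITY_SIGNATURES_REQUIRED
    if server_policy == "auto":
        return NEGOTIATE_SECURITY_SIGNATURES_ENABLED
    if server_policy == "disabled":
        if honours_required_flag and client_requires:
            return NEGOTIATE_SECURITY_SIGNATURES_ENABLED | NEGOTIATE_SECURITY_SIGNATURES_REQUIRED
        return 0
    raise ValueError(server_policy)


def outcome(client_policy, server_policy, honours_required_flag=True):
    """Returns 'signed', 'unsigned' or 'fail' for a client/server policy pair."""
    flags2 = client_flags2(client_policy)
    mode = server_security_mode(server_policy, flags2, honours_required_flag)
    server_enabled = bool(mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
    server_requires = bool(mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
    if client_policy == "required" and not server_enabled:
        return "fail"      # the CVE-2016-2115 regression against a 3.6 PDC
    if client_policy == "disabled" and server_requires:
        return "fail"
    if server_requires or (client_policy != "disabled" and server_enabled):
        return "signed"
    return "unsigned"
```

The "required against disabled" row flips from fail to signed only when the server honours the client's REQUIRED flag, which is why 3.6 needs 'server signing = auto' while newer servers do not.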