Late security improvements and my work queue
Stefan Metzmacher
metze at samba.org
Mon Jul 3 06:33:40 UTC 2017
On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
> wrote:
>> Just a heads-up, that if I ever get free of ldb locking, I want to try
>> and:
>> - enforce a setting of restrict anonymous = 2 on the AD DC
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
>
> I've not managed this one yet, and it can still be set manually.
No, it's only available on an NT4 DC.
>> - disable the s3 netlogon server when we are not a DC
>> - add a way to disable NTLM entirely
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
>
> Attached are patches (without tests yet) for this. Please comment.
>
> It should be compatible with FreeIPA's use case, it only changes the
> default and the FreeIPA server still appears to be a PDC for the
> schannel case.
I like the attached patches, please also include the
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
tag for the block ntlm changes. I think if it passes the existing
tests it would be ok to get into master (and 4.7.0rc1),
additional tests can follow later.
I think we can introduce more advanced options like proposed here:
https://bugzilla.samba.org/show_bug.cgi?id=11923#c10
But that can be done after 4.7.0rc1.
metze