Late security improvements and my work queue
metze at samba.org
Mon Jul 3 06:33:40 UTC 2017
On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
>> Just a heads-up, that if I ever get free of ldb locking, I want to
>> - enforce a setting of restrict anonymous = 2 on the AD DC
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> I've not managed this one yet, and it can still be set manually.
No, it's only available on an NT4 DC.
>> - disable the s3 netlogon server when we are not a DC
>> - add a way to disable NTLM entirely
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> Attached are patches (without tests yet) for this. Please comment.
> It should be compatible with FreeIPA's use case, it only changes the
> default and the FreeIPA server still appears to be a PDC for the
> schannel case.
I like the attached patches, please also include the
tag for the block ntlm changes. I think if it passes the existing
tests it would be ok to get into master (and 4.7.0rc1),
additional tests can follow later.
I think we can introduce more advanced options like proposed here:
But that can be done after 4.7.0rc1.