Late security improvements and my work queue

Andrew Bartlett abartlet at samba.org
Mon Jul 3 07:38:34 UTC 2017


On Mon, 2017-07-03 at 08:33 +0200, Stefan Metzmacher wrote:
> On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> > On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
> > wrote:
> > > Just a heads-up, that if I ever get free of ldb locking, I want to
> > > try and:
> > >  - enforce a setting of restrict anonymous = 2 on the AD DC
> > >    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > 
> > I've not managed this one yet, and it can still be set manually.
> 
> No, it's only available on an NT4 DC.
> 
> > >  - disable the s3 netlogon server when we are not a DC
> > >  - add a way to disable NTLM entirely
> > >    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > 
> > Attached are patches (without tests yet) for this.  Please comment.
> > 
> > It should be compatible with FreeIPA's use case, it only changes the
> > default and the FreeIPA server still appears to be a PDC for the
> > schannel case.
> 
> I like the attached patches, please also include the
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> tag for the block ntlm changes. I think if it passes the existing
> tests it would be ok to get into master (and 4.7.0rc1),
> additional tests can follow later.

OK, thanks.  Tim and I have prototype tests, but I'll make sure it gets
in tomorrow one way or the other.

> I think we can introduce more advanced options like proposed here:
> https://bugzilla.samba.org/show_bug.cgi?id=11923#c10
> But that can be done after 4.7.0rc1.

I'm sure we can work something out.  I see we have a mutual desire to
tidy this area up.

I might even have time to look into the restrict anonymous thing, but
the day is short, and the cut-off looms :-)

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba