Late security improvements and my work queue
abartlet at samba.org
Mon Jul 3 07:38:34 UTC 2017
On Mon, 2017-07-03 at 08:33 +0200, Stefan Metzmacher wrote:
> Am 03.07.2017 um 06:40 schrieb Andrew Bartlett via samba-technical:
> > On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
> > wrote:
> > > Just a heads-up, that if I ever get free of ldb locking, I want to
> > > try
> > > and:
> > > - enforce a setting of restrict anonymous = 2 on the AD DC
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > I've not managed this one yet, and it can still be set manually.
> No, it's only available on an NT4 DC.
> > > - disable the s3 netlogon server when we are not a DC
> > > - add a way to disable NTLM entirely
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > Attached are patches (without tests yet) for this. Please comment.
> > It should be compatible with FreeIPA's use case, it only changes the
> > default and the FreeIPA server still appears to be a PDC for the
> > schannel case.
> I like the attached patches, please also include the
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> tag for the block ntlm changes. I think if it passes the existing
> tests it would be ok to get into master (and 4.7.0rc1),
> additional test can follow later.
OK, Thanks. Tim and I have prototype tests, but I'll make sure it gets
in tomorrow one way or the other.
> I think we can introduce more advanced options like proposed here:
> But that can be done after 4.7.0rc1.
I'm sure we can work something out. I see we have a mutual desire to
tidy this area up.
I might even have time to look into the restrict anonymous thing, but
the day is short, and the cut-off looms :-)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical