Late security improvements and my work queue

Andrew Bartlett abartlet at samba.org
Tue Jul 4 02:19:24 UTC 2017


On Mon, 2017-07-03 at 21:26 +1200, Andrew Bartlett via samba-technical wrote:
> On Mon, 2017-07-03 at 19:38 +1200, Andrew Bartlett via samba-technical wrote:
> > On Mon, 2017-07-03 at 08:33 +0200, Stefan Metzmacher wrote:
> > > On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> > > > On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical wrote:
> > > > > Just a heads-up, that if I ever get free of ldb locking, I want to try and:
> > > > >  - enforce a setting of restrict anonymous = 2 on the AD DC
> > > > >    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > > > 
> > > > I've not managed this one yet, and it can still be set
> > > > manually.
> > > 
> > > No, it's only available on an NT4 DC.
> > > 
> > > > >  - disable the s3 netlogon server when we are not a DC
> > > > >  - add a way to disable NTLM entirely
> > > > >    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > > > 
> > > > Attached are patches (without tests yet) for this.  Please comment.
> > > > 
> > > > It should be compatible with FreeIPA's use case, it only changes the
> > > > default and the FreeIPA server still appears to be a PDC for the
> > > > schannel case.
> > > 
> > > I like the attached patches, please also include the
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > > tag for the block ntlm changes. I think if it passes the existing
> > > tests it would be ok to get into master (and 4.7.0rc1),
> > > additional test can follow later.
> > 
> > OK, Thanks.  Tim and I have prototype tests, but I'll make sure it
> > gets in tomorrow one way or the other.
> 
> It just passed 3/3 private autobuild runs in the Catalyst Cloud, so
> I'll tidy up tomorrow, and get it in, ideally with a test or three :-)

It has been pushed to master, with 3 tests:
 - disabling netlogon works as expected (it didn't in the previous patches)
 - the mschapv2 options work as expected
 - that ntlm auth = disabled works as expected.

This is in Garming's autobuild now.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
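The thread names two smb.conf settings that harden authentication: `ntlm auth = disabled` (the new value added by these patches) and `restrict anonymous = 2` on an AD DC. The following is an added example, not Samba code and not the patches discussed above: a small Python audit that reads an smb.conf and reports when either setting is weaker than that target. It assumes (my assumptions, not stated in the thread) a Samba 4.7 or later server, on which `ntlm auth` accepts `ntlmv2-only` (the default), `ntlmv1-permitted`, `mschapv2-and-ntlmv2-only` and `disabled`, with the older boolean spellings `yes`/`no` meaning `ntlmv1-permitted`/`ntlmv2-only`, and `restrict anonymous` taking 0 (default), 1 or 2. The two sample configurations at the bottom are constructed for the example.

```python
"""Audit an smb.conf [global] section for the two hardening settings
discussed in the thread: 'ntlm auth = disabled' and 'restrict anonymous = 2'.

Added example, not Samba code.  Assumptions (mine): Samba 4.7+ semantics
for 'ntlm auth' (ntlmv2-only default; ntlmv1-permitted; mschapv2-and-ntlmv2-only;
disabled; old boolean yes/no = ntlmv1-permitted/ntlmv2-only) and
'restrict anonymous' in 0..2 with default 0.
"""
import configparser
import re


def normalise(key: str) -> str:
    # Samba matches parameter names ignoring case and embedded whitespace,
    # so "NTLM Auth" and "ntlmauth" name the same parameter.
    return re.sub(r"\s+", "", key).lower()


def load_global(conf_text: str) -> dict:
    """Return the [global] section as {normalised name: value}."""
    cp = configparser.RawConfigParser(strict=False,
                                      inline_comment_prefixes=(";", "#"))
    cp.optionxform = normalise          # apply Samba's name matching
    cp.read_string(conf_text)
    return dict(cp["global"]) if cp.has_section("global") else {}


# Old boolean spellings of 'ntlm auth' mapped onto the named values.
NTLM_AUTH_ALIASES = {"yes": "ntlmv1-permitted", "true": "ntlmv1-permitted",
                     "no": "ntlmv2-only", "false": "ntlmv2-only"}


def audit(conf_text: str, ad_dc: bool) -> list:
    """Return (parameter, effective value, advice) triples for every
    setting weaker than the thread's target configuration."""
    g = load_global(conf_text)
    findings = []

    ntlm = g.get("ntlmauth", "ntlmv2-only").strip().lower()   # assumed default
    ntlm = NTLM_AUTH_ALIASES.get(ntlm, ntlm)
    if ntlm == "ntlmv1-permitted":
        findings.append(("ntlm auth", ntlm,
                         "NTLMv1 is accepted; set 'ntlm auth = disabled' "
                         "(or at least ntlmv2-only)"))
    elif ntlm != "disabled":
        findings.append(("ntlm auth", ntlm,
                         "NTLM still offered; set 'ntlm auth = disabled' "
                         "once every client can use Kerberos"))

    raw = g.get("restrictanonymous", "0").strip()   # assumed default 0
    level = int(raw) if raw.isdigit() else 0
    if ad_dc and level < 2:
        findings.append(("restrict anonymous", str(level),
                         "set 'restrict anonymous = 2' on an AD DC"))
    return findings


# Constructed sample configurations (not from the thread).
WEAK_CONF = """
[global]
    workgroup = SAMDOM
    server role = active directory domain controller
    ntlm auth = yes            ; old boolean spelling: NTLMv1 permitted

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
"""

HARDENED_CONF = """
[global]
    workgroup = SAMDOM
    server role = active directory domain controller
    NTLM Auth = disabled       # names are case- and space-insensitive
    restrict anonymous = 2
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for param, value, advice in audit(conf, ad_dc=True) or [("-", "-", "no findings")]:
            print(f"  {param} = {value}: {advice}")
```

Run it against a real smb.conf by passing the file contents to `audit()`; `ad_dc=False` skips the `restrict anonymous` check, since the thread only proposes enforcing that value on the AD DC.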