[Samba] Hardened UNC Paths, Badlock, encryption defaults?
Klaus Hartnegg
hartnegg at uni-freiburg.de
Sun Jun 12 17:25:40 UTC 2016
Hi,
Microsoft some time ago introduced Hardened UNC Paths, and in April
published the Badlock security fixes, which seem to be related to that.
Samba at the same time published versions 4.4.1 (and 4.4.2).
Even after reading the release notes of Samba 4.4.1 several times, I
still do not know whether I must manually adjust smb.conf to be
protected from these vulnerabilities.
What I do know is that Windows 10 cannot access the Netlogon share of
samba-4.4.3 running as NT4-DC, unless I disable
RequireMutualAuthentication and RequireIntegrity on the clients.
Is this the way it is intended to work, or should Samba with activated
Badlock patches provide Authentication and Integrity?
Would this configuration also work with older Windows clients (mostly
Win7, but one has to be XP for a few more weeks)?
Is there a difference in UNC hardening and Badlock patches when Samba
runs as NT4-PDC compared with running as AD-DC?
And probably related: can the connection from Windows to Samba be fully
encrypted? I suspect this requires at least Windows 8 and Samba 4.4.2,
right?
Must Samba be running as AD-DC?
Is full encryption default in that combination?
If not, what must be done to activate it? Same as for activating Badlock
protection?
Klaus