[Samba] NTLMSSP Sign/Seal - using NTLM1
techburgher at gmail.com
Fri Aug 25 19:07:30 UTC 2023
Could CVE-2022-38023 be impacting this issue (
Samba version 4.7.12 is in use, and per the Samba advisory on this issue (
https://www.samba.org/samba/security/CVE-2022-38023.html), a change to
smb.conf was made:
server schannel require seal = yes # the default
This configuration option is not supported within 4.7.12.
On Thu, Aug 24, 2023 at 10:32 AM Vincent <techburgher at gmail.com> wrote:
> So, curiously, it *appears* the following may have sped up the mount:
> Manually modified the smb.conf file, where the following changes were
> made: Added:
> client NTLMv2 auth = yes
> client min protocol = SMB2_02
> From a Linux client, performed a cifs mount, forcing the following
> parameters (ntlmssp,vers=3.0)
> Unfortunately, connections from a Windows client are still slow. I am not
> sure if it is possible to make a comparable "mount", from Windows, similar
> to the one performed on the Linux client.
> On Tue, Jul 11, 2023 at 3:49 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>> On 10/07/2023 22:15, Vincent via samba wrote:
>> > Samba is running on SUSE Linux Enterprise High Performance Computing,
>> > kernel 5.3.18-22-default.
>> > Yes, it is a domain member, but there are no ancillary services of which I
>> > am aware.
>> > The smb.conf is as follows:
>> > [global]
>> > clustering = Yes
>> > getwd cache = No
>> > kernel change notify = No
>> > max log size = 100000
>> > netbios name = TEST-SMB
>> > realm = TEST.COM
>> > security = ADS
>> > server min protocol = SMB2_02
>> > server string = "TEST-SMB"
>> > workgroup = TESTNET
>> > idmap config * : range = 4290000001-4291000000
>> > idmap config abbvienet : unix_nss_info = yes
>> > idmap config abbvienet : unix_primary_group = yes
>> > idmap config abbvienet : schema_mode = rfc2307
>> > idmap config abbvienet : range = 0-4290000000
>> > idmap config abbvienet : backend = ad
>> > idmap config * : backend = autorid
>> > allocation roundup size = 0
>> > kernel share modes = No
>> > posix locking = No
>> > read only = No
>> > veto files = /.snapshots/
>> Is this part of a cluster ?
>> If it is, I would have expected to see more 'cluster' related
>> parameters, but I am no cluster expert.
>> Is the workgroup actually 'TESTNET', or is that just a placeholder for
>> 'ABBVINET' ?
>> If your workgroup is really 'ABBVINET', then why are you using both the
>> 'autorid' and 'ad' idmap backends ?
>> If you only want to use the SMBv2 protocol as a minimum, I would also
>> set 'client min protocol = SMB2_02', with that set, SMBv1 will not be