[Samba] NTLMSSP Sign/Seal - using NTLM1

Vincent techburgher at gmail.com
Fri Aug 25 19:07:30 UTC 2023


Could CVE-2022-38023 be impacting this issue (
https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25)?
Samba version 4.7.12 is in use, and per the Samba advisory on this issue (
https://www.samba.org/samba/security/CVE-2022-38023.html), a change to
smb.conf was made:

   server schannel require seal = yes        # the default

This configuration option is not supported within 4.7.12.


On Thu, Aug 24, 2023 at 10:32 AM Vincent <techburgher at gmail.com> wrote:

> So, curiously, it *appears* the following may have sped up the mount:
>
>    - Manually modified the smb.conf file, where the following changes were
>      made: Added:
>       - client NTLMv2 auth = yes
>       - client min protocol = SMB2_02
>    - From a Linux client, performed a cifs mount, forcing the following
>      parameters (ntlmssp,vers=3.0)
>
> Unfortunately, connections from a Windows client are still slow. I am not
> sure if it is possible to make a comparable "mount", from Windows, similar
> to the one performed on the Linux client.
>
> On Tue, Jul 11, 2023 at 3:49 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>>
>>
>> On 10/07/2023 22:15, Vincent via samba wrote:
>> > Samba is running on SUSE Linux Enterprise High Performance Computing,
>> > kernel 5.3.18-22-default.
>> >
>> > Yes, it is a domain member, but there are no ancillary services of which I
>> > am aware.
>> >
>> > The smb.conf is as follows:
>> >
>> > [global]
>> >          clustering = Yes
>> >          getwd cache = No
>> >          kernel change notify = No
>> >          max log size = 100000
>> >          netbios name = TEST-SMB
>> >          realm = TEST.COM
>> >          security = ADS
>> >          server min protocol = SMB2_02
>> >          server string = "TEST-SMB"
>> >          workgroup = TESTNET
>> >          idmap config * : range = 4290000001-4291000000
>> >          idmap config abbvienet : unix_nss_info = yes
>> >          idmap config abbvienet : unix_primary_group = yes
>> >          idmap config abbvienet : schema_mode = rfc2307
>> >          idmap config abbvienet : range = 0-4290000000
>> >          idmap config abbvienet : backend = ad
>> >          idmap config * : backend = autorid
>> >          allocation roundup size = 0
>> >          kernel share modes = No
>> >          posix locking = No
>> >          read only = No
>> >          veto files = /.snapshots/
>> >
>>
>> Is this part of a cluster ?
>> If it is, I would have expected to see more 'cluster' related
>> parameters, but I am no cluster expert.
>>
>> Is the workgroup actually 'TESTNET', or is that just a placeholder for
>> 'ABBVINET' ?
>> If your workgroup is really 'ABBVINET', then why are you using both the
>> 'autorid' and 'ad' idmap backends ?
>>
>> If you only want to use the SMBv2 protocol as a minimum, I would also
>> set 'client min protocol = SMB2_02', with that set, SMBv1 will not be
>> used.
>>
>> Rowland
>>
>
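
Added example (not part of the original thread, and not Samba project code): a small Python audit of the [global] settings this thread discusses, applying the SMB2_02 floor suggested in the quoted reply. The function names, the dialect table and the sample input are constructed for illustration.

```python
import re

# Dialect names, weakest first; NT1 and below are SMB1 (assumed list, not exhaustive).
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
TRUE = {"yes", "true", "on", "1"}

def norm(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Grade the settings named in the thread as ok, weak or unset."""
    p, report = parse_global(text), {}
    floor = DIALECTS.index("SMB2_02")
    for opt in ("server min protocol", "client min protocol"):
        val = p.get(norm(opt), "").upper()
        val = ALIASES.get(val, val)
        # Unset means the build's default applies; unknown names grade as weak.
        report[opt] = ("unset" if not val else "ok"
                       if val in DIALECTS and DIALECTS.index(val) >= floor else "weak")
    ntlm = p.get(norm("client NTLMv2 auth"), "").lower()
    report["client NTLMv2 auth"] = "unset" if not ntlm else "ok" if ntlm in TRUE else "weak"
    return report

# Constructed sample: abridged [global] section as first posted in the thread.
POSTED = """[global]
    security = ADS
    server min protocol = SMB2_02
"""
# Constructed sample: the same section after the two additions reported later.
EDITED = POSTED + "    Client NTLMv2 Auth = Yes\n    clientminprotocol = SMB2_02\n"

print(audit(POSTED), audit(EDITED), sep="\n")
```

A result of "unset" means the value comes from the installed version's default, which should be confirmed against that version's smb.conf manual page.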

