Samba Netlogon 128bit
Ben Christenbury (FEDERAL)
benchri at microsoft.com
Wed Nov 4 08:01:14 MST 2009
Please excuse the interruption of your day to this massive list but I have a technical follow-up to the posting below.
My question is which distribution, currently available or planned, our mutual customer could use that would support 138bit encryption for Netlogon to establish a secure channel for Samba servers that are members of a Windows 2008 domain. Note that, as posted on the Samba support webpages below, the Windows domain must downgrade to NT crypto (<128bit) in order to allow Samba servers to join the domain. Please note that in the Federal practice which I serve, DISA and NIST prohibit this, so the Microsoft-recommended solution is to upgrade Samba to a version that meets this requirement. Since this request comes to us frequently as all federal agencies scramble to meet these requirements, I would like to document which versions meet this requirement.
Thanks in advance for your time and consideration of this request.
On Wed, 2008-01-23 at 13:21 -0800, Jeremy Allison wrote:
> On Wed, Jan 23, 2008 at 01:16:36PM -0800, Matt Geddes wrote:
> > On Jan 23, 2008 12:59 PM, Jeremy Allison <jra at samba.org> wrote:
> >
> > > This looks good to me. I'm forward porting to 3.2.x and
> > > Jerry has promised to test (I'm in OOXML-hell right now :-).
> >
> > No problems. Apologies for it being against an older sourcebase, but
> > the patch should apply pretty cleanly to 3.2.x.
> >
> > Incidentally, looking at the neg_flags vs 2K8 problems that have been
> > floating around, there's a new registry entry in Windows 2008 Server
> > that causes lsass.exe to skip the check it does for
> > NETLOGON_NEG_128BIT. Set the following to a non-zero value on the DCs
> > and stop/start netlogon and you can join NT 4 and Samba 3 without any
> > of those pesky NetrServerAuthenticate2-returning-0xc0000388 problems:
> >
> > HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\AllowNT4Crypto
> >
> > It's a 32-bit DWORD.
>
> Thanks for that, but we'll just ensure we do the 128bit crypto :-).
It's still probably worth documenting for people that have to use older
versions of samba for a while.
Thanks Matt.

Yep. For those early adopters that'll install 2K8 when released, but
still use some distro-packaged version of Samba from 18 months ago.
Simo.

Do you have enough info to document it, or is there something more I
can grab for you? Did you want me to scribble something down or create
a .reg file or something?
thx,
Matt

It would be useful if you had time to create a patch against our docs,
that state what we discussed, including the fact this will be fixed and
unnecessary for 3.2.x
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
Ben Christenbury
MICROSOFT DSE Federal Civilian Enterprise Services
This E-mail and any of its attachments may contain Microsoft proprietary information, which is privileged, confidential, or subject to copyright belonging to Microsoft Corporation. This E-mail is intended solely for the internal use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
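The quoted thread names the AllowNT4Crypto registry value that makes a Windows 2008 DC stop requiring NETLOGON_NEG_128BIT on the secure channel, and the question above is about getting back to the hardened state once Samba members support 128-bit crypto. The following PowerShell is an added example, not code from the thread, from Samba, or from Microsoft: it audits a DC for that value and, once the domain members have been upgraded, sets it back to 0 and restarts Netlogon. The function names are this example's own; it assumes an elevated PowerShell session on the DC, and only the registry path and the DWORD type come from the thread.

```powershell
# Added example (not from the thread): audit a Windows 2008 DC for the
# AllowNT4Crypto downgrade switch and, after members are upgraded, remove it.
# Run in an elevated PowerShell session on the DC. Function names are this
# example's own, not a Microsoft or Samba API.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'AllowNT4Crypto'

function Get-NT4CryptoState {
    # Reports whether the DC currently accepts secure-channel setups that
    # lack NETLOGON_NEG_128BIT (value present and non-zero = downgrade allowed).
    $item = Get-ItemProperty -Path $NetlogonParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null                      # value absent: default (128-bit required)
    } else {
        $value = [int]$item.$ValueName      # 32-bit DWORD, per the thread
    }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Value             = $value
        WeakCryptoAllowed = ($null -ne $value -and $value -ne 0)
    }
}

function Disable-NT4Crypto {
    # Sets the value back to 0 (hardened state: 128-bit secure channel
    # required) and restarts Netlogon so lsass.exe re-reads the setting.
    # Only do this after every Samba/NT4 member has been upgraded, or those
    # members will fail NetrServerAuthenticate2 again.
    if (-not (Test-Path $NetlogonParams)) {
        throw "Netlogon parameters key not found; is this a domain controller?"
    }
    Set-ItemProperty -Path $NetlogonParams -Name $ValueName -Value 0 -Type DWord
    Restart-Service -Name Netlogon -Force
    Get-NT4CryptoState
}

# Audit only; call Disable-NT4Crypto explicitly when ready to re-harden.
$state = Get-NT4CryptoState
if ($state.WeakCryptoAllowed) {
    $msg = '{0}: {1}={2}; secure channels without 128-bit crypto are accepted. Upgrade domain members first, then run Disable-NT4Crypto.' -f $state.Computer, $ValueName, $state.Value
    Write-Warning $msg
} else {
    $msg = '{0}: {1} absent or 0; 128-bit Netlogon secure channel enforced.' -f $state.Computer, $ValueName
    Write-Output $msg
}
```

The audit half is safe to run on every DC as part of a compliance sweep; the remediation half is deliberately a separate function so that the downgrade is not removed while unsupported members still depend on it.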