Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)
Andrew Bartlett
abartlet at samba.org
Wed Dec 16 23:52:01 UTC 2015
On Wed, 2015-12-16 at 11:37 -0800, Jeremy Allison wrote:
> On Tue, Dec 15, 2015 at 09:37:21PM +0100, Andreas Schneider wrote:
> > On Tuesday 15 December 2015 11:12:27 Jeremy Allison wrote:
> > > On Tue, Dec 15, 2015 at 08:26:50AM +0100, Andreas Schneider
> > > wrote:
> > > > You are aware that Samba with Heimdal Kerberos does RC4 by
> > > > default?
> > > >
> > > > We fixed several bugs (e.g. wrong saltPrincipal) in the Samba
> > > > source code because MIT Kerberos uses AES and Samba was not able
> > > > to deal with it. It still fails to do so without patches from my
> > > > MIT Kerberos work in progress tree ...
> > > The faster we get that code merged, the happier I will be :-).
> >
> > You can start to review the code. Nobody reviewed mit_samba and
> > mit-kdb yet
> > ...
> >
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-mit-kdc
>
> I will try and get to this. My problem is I don't have a test
> environment for it, but I can certainly review the raw patches.
I'm very happy to talk you through setting up a test environment. Just
let me know.
For others playing along at home, I find these things very helpful:
I use libvirt/KVM, so I bind Samba on lo and virbr0:0, an additional
alias of my virbr0 interface. This keeps Samba off the LAN, and just
facing the virtual machines.
I run BIND9 on my workstation. I run the BIND9_DLZ, so I set it up
with the instructions in named.txt after provision. I point
/etc/resolv.conf at 127.0.0.1 and BIND9 at the upstream DNS servers for
recursion.
The main setting is just:
options {
        forwarders {
                upstream_dns_ip;
        };
        forward only;
        listen-on {
                192.168.252.5;
                127.0.0.1;
        };
        dnssec-validation no;
};
include "/data/samba/samba4/prefix/private/named.conf";
If I'm testing the internal DNS, I drop the listen from 192.168.252.5
and set:
zone "s4.samba.example.com" {
        type forward;
        forward only;
        forwarders {
                192.168.252.5;
        };
};
BTW, All this requires turning off the dnsmasq that Ubuntu runs via
networkmanager, if you use that.
The rest is really just per the HOWTO - install, provision, run, join
clients.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
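The workstation setup Andrew describes, as an added example that is not part of the original post or of Samba itself: a small POSIX shell script that emits the named.conf for either of the two modes above (BIND9_DLZ, or forwarding the AD zone to Samba's internal DNS), checks that /etc/resolv.conf really does point at 127.0.0.1 first, and checks whether NetworkManager is still configured to run dnsmasq. The zone name s4.samba.example.com, the DC address 192.168.252.5 on the virbr0:0 alias, the Samba prefix /data/samba/samba4/prefix, and the assumption that the DLZ include is dropped in internal-DNS mode are taken from or inferred from the message; anything else (file names under /etc, the `apply` mode) is this example's own choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the two
# named.conf variants and checks the local resolver setup.
# Assumed values (from the message): zone s4.samba.example.com, Samba DC
# on 192.168.252.5 (virbr0:0), Samba prefix /data/samba/samba4/prefix.

SAMBA_IP=${SAMBA_IP:-192.168.252.5}
SAMBA_PREFIX=${SAMBA_PREFIX:-/data/samba/samba4/prefix}
ZONE=${ZONE:-s4.samba.example.com}

# named_options MODE UPSTREAM_IP
#   dlz      - BIND9_DLZ: named listens on lo and the virbr0:0 alias and
#              includes the named.conf that "samba-tool domain provision" wrote.
#   internal - Samba's internal DNS owns $SAMBA_IP: named listens on lo only
#              and forwards the AD zone to Samba (DLZ include dropped; assumed).
named_options() {
    mode=$1; upstream=$2
    if [ "$mode" = dlz ]; then listen="$SAMBA_IP; 127.0.0.1;"; else listen="127.0.0.1;"; fi
    cat <<EOF
options {
    forwarders { $upstream; };
    forward only;
    listen-on { $listen };
    dnssec-validation no;
};
EOF
    if [ "$mode" = dlz ]; then
        printf 'include "%s/private/named.conf";\n' "$SAMBA_PREFIX"
    else
        cat <<EOF
zone "$ZONE" {
    type forward;
    forward only;
    forwarders { $SAMBA_IP; };
};
EOF
    fi
}

# resolver_is_local FILE: true if the first nameserver in FILE is 127.0.0.1.
resolver_is_local() {
    first=$(awk '$1=="nameserver"{print $2; exit}' "$1")
    [ "$first" = 127.0.0.1 ]
}

# nm_uses_dnsmasq FILE: true if NetworkManager.conf still has dns=dnsmasq
# (the Ubuntu default Andrew mentions); dns=none stops NM starting dnsmasq.
nm_uses_dnsmasq() {
    grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' "$1"
}

# Only touches the system when run as: sh setup.sh apply [dlz|internal] [UPSTREAM]
if [ "${1:-}" = apply ]; then
    # Alias for Samba to bind to (needs root and libvirt's virbr0 to exist).
    ip addr add "$SAMBA_IP/24" dev virbr0 label virbr0:0
    named_options "${2:-dlz}" "${3:-upstream_dns_ip}" > /etc/bind/named.conf.samba-test
    named-checkconf /etc/bind/named.conf.samba-test
    resolver_is_local /etc/resolv.conf || echo "warning: /etc/resolv.conf does not list 127.0.0.1 first" >&2
    ! nm_uses_dnsmasq /etc/NetworkManager/NetworkManager.conf || echo "warning: NetworkManager still runs dnsmasq; set dns=none" >&2
fi
```

Pair the generated file with `interfaces = lo virbr0:0` and `bind interfaces only = yes` in smb.conf so Samba, like named, stays off the LAN and only faces the guests.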