Late security improvements and my work queue
Andrew Bartlett
abartlet at samba.org
Mon Jul 3 09:26:22 UTC 2017
On Mon, 2017-07-03 at 19:38 +1200, Andrew Bartlett via samba-technical
wrote:
> On Mon, 2017-07-03 at 08:33 +0200, Stefan Metzmacher wrote:
> > On 03.07.2017 at 06:40, Andrew Bartlett via samba-technical wrote:
> > > On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
> > > wrote:
> > > > Just a heads-up, that if I ever get free of ldb locking, I want to try
> > > > and:
> > > > - enforce a setting of restrict anonymous = 2 on the AD DC
> > > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775
> > >
> > > I've not managed this one yet, and it can still be set manually.
> >
> > No, it's only available on an NT4 DC.
> >
> > > > - disable the s3 netlogon server when we are not a DC
> > > > - add a way to disable NTLM entirely
> > > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > >
> > > Attached are patches (without tests yet) for this. Please comment.
> > >
> > > It should be compatible with FreeIPA's use case, it only changes the
> > > default and the FreeIPA server still appears to be a PDC for the
> > > schannel case.
> >
> > I like the attached patches, please also include the
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
> > tag for the block ntlm changes. I think if it passes the existing
> > tests it would be ok to get into master (and 4.7.0rc1),
> > additional tests can follow later.
>
> OK, Thanks. Tim and I have prototype tests, but I'll make sure it gets
> in tomorrow one way or the other.
It just passed 3/3 private autobuild runs in the Catalyst Cloud, so
I'll tidy up tomorrow, and get it in, ideally with a test or three :-)
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba