
Re: Call for testing: upcoming samba security update



On 12/04/16 21:27, Salvatore Bonaccorso wrote:
> Hi
> 
> The upcoming Samba update is bigger than usual since for Jessie an
> update is needed to 4.2. We want to expose the package a bit more for
> additional testing. Please test the packages found on

[snip]

Hi folks,

So I missed the testing window and the updates are now out. There are a
few problems, mostly with the NEWS.Debian file, which may lead to
confusion and/or further issues.

Firstly:

>     Finally, two important configuration options should be considered,
>     that we were unable to silently change defaults for:
>     - smb signing = required
>     - ntlm auth = no
> 
>     Without smb signing = required, Man in the Middle attacks are
>     still possible against our file server and classic/NT4-like/Samba3
>     Domain controller.  (It is now enforced on our AD DC.)

There is no parameter named "smb signing" in smb.conf, and Samba rightly
complains:

> [2016/04/14 09:43:53,  0] ../lib/param/loadparm.c:743(lpcfg_map_parameter)
>   Unknown parameter encountered: "smb signing"
> [2016/04/14 09:43:53,  0] ../lib/param/loadparm.c:1626(lpcfg_do_global_parameter)
>   Ignoring unknown parameter "smb signing"

I suspect you meant one/several of "client ipc signing", "client
signing" and/or "server signing" instead. Can you please clarify?

Secondly:

When running a Samba 4 DC, the shift from 4.1 to 4.2 brings some major
changes with it and people's smb.conf will need changing. The "server
services" line needs "winbind" replacing with "winbindd", and the user
must ensure the winbind package is installed. Otherwise, Samba will
silently fail to provide a working DC.

I will report these bugs on the samba package once I finish putting out
some fires caused by all of this...

HTH,
Chris

-- 
Chris Boot

Tiger Computing Ltd
ISO27001:2013 Certified

Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR
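
An added example, not part of the original message: a small check that scans the [global] section of an smb.conf for the two problems described above (the "smb signing" line that Samba ignores, and a "server services" list still naming "winbind"). The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf for a DC carried over from 4.1 (not from the message).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    smb signing = required
    ntlm auth = no
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, \\
        winbind, ntp_signd, kcc, dnsupdate
"""

# Signing parameters the message names as the likely intended ones.
SIGNING_PARAMS = ("client ipc signing", "client signing", "server signing")

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: value} for [global], joining backslash continuations."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    params, findings = parse_global(text), []
    if norm("smb signing") in params:
        findings.append('unknown parameter "smb signing" (ignored by Samba)')
        unset = [p for p in SIGNING_PARAMS if norm(p) not in params]
        findings.append("signing parameters not set: " + (", ".join(unset) or "none"))
    services = re.split(r"[,\s]+", params.get(norm("server services"), ""))
    if "winbind" in (s.lstrip("+-") for s in services):
        findings.append('"server services" lists "winbind"; 4.2 expects "winbindd"')
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check only reports which of the three signing parameters are absent; which of them the NEWS.Debian entry intended is the open question in the message above.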

