Re: Call for testing: upcoming samba security update
On 14/04/16 10:02, Chris Boot wrote:
> Firstly:
>
>> Finally, two important configuration options should be considered,
>> that we were unable to silently change defaults for:
>> - smb signing = required
>> - ntlm auth = no
>>
>> Without smb signing = required, Man in the Middle attacks are
>> still possible against our file server and classic/NT4-like/Samba3
>> Domain controller. (It is now enforced on our AD DC.)
>
> There is no parameter named "smb signing" in smb.conf, and Samba rightly
> complains:
>
>> [2016/04/14 09:43:53, 0] ../lib/param/loadparm.c:743(lpcfg_map_parameter)
>> Unknown parameter encountered: "smb signing"
>> [2016/04/14 09:43:53, 0] ../lib/param/loadparm.c:1626(lpcfg_do_global_parameter)
>> Ignoring unknown parameter "smb signing"
>
> I suspect you meant one/several of "client ipc signing", "client
> signing" and/or "server signing" instead. Can you please clarify?

Someone has pointed out to me by private mail that this has been fixed
in an updated NEWS entry, and there is a bug open about it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820983
https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?h=stable-update&id=cbcad2a543a28926ee712cf299dbdc03da351cb0

Please can we make sure that this makes it into the inevitable deb8u3
update?

I'm filing a bug about the AD DC winbind issue now.

Cheers,
Chris
--
Chris Boot
Tiger Computing Ltd
ISO27001:2013 Certified
Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
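
An added example, not part of the original message or of Samba: a small audit of the [global] section that shows why the mistyped name matters, since an ignored "smb signing" line leaves signing unenforced. It assumes "server signing" (one of the three candidates named in the message) is the intended parameter and that "mandatory"/"required" are the enforcing values; the sample configs are constructed.

```python
import re

# Signing parameters named in the message above. Samba compares parameter
# names ignoring case and whitespace, so normalise the same way.
SIGNING_PARAMS = {"clientipcsigning", "clientsigning", "serversigning"}
# Assumption of this example: values taken to mean "signing enforced".
ENFORCING = {"mandatory", "required"}


def norm(name):
    return re.sub(r"\s+", "", name).lower()


def audit_global(conf_text):
    """Return (ignored, effective) for the [global] section.

    ignored:   signing-like lines whose name is not a real signing parameter
    effective: {normalised name: value} for recognised signing parameters
    """
    ignored, effective, section = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = norm(name)
        if key in SIGNING_PARAMS:
            effective[key] = value.lower()
        elif "signing" in key:
            ignored.append(name)  # looks like a signing knob, but is unknown
    return ignored, effective


def server_signing_enforced(conf_text):
    _, effective = audit_global(conf_text)
    return effective.get("serversigning") in ENFORCING


# Constructed sample configs, not taken from any real host.
BROKEN = "[global]\n  workgroup = EXAMPLE\n  smb signing = required\n  ntlm auth = no\n"
FIXED = "[global]\n  workgroup = EXAMPLE\n  Server Signing = mandatory\n  ntlm auth = no\n"
```

On a real host, `testparm` reports the parameters Samba actually accepted and is the authoritative check.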