[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Call for testing: upcoming samba security update



On 14/04/16 10:02, Chris Boot wrote:
> Firstly:
> 
>>     Finally, two important configuration options should be considered,
>>     that we were unable to silently change defaults for:
>>     - smb signing = required
>>     - ntlm auth = no
>>
>>     Without smb signing = required, Man in the Middle attacks are
>>     still possible against our file server and classic/NT4-like/Samba3
>>     Domain controller.  (It is now enforced on our AD DC.)
> 
> There is no parameter named "smb signing" in smb.conf, and Samba rightly
> complains:
> 
>> [2016/04/14 09:43:53,  0] ../lib/param/loadparm.c:743(lpcfg_map_parameter)
>>   Unknown parameter encountered: "smb signing"
>> [2016/04/14 09:43:53,  0] ../lib/param/loadparm.c:1626(lpcfg_do_global_parameter)
>>   Ignoring unknown parameter "smb signing"
> 
> I suspect you meant one/several of "client ipc signing", "client
> signing" and/or "server signing" instead. Can you please clarify?

Someone has pointed out to me by private mail that this has been fixed
in an updated NEWS entry, and there is a bug open about it:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820983

https://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?h=stable-update&id=cbcad2a543a28926ee712cf299dbdc03da351cb0

Please can we make sure that this makes it into the inevitable deb8u3
update?

I'm filing a bug about the AD DC winbind issue now.

Cheers,
Chris

-- 
Chris Boot

Tiger Computing Ltd
ISO27001:2013 Certified

Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk

Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
 Wyastone Leys, Monmouth, NP25 3SR


Reply to: