Bug 41034 - Set "ntlm auth = no" in smb.conf (Samba/AD)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-1-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Reported: 2016-04-12 11:13 CEST by Arvid Requate
Modified: 2016-09-21 18:10 CEST
What kind of report is it?: Security Issue
Bug group (optional): Security
Description Arvid Requate univentionstaff 2016-04-12 11:13:12 CEST
+++ This bug was initially created as a clone of Bug #41033 +++

Without 'ntlm auth = no', there may still be clients not using NTLMv2. The older original protocol version sends the password hashes across the wire, which may be observed and brute-forced easily. As far as I currently know, Samba/AD DCs running 4.3.7 will default to this setting, but for member/file-servers it would be good to adjust the default too.
Comment 1 Arvid Requate univentionstaff 2016-04-12 11:15:11 CEST
We should also consider setting "smb signing = required", which also appears to be default for Samba 4.3.7 AD DCs.
Comment 2 Arvid Requate univentionstaff 2016-04-12 16:32:33 CEST
It's "server signing = mandatory" instead of "smb signing = required".
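An added example, not part of the bug report or of univention-samba4: a small audit that checks whether an smb.conf text sets the two values named above ("ntlm auth = no" and "server signing = mandatory") in its [global] section. The function names and sample configs are constructed for illustration, and only the exact spellings from this report are treated as compliant.

```python
import re

# Values named in this bug report. Assumption: only these exact spellings
# count as compliant; Samba itself accepts synonyms for both settings.
REQUIRED = {"ntlmauth": ("ntlm auth", "no"),
            "serversigning": ("server signing", "mandatory")}

def norm(name):
    # Samba matches parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} from [global]; the last entry wins."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip().lower()
    return params

def audit(text):
    """Return findings for settings that are unset or differ from REQUIRED."""
    params = global_params(text)
    findings = []
    for key, (display, wanted) in REQUIRED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{display}: not set in [global]")
        elif got != wanted:
            findings.append(f"{display} = {got} (expected {wanted})")
    return findings

# Constructed sample configs, not taken from the bug report or a real host.
WEAK = """[global]
    workgroup = EXAMPLE
    NTLM Auth = yes
[share]
    server signing = mandatory
"""
HARDENED = "[global]\nntlm auth = no\nserver signing = mandatory\n"
if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

The weak sample shows two easy-to-miss cases: a differently capitalised parameter name still counts, and a signing setting placed in a share section does not count as a [global] setting.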
Comment 3 Arvid Requate univentionstaff 2016-04-13 14:20:43 CEST
Advisory: univention-samba4.yaml
Comment 4 Felix Botner univentionstaff 2016-04-14 14:48:51 CEST
FAIL - new ucr vars descriptions

/var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-1/univention-samba4_5.0.1-32.664.201604131409.log.bz2:
make[1]: Entering directory `/var/build/temp/tmp.GeeqAE1W3b/univention-samba4-5.0.1'
univention-install-config-registry
Incomplete entries in variable definition univention-samba4.univention-config-registry-variables
  samba/ntlm/auth:
    categories

univention-samba4.univention-config-registry-variables is not up-to-date.


OK - no changes in default settings
OK - new ucr vars
Comment 5 Arvid Requate univentionstaff 2016-04-14 17:13:35 CEST
Fixed, rebuilt, advisory updated.
Comment 6 Felix Botner univentionstaff 2016-04-15 10:09:39 CEST
(In reply to Arvid Requate from comment #5)
> Fixed, rebuilt, advisory updated.

OK - ucr desc
OK - YAML
Comment 7 Philipp Hahn univentionstaff 2016-04-15 14:49:40 CEST
<http://errata.software-univention.de/ucs/4.1/153.html>