Univention Bugzilla – Bug 41034
Set "ntlm auth = no" in smb.conf (Samba/AD)
Last modified: 2016-09-21 18:10:15 CEST
+++ This bug was initially created as a clone of Bug #41033 +++

Without 'ntlm auth = no', there may still be clients not using NTLMv2. The older original protocol version sends the password hashes across the wire, which may be observed and brute-forced easily. As far as I currently know, Samba/AD DCs running 4.3.7 will default to this setting, but for member/file-servers it would be good to adjust the default too.
We should also consider setting "smb signing = required", which also appears to be default for Samba 4.3.7 AD DCs.
It's "server signing = mandatory" instead of "smb signing = required".
Advisory: univention-samba4.yaml
FAIL - new ucr vars descriptions

/var/univention/buildsystem2/logs/ucs_4.1-0-0-errata4.1-1/univention-samba4_5.0.1-32.664.201604131409.log.bz2:
make[1]: Entering directory `/var/build/temp/tmp.GeeqAE1W3b/univention-samba4-5.0.1'
univention-install-config-registry
Incomplete entries in variable definition univention-samba4.univention-config-registry-variables
samba/ntlm/auth: categories
univention-samba4.univention-config-registry-variables is not up-to-date.

OK - no changes in default settings
OK - new ucr vars
Fixed, rebuilt, advisory updated.
(In reply to Arvid Requate from comment #5)
> Fixed, rebuilt, advisory updated.

OK - ucr desc
OK - YAML
<http://errata.software-univention.de/ucs/4.1/153.html>
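
An added example, not part of the bug report or of Univention's code: a small Python check that reads smb.conf text and reports whether the two settings discussed above ("ntlm auth = no" and "server signing = mandatory") are set explicitly in [global]. The function names and the sample configuration are constructed for illustration; only the boolean spellings of "ntlm auth" are handled, and "unset" means the effective value is whatever the installed Samba version defaults to.

```python
import re

# Settings named in this bug report and the value each should have.
WANTED = {"ntlm auth": "no", "server signing": "mandatory"}
BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def norm(name):
    # smb.conf parameter names ignore case and internal whitespace runs.
    return re.sub(r"\s+", " ", name.strip().lower())

def global_params(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Map each wanted parameter to 'ok', 'differs: <value>' or 'unset'."""
    params = global_params(text)
    result = {}
    for key, want in WANTED.items():
        if key not in params:
            result[key] = "unset"        # effective value is the build default
            continue
        have = params[key].lower()
        have = BOOL.get(have, have) if want in BOOL else have
        result[key] = "ok" if have == want else "differs: " + params[key]
    return result

# Constructed sample, not taken from a real server.
SAMPLE = """
[global]
    NTLM  Auth = Yes
    ; server signing = mandatory
[share]
    ntlm auth = no
"""
print(audit(SAMPLE))
```
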