Bug 46782

Summary: UCS still allows NTLMv1, should switch to Samba default "ntlmv2-only"
Product: UCS Reporter: Arvid Requate <requate>
Component: Samba4Assignee: Arvid Requate <requate>
Status: CLOSED FIXED QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P3 CC: best, gohmann, grandjean
Version: UCS 4.3   
Target Milestone: UCS 4.3-1-errata   
Hardware: Other   
OS: Linux   
URL: https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#Parameter_changes
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 42847    
Bug Blocks: 47100    

Description Arvid Requate univentionstaff 2018-04-05 13:42:19 CEST 
The UCS default of "yes" for the smb.conf parameter "ntlm auth" means that NTLMv1 is enabled by default. This is more explicit in the new naming introduced by Samba 4.7.0. Quoting man smb.conf:

========================================================================
The available settings are:
·   ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.

·   ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.

·   mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

·   disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

The default changed from yes to no with Samba 4.5. The default chagned again to ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
========================================================================

I think we should adjust UCS the use the Samba default "ntlmv2-only". We just didn't want to change this in 4.1-4, but the UCS default can be considered a security issue.


+++ This bug was initially created as a clone of Bug #42847 +++

See Bug #42624. Samba 4.5 changes the default from 'ntlm auth' from yes to no. We shouldn't change the default with UCS 4.1-4.
Comment 1 Arvid Requate univentionstaff 2018-08-07 21:18:08 CEST 
a2579401a4 | Adjust default for samba/ntlm/auth ("ntlm auth") to match samba
53f2c1d2a8 | Advisory
Comment 2 Felix Botner univentionstaff 2018-08-08 14:30:40 CEST 
OK - ntlmv2-only is default for ntlm auth
OK - UCR description
OK - yaml
Comment 3 Arvid Requate univentionstaff 2018-08-10 19:50:03 CEST 
Reopen: Also needed fixing in univention-samba:

2e73fefa7e | Similar patch for univention-samba
553b50d887 | Advisory
Comment 4 Felix Botner univentionstaff 2018-08-13 17:18:28 CEST 
OK - univention-samba
OK - yaml