Bug 47100

Summary:	UCS still allows NTLMv1, should switch to Samba default "ntlmv2-only" (4.2)
Product:	UCS	Reporter:	Arvid Requate <requate>
Component:	Samba4	Assignee:	Arvid Requate <requate>
Status:	CLOSED FIXED	QA Contact:	Felix Botner <botner>
Severity:	normal
Priority:	P3	CC:	gohmann, grandjean
Version:	UCS 4.2
Target Milestone:	UCS 4.2-4-errata
Hardware:	Other
OS:	Linux
URL:	https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed#Parameter_changes
What kind of report is it?:	Security Issue	What type of bug is this?:	---
Who will be affected by this bug?:	---	How will those affected feel about the bug?:	---
User Pain:		Enterprise Customer affected?:
School Customer affected?:		ISV affected?:
Waiting Support:		Flags outvoted (downgraded) after PO Review:
Ticket number:		Bug group (optional):	Security
Max CVSS v3 score:
Bug Depends on:	46782
Bug Blocks:

Description Arvid Requate

2018-05-29 13:33:19 CEST

+++ This bug was initially created as a clone of Bug #46782 +++

The UCS default of "yes" for the smb.conf parameter "ntlm auth" means that NTLMv1 is enabled by default. This is more explicit in the new naming introduced by Samba 4.7.0. Quoting man smb.conf:

========================================================================
The available settings are:
·   ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.

·   ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.

·   mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

·   disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

The default changed from yes to no with Samba 4.5. The default chagned again to ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
========================================================================

I think we should adjust UCS the use the Samba default "ntlmv2-only". We just didn't want to change this in 4.1-4, but the UCS default can be considered a security issue.


+++ This bug was initially created as a clone of Bug #42847 +++

See Bug #42624. Samba 4.5 changes the default from 'ntlm auth' from yes to no. We shouldn't change the default with UCS 4.1-4.

Comment 1 Arvid Requate

2018-05-29 13:37:56 CEST


*** This bug has been marked as a duplicate of bug 41033 ***

Comment 2 Arvid Requate

2018-08-10 19:41:23 CEST

Actually this Bug is not a duplicate of Bug #41033, because this one is about Samba/AD and the other one is about Samba/NT.

ec91b67435 | Adjust default for samba/ntlm/auth ("ntlm auth") to match samba
             ("no", i.e. ntlmv2-only)

f2acc8ec49 | Advisory

Comment 3 Arvid Requate

2018-08-10 19:56:09 CEST

Also needed fixing in univention-samba:

8c95d9ee02 | Similar patch for univention-samba
f645036405 | Advisories

Comment 4 Felix Botner

2018-08-13 18:21:58 CEST

OK - univention-samba4 and yaml
OK - univention-samba and yaml

Comment 5 Arvid Requate

2018-08-14 12:36:46 CEST

<http://errata.software-univention.de/ucs/4.2/433.html>
<http://errata.software-univention.de/ucs/4.2/434.html>