Bug 47100 - UCS still allows NTLMv1, should switch to Samba default "ntlmv2-only" (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware/OS: Other Linux
Importance: P3 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://wiki.samba.org/index.php/Samb...
Depends on: 46782
Reported: 2018-05-29 13:33 CEST by Arvid Requate
Modified: 2018-08-14 12:36 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
Description Arvid Requate univentionstaff 2018-05-29 13:33:19 CEST
+++ This bug was initially created as a clone of Bug #46782 +++

The UCS default of "yes" for the smb.conf parameter "ntlm auth" means that NTLMv1 is enabled by default. This is more explicit in the new naming introduced by Samba 4.7.0. Quoting man smb.conf:

========================================================================
The available settings are:
·   ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.

·   ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.

·   mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

·   disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

The default changed from yes to no with Samba 4.5. The default changed again to ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
========================================================================

I think we should adjust UCS to use the Samba default "ntlmv2-only". We just didn't want to change this in 4.1-4, but the UCS default can be considered a security issue.


+++ This bug was initially created as a clone of Bug #42847 +++

See Bug #42624. Samba 4.5 changes the default of 'ntlm auth' from yes to no. We shouldn't change the default with UCS 4.1-4.
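Added example, not code from the bug report, UCS or Samba: a small POSIX shell audit that reads an smb.conf, extracts the "ntlm auth" value from the [global] section, maps the aliases quoted above onto the Samba 4.7 names, and applies the compiled-in default (yes before Samba 4.5, ntlmv2-only from 4.5 on) when the parameter is absent, so an administrator can tell whether a given server still accepts NTLMv1. The sample configs, the temp file names and the version argument are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report, UCS or Samba): classify the
# effective "ntlm auth" policy of an smb.conf. Value table per man smb.conf
# (Samba 4.7 naming, aliases in brackets):
#   ntlmv1-permitted [yes]    NTLMv1 and above accepted from every client
#   ntlmv2-only [no]          NTLMv1 refused, NTLMv2 accepted
#   mschapv2-and-ntlmv2-only  NTLMv1 only for callers promising MSCHAPv2
#   disabled                  no NTLM or LanMan authentication at all
# When the parameter is absent the compiled-in default applies: "yes" before
# Samba 4.5, "no" (ntlmv2-only) from 4.5 on.

# Print the raw "ntlm auth" value from the [global] section of $1, or nothing
# if it is not set. smb.conf parameter names are case-insensitive and ignore
# internal whitespace, so "NTLM Auth" and "ntlmauth" both match.
ntlm_auth_value() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == "ntlmauth" && index(line, "=")) {
                val = line
                sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            }
        }
        END { print val }
    ' "$1"
}

# Map the raw value (or, if unset, the Samba version in $2) to the canonical
# policy name. Unknown values are reported as "unknown": Samba rejects them
# instead of silently falling back to a default.
ntlm_auth_policy() {
    conf=$1; samba_version=${2:-4.7}
    raw=$(ntlm_auth_value "$conf" | tr 'A-Z' 'a-z')
    if [ -z "$raw" ]; then
        # parameter absent: compiled-in default depends on the Samba version
        if printf '%s\n' "$samba_version" |
           awk -F. '{ exit !($1 > 4 || ($1 == 4 && $2 >= 5)) }'; then
            raw=ntlmv2-only
        else
            raw=ntlmv1-permitted
        fi
    fi
    case "$raw" in
        yes|ntlmv1-permitted)     echo ntlmv1-permitted ;;
        no|ntlmv2-only)           echo ntlmv2-only ;;
        mschapv2-and-ntlmv2-only) echo mschapv2-and-ntlmv2-only ;;
        disabled)                 echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Exit 0 when ordinary SMB/AD clients may authenticate with NTLMv1.
# mschapv2-and-ntlmv2-only still admits NTLMv1, but only from callers that
# promise MSCHAPv2 (e.g. ntlm_auth behind a RADIUS server), so it is not
# counted as permitted for plain clients here.
ntlmv1_permitted() {
    [ "$(ntlm_auth_policy "$@")" = ntlmv1-permitted ]
}

# Constructed sample configs: the old UCS default, the fixed setting, and a
# config that leaves the parameter unset.
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp); UNSET_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    # old UCS default, i.e. samba/ntlm/auth=yes
    ntlm auth = yes
EOF
cat >"$FIXED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    NTLM Auth = no
[homes]
    browseable = no
EOF
printf '[global]\n    workgroup = EXAMPLE\n' >"$UNSET_CONF"

for f in "$WEAK_CONF" "$FIXED_CONF" "$UNSET_CONF"; do
    printf '%s: ntlm auth policy = %s\n' "$f" "$(ntlm_auth_policy "$f" 4.7)"
done
```

On UCS the parameter is generated from the UCR variable samba/ntlm/auth (the variable renamed in the fix commit listed in Comment 2), so after `ucr set samba/ntlm/auth=no` the resulting smb.conf should classify as ntlmv2-only; the script only reads a file and does not touch UCR or the running smbd.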
Comment 1 Arvid Requate univentionstaff 2018-05-29 13:37:56 CEST

*** This bug has been marked as a duplicate of bug 41033 ***
Comment 2 Arvid Requate univentionstaff 2018-08-10 19:41:23 CEST
Actually this Bug is not a duplicate of Bug #41033, because this one is about Samba/AD and the other one is about Samba/NT.

ec91b67435 | Adjust default for samba/ntlm/auth ("ntlm auth") to match samba
             ("no", i.e. ntlmv2-only)

f2acc8ec49 | Advisory
Comment 3 Arvid Requate univentionstaff 2018-08-10 19:56:09 CEST
Also needed fixing in univention-samba:

8c95d9ee02 | Similar patch for univention-samba
f645036405 | Advisories
Comment 4 Felix Botner univentionstaff 2018-08-13 18:21:58 CEST
OK - univention-samba4 and yaml
OK - univention-samba and yaml