The Samba-Bugzilla – Attachment 15986 Details for Bug 14385
Bug 14385: Make spoofing of the workstation name more difficult to improve userWorkstations attribute access verification
Attachment 15986
Description: Patch to add config options to make things configurable
Filename: ntlmssp_server.c.patch_draft_specialip_and_reversedns_smbdotconf
MIME Type: text/plain
Creator: Sysadmin HTL-Leonding
Created: 2020-05-16 22:09:29 UTC
Size: 7.29 KB
Flags: patch, obsolete
>diff -r -N -u orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnameipencoding.xml samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnameipencoding.xml >--- orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnameipencoding.xml 1970-01-01 00:00:00.000000000 +0000 >+++ samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnameipencoding.xml 2020-05-14 17:45:18.641060200 +0000 >@@ -0,0 +1,29 @@ >+<samba:parameter name="workstation name ip encoding" >+ context="G" >+ type="boolean" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para>If this parameter is <constant>yes</constant>, then you >+ can encode the IPv4 address of the workstation as its name >+ and have Samba to verify whether it matches. >+ >+ This could be useful in combination with userWorkstation >+ attributes when you are sure that specific IPs can be only >+ used by specific physical computers. >+ >+ Out of compatibility reasons this is not possible for IPv6 >+ addresses, thus it is only useful when you only allow IPv4 >+ connections. >+ >+ Example: >+ The workstation with the address 10.20.30.200 would have the >+ workstation name 10_20_30_200. >+ >+ A connection from 10.20.30.201 claiming to be 10_20_30_200 >+ would be refused while connections from 10.20.30.200 are allowed. >+ The underscores have been used to be not confused with DNS names. >+ </para> >+</description> >+ >+<value type="default">no</value> >+</samba:parameter> >diff -r -N -u orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnameipencodingsuffix.xml samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnameipencodingsuffix.xml >--- orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnameipencodingsuffix.xml 1970-01-01 00:00:00.000000000 +0000 >+++ samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnameipencodingsuffix.xml 2020-05-16 13:48:33.027451300 +0000 
>@@ -0,0 +1,21 @@ >+<samba:parameter name="workstation name ip encoding suffix" >+ context="G" >+ type="cmdlist" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ This is a list of strings being allowed to be appended to the workstation >+ name to allow the coexistence of different OSes with slightly different >+ workstation names on the same IP (i.e. for dual boot situations). >+ </para> >+ >+ <para> >+ If this is empty (the default) then only the encoded IPv4 address is >+ allowed as the workstation name. >+ </para> >+ >+</description> >+ >+<value type="default"><comment>Empty, no suffix is allowed </comment></value> >+<value type="example">L,M (i.e. 10_20_30_40L and 10_20_30_40M would be allowed additionally to 10_20_30_40</value> >+</samba:parameter> >diff -r -N -u orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnamesuffixrestrictedusers.xml samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnamesuffixrestrictedusers.xml >--- orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationnamesuffixrestrictedusers.xml 1970-01-01 00:00:00.000000000 +0000 >+++ samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationnamesuffixrestrictedusers.xml 2020-05-16 19:05:13.979451300 +0000 
>@@ -0,0 +1,24 @@ >+<samba:parameter name="workstation name suffix restricted users" >+ context="G" >+ type="cmdlist" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ This is a list of allowed suffixes appended to the reverse lookup >+ name of the workstation. >+ </para> >+ >+ <para> >+ If this is empty (the default) then no suffixes are allowed. >+ This parameter is to allow i.e. linux workstations to have a configurable >+ suffix to the reverse lookup workstation name to allow dual boot >+ configurations and working around the limitation of only one >+ reverse lookup name. >+ </para> >+ >+</description> >+ >+<value type="default"><comment>No suffix is allowed >+</comment></value> >+<value type="example">linux,mac,win</value> >+</samba:parameter> >diff -r -N -u orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationrestrictedusers.xml samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationrestrictedusers.xml >--- orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationrestrictedusers.xml 1970-01-01 00:00:00.000000000 +0000 >+++ samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationrestrictedusers.xml 2020-05-14 17:31:13.381060200 +0000 
>@@ -0,0 +1,31 @@ >+<samba:parameter name="workstation restricted users" >+ context="G" >+ type="cmdlist" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ This is a list of users for which additional verifications on the claimed >+ identity of the connecting workstation must be applied. Names starting >+ with '@', '+' and '&' are interpreted using the same rules as described >+ in the <parameter moreinfo="none">invalid users</parameter> parameter. >+ </para> >+ >+ <para> >+ If this is empty (the default) then no extra checks on the claimed identity >+ of the connecting workstation are made. It would be better if this could/ >+ would be dynamically created at runtime, but for now you have to configure >+ it yourself (patches are welcome ;-) ). >+ </para> >+ >+ <para><emphasis>Note: </emphasis> >+ This parameter will prevent your BYOD from connecting with workstation >+ restricted users unless you configure reverse lookups for them. >+ </para> >+ >+</description> >+ >+<value type="default"><comment>No workstation restricted users (no extra >+check on the claimed identity of the connecting workstation is applied) >+</comment></value> >+<value type="example">cio, @financial, @examusergroup</value> >+</samba:parameter> >diff -r -N -u orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationrestrictedusersprefix.xml samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationrestrictedusersprefix.xml >--- orig/samba-4.11.6/docs-xml/smbdotconf/security/workstationrestrictedusersprefix.xml 1970-01-01 00:00:00.000000000 +0000 >+++ samba-4.11.6+dfsg/docs-xml/smbdotconf/security/workstationrestrictedusersprefix.xml 2020-05-16 14:01:02.519451300 +0000 
>@@ -0,0 +1,29 @@ >+<samba:parameter name="workstation restricted users prefix" >+ context="G" >+ type="cmdlist" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para> >+ This is a list of username prefixes for which additional verifications on the >+ claimed identity of the connecting workstation must be applied. >+ </para> >+ >+ <para> >+ If this is empty (the default) then no extra checks on the claimed identity >+ of the connecting workstation are made. It would be better if this could/ >+ would be dynamically created at runtime, but for now you have to configure >+ it yourself (patches are welcome ;-) ). >+ </para> >+ >+ <para><emphasis>Note: </emphasis> >+ This parameter will prevent your BYOD from connecting with workstation >+ restricted users unless you configure reverse lookups for them. >+ </para> >+ >+</description> >+ >+<value type="default"><comment>No workstation restricted users (no extra >+check on the claimed identity of the connecting workstation is applied) >+</comment></value> >+<value type="example">exam</value> >+</samba:parameter>
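Review bot: In the workstationnameipencoding.xml hunk, the whole description sits in a single <para> with blank lines between the sentences; DocBook ignores those blank lines and renders one run-on paragraph, so split it into separate <para> elements as the other four files in this patch do. The wording needs tightening in the same pass ("have Samba to verify whether it matches" should read "have Samba verify that it matches", "Out of compatibility reasons" should read "For compatibility reasons"). The text should also state what is compared (the NTLMSSP workstation name against the source address of the connection) and to which accounts the check applies: as written a reader cannot tell whether every connection is checked or only users listed in "workstation restricted users". The limit of the check is worth a sentence too: it binds the name to a source IP, not to a machine, so clients behind the same NAT or proxy all carry the same encoded name.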
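Review bot: In the workstationnameipencodingsuffix.xml hunk, the <value type="example"> element contains an explanation with an unclosed parenthesis ("L,M (i.e. 10_20_30_40L and 10_20_30_40M would be allowed additionally to 10_20_30_40"); keep the example value to "L,M" and move the explanation into the description as its own <para>, changing "i.e." to "e.g." and "strings being allowed to be appended" to "strings that may be appended". The description should also say whether the suffix comparison is case sensitive: the workstation name in NTLMSSP is commonly sent upper-cased, so a lower-case suffix configured in smb.conf would silently never match unless the comparison folds case.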
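Review bot: In the workstationnamesuffixrestrictedusers.xml hunk, the parameter name "workstation name suffix restricted users" reads as a list of users, but the value is a list of suffixes appended to the reverse-lookup name; a name along the lines of "workstation reverse lookup suffix" (a suggestion, not an existing Samba parameter) would pair with the "workstation name ip encoding suffix" sibling and avoid confusion with "workstation restricted users". The description also leaves the behaviour undefined when the PTR lookup fails or returns a name that matches with none of the suffixes; state that the connection is refused in that case if that is the intent. Replace "i.e. linux workstations" with "e.g. Linux workstations", and remove the stray line break inside the default <comment> before </comment>.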
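Review bot: In the workstationrestrictedusers.xml hunk, "additional verifications on the claimed identity of the connecting workstation" never says which verifications are meant; name the two mechanisms ("workstation name ip encoding" and the reverse-lookup suffix parameter) so a reader knows what being listed here triggers. The sentence "It would be better if this could/would be dynamically created at runtime, but for now you have to configure it yourself (patches are welcome ;-) )" belongs in the commit message or the bug, not in the smb.conf man page. The BYOD note is misleading as written, since unlisted users are unaffected: say instead that listed users cannot log in from a device that has neither a matching reverse lookup nor an IP-encoded workstation name. Note also that this attachment changes only docs-xml; the loadparm and ntlmssp_server.c side that reads these parameters is not part of it, so the documented behaviour cannot be checked against code here.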
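Review bot: In the workstationrestrictedusersprefix.xml hunk, the second and third paragraphs and the default <comment> are copied verbatim from workstationrestrictedusers.xml, so the default comment announces "No workstation restricted users" for what is a prefix list; reword it as "No prefixes configured (no extra check is applied)". The description should state whether the prefix match is case-insensitive, as user name comparison is elsewhere in Samba, and how this list combines with "workstation restricted users" (presumably a user is checked if it matches either list). Since a group entry such as "@examusergroup" in the sibling parameter already covers the exam use case shown in the example, the description should explain when a prefix list is preferable to a group entry.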