We should not allow a downgrade to non-Kerberos authentication if we require Kerberos.
Created attachment 16890 [details] Patches for master
Created attachment 16891 [details] Patches for v4-15-test
Created attachment 16892 [details] Patches for v4-14-test
Created attachment 16893 [details] Patches for v4-13-test
Created attachment 16898 [details] CVE-2016-2124-description-metze02.txt
This is ready for the November 9th release.
G'Day Vendors, this bug will also be part of the security release for Nov 9 2021. But the patches on this bug are on their own, independent from the large combined patch on bug #14834. This bug is only relevant for all Active Directory related setups as domain controller, as domain member, as well as client utilities.
Comment on attachment 16898 [details] CVE-2016-2124-description-metze02.txt
Couple of changes:
1). "The attacker is able to get the plaintext password send over the wire even if Kerberos authentication was required." should read: "The attacker is able to get the plaintext password sent over the wire even if Kerberos authentication was required." (notice "send" -> "sent").
2). In the "Workaround" section, change: "Should have the following options at their default values:" to: "Ensure the following [global] smb.conf parameters are set to their default values as shown below:"
Otherwise, LGTM! Thanks!
Created attachment 16902 [details] CVE-2016-2124-description-metze03.txt
Comment on attachment 16902 [details] CVE-2016-2124-description-metze03.txt
LGTM. Thanks Metze!
Created attachment 16935 [details] backport for 4.7 through to 4.11
Created attachment 16937 [details] backport for 4.6
Created attachment 16938 [details] backport for 4.4
Created attachment 16939 [details] backport for 3.6
Be great if someone could cast a knowing eye particularly over the 3.6 and 4.4 patches.
Noel, if you scroll up, you can see my last backport to Samba 3.6. After this Metze told me that this will probably need more work. Not sure it can be fixed for 3.6. Also fee23c33ae279e96d0a70e2f313d20d7fae106ff is fixing one part of the problem. Make sure you backport this to 4.4 too.
(In reply to Andreas Schneider from comment #33)
> Noel, if you scroll up, you can see my last backport to Samba 3.6. After this Metze told me that this will probably need more work. Not sure it can be fixed for 3.6.
Oh, I didn't realise that there were earlier patches, I've obsoleted the 3.6 & 4.4 ones. If we were to patch 3.6, the final 2 patches from Metz in that patch in the attachment you point to still look relevant, right? (and better than nothing)
> Also fee23c33ae279e96d0a70e2f313d20d7fae106ff is fixing one part of the problem. Make sure you backport this to 4.4 too.
Andreas/Metz, I see there is an old patch also for 4.4, were there issues still with that?
Comment on attachment 16937 [details] backport for 4.6
Andreas, could you have a look at this?
The release will happen around 18:00 UTC November 9th.
Created attachment 16972 [details] backport for 4.12
This patch applies on top of the v4.12 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
A question: About 'client min protocol = SMB2_02', is Samba still able to join a Windows 2003 AD server with this workaround setup in smb.conf? Because Windows 2003 AD server does not yet support SMB2.
> ==========
> Workaround
> ==========
>
> Ensure the following [global] smb.conf parameters are set
> to their default values as shown below:
>
> client lanman auth = no
> client NTLMv2 auth = yes
> client plaintext auth = no
> client min protocol = SMB2_02
>
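A check for the workaround quoted in the comment above, as an added example that is not part of the original thread or Samba's own code: it reads the [global] section of one smb.conf text and reports each of the four parameters whose set value differs from the listed one. It assumes an unset parameter is at the listed default, and it does not follow `include` lines or read settings placed before the first section header; the names `global_settings`, `deviations` and `SAMPLE` are this example's own.

```python
import re

# Workaround values; names normalised as smb.conf ignores case and spaces in them.
REQUIRED = {"clientlanmanauth": "no", "clientntlmv2auth": "yes",
            "clientplaintextauth": "no", "clientminprotocol": "smb2_02"}
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def global_settings(text):
    """Return {normalised name: raw value} for [global]; the last setting wins."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # backslash continues the line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif line and line[0] not in "#;" and section == "global" and "=" in line:
            name, value = line.split("=", 1)
            settings[norm(name)] = value.strip()
    return settings

def deviations(text):
    """List (parameter, found, listed) where a set value differs from the workaround."""
    out = []
    for key, value in global_settings(text).items():
        listed = REQUIRED.get(key)
        seen = value.lower()
        if listed in ("yes", "no"):
            seen = BOOL.get(seen, seen)      # accept boolean synonyms
        if listed is not None and seen != listed:
            out.append((key, value, listed))
    return out

# Constructed sample, not taken from a real host.
SAMPLE = """[global]
   Client NTLMv2 Auth = True
   client plaintext auth = yes
   ; client lanman auth = yes
   client min protocol = NT1
[share]
   client lanman auth = yes
"""

if __name__ == "__main__":
    print(deviations(SAMPLE))
```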
Created attachment 16976 [details] backport for 4.10
This patch applies on top of the v4.10 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
Created attachment 16981 [details] backport for 3.6
This bug was referenced in samba v4-15-stable (Release samba-4.15.2): ecfa1fb325460e99885d320ff4501cf685585743 670abaacb5217720bf60f5cc78c9ab0f6ee21512
This bug was referenced in samba v4-14-stable (Release samba-4.14.10): d1cf8259c52bdef83ed8db19ea0698341ae94468 279f057f23ddff2a3d43eacccb041d55a3208544
This bug was referenced in samba v4-13-stable (Release samba-4.13.14): 4290223ed40183e5f01c25da00df438b9ccf302a 721e40dd379a85e153c31b294d1054eeb3718aa0
This bug was referenced in samba v4-14-test: d1cf8259c52bdef83ed8db19ea0698341ae94468 279f057f23ddff2a3d43eacccb041d55a3208544
The releases are made, removing [EMBARGOED] tag. The vendor-only restriction will be removed soon once the dust settles.
This bug was referenced in samba v4-13-test: 4290223ed40183e5f01c25da00df438b9ccf302a 721e40dd379a85e153c31b294d1054eeb3718aa0
This bug was referenced in samba v4-15-test: ecfa1fb325460e99885d320ff4501cf685585743 670abaacb5217720bf60f5cc78c9ab0f6ee21512
This bug was referenced in samba master: 93dad333a22a3b46217072333491b87621db01f5 c17f4256e53229bd100f7bdcbc77620a64446326
The patches addressing this issue have been pushed to master and security releases made.
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. These are the "other issues" part of the big release we just made, the remainder are private for a little longer. If you wish to continue to be informed about any changes here please CC individually.