Bug 7848 - Change Samba 3.6 and 4 security defaults (spnego hint)
Summary: Change Samba 3.6 and 4 security defaults (spnego hint)
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P3 enhancement
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: http://lists.samba.org/archive/samba-...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-06 19:45 UTC by Neil Goldberg
Modified: 2010-12-07 00:08 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Neil Goldberg 2010-12-06 19:45:49 UTC 
The following bugzilla entry documents a patch I submitted to the samba technical list, which Andrew took and made better. 
Quoting Andrew from the thread, as he summarized better than myself:
"I would like to improve Samba's security and conformance to match
Windows 2008, by:
 - removing the server-sent SPNEGO principal from the server-side
reply, 
 - not honouring it in the client 
 - using NTLMv2 by default in our client.

This should match the behaviour of Windows 2008 and Vista for avoiding
man-in-the-middle attacks relying on swapping of the target principal,
and in NTLMv2 change it slowly moves us on from the very poor
cryptography of the NTLM era.

This will change behaviour - some broken configurations were windows
does not use Kerberos will now also fall back to NTLMSSP, but as Neil
reported in his original mail, it will also fix real world
inconsistencies.  

In terms of unexpected interoperability issues, all these code paths
should already have been explored with Windows 2008 and Vista clients
and servers.  Likewise, all these options can be turned back on with
smb.conf and command line options (see the --option option) if required
on a particular connection. 
"

Patches are available as attachments to the linked URL.