[Pkg-samba-maint] r1600 - in trunk/samba/debian: . patches

vorlon at alioth.debian.org vorlon at alioth.debian.org
Sat Nov 24 09:45:25 UTC 2007


Author: vorlon
Date: 2007-11-24 09:45:25 +0000 (Sat, 24 Nov 2007)
New Revision: 1600

Added:
   trunk/samba/debian/patches/disable-weak-auth.patch
Modified:
   trunk/samba/debian/NEWS
   trunk/samba/debian/changelog
   trunk/samba/debian/patches/series
Log:
disable plaintext authentication on the client, and lanman authentication on
both client and server, by default since these are only needed for Win9x or
Samba with encrypted passwords disabled and are potential password attack
vectors.  This change is backported from Samba 3.2.  LP: #163194.



Modified: trunk/samba/debian/NEWS
===================================================================
--- trunk/samba/debian/NEWS	2007-11-24 07:57:47 UTC (rev 1599)
+++ trunk/samba/debian/NEWS	2007-11-24 09:45:25 UTC (rev 1600)
@@ -1,3 +1,31 @@
+samba (3.0.27a-2) unstable; urgency=low
+
+  * Weak authentication methods are disabled by default
+
+    Beginning with this version, plaintext authentication is disabled for
+    clients and lanman authentication is disabled for both clients and
+    servers.  Lanman authentication is not needed for Windows
+    NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
+    95/98/ME clients (or servers) you may need to set lanman auth (or client
+    lanman auth) to yes in your smb.conf.
+
+    The "lanman auth = no" setting will also cause lanman password hashes to
+    be deleted from smbpasswd and prevent new ones from being written, so
+    that these can't be subjected to brute-force password attacks.  This
+    means that re-enabling lanman auth after it has been disabled is more
+    difficult; it is therefore advisable that you re-enable the option as
+    soon as possible if you think you will need to support Win9x clients.
+
+    Client support for plaintext passwords is not needed for recent Windows
+    servers, and in fact this behavior change makes the Samba client behave
+    in a manner consistent with all Windows clients later than Windows 98.
+    However, if you need to connect to a Samba server that does not have
+    encrypted password support enabled, or to another server that does not
+    support NTLM authentication, you will need to set
+    "client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
+
+ -- Steve Langasek <vorlon at debian.org>  Sat, 24 Nov 2007 00:23:37 -0800
+
 samba (3.0.26a-2) unstable; urgency=low
 
   * Default printing system has changed from BSD to CUPS
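Review bot: the entry says "lanman auth = no" will cause lanman password hashes to be deleted from smbpasswd but never says what triggers the deletion, so the advice to re-enable the option "as soon as possible" gives administrators no idea how large their window is; state whether the hashes go at upgrade time, at the next password change, or at the next write to the password database, so sites with Win9x clients can decide before the hashes are gone. The header also reads `samba (3.0.27a-2) unstable; urgency=low` while the changelog entry in this same commit says UNRELEASED; keep the two in step so they do not diverge at upload.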

Modified: trunk/samba/debian/changelog
===================================================================
--- trunk/samba/debian/changelog	2007-11-24 07:57:47 UTC (rev 1599)
+++ trunk/samba/debian/changelog	2007-11-24 09:45:25 UTC (rev 1600)
@@ -1,3 +1,13 @@
+samba (3.0.27a-2) UNRELEASED; urgency=low
+
+  * debian/patches/disable-weak-auth.patch: disable plaintext authentication
+    on the client, and lanman authentication on both client and server, by
+    default since these are only needed for Win9x or Samba with encrypted
+    passwords disabled and are potential password attack vectors.  This
+    change is backported from Samba 3.2.  LP: #163194.
+
+ -- Steve Langasek <vorlon at debian.org>  Fri, 23 Nov 2007 23:57:57 -0800
+
 samba (3.0.27a-1) unstable; urgency=low
 
   [ Steve Langasek ]
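Review bot: the distribution here is UNRELEASED while the matching NEWS entry already says unstable, and the two timestamps differ (Fri, 23 Nov 2007 23:57:57 vs Sat, 24 Nov 2007 00:23:37); update both together when the upload is made. The entry should also point at the NEWS item, since the user-visible part of this change is not the new defaults but the removal of stored lanman hashes that "lanman auth = no" brings with it, which is what upgrading administrators will notice.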

Added: trunk/samba/debian/patches/disable-weak-auth.patch
===================================================================
--- trunk/samba/debian/patches/disable-weak-auth.patch	                        (rev 0)
+++ trunk/samba/debian/patches/disable-weak-auth.patch	2007-11-24 09:45:25 UTC (rev 1600)
@@ -0,0 +1,88 @@
+Goal: disable weak authentication methods, both on the client and
+server, so that we aren't sending passwords in plaintext across the wire
+and also aren't storing weak password hashes on the server
+
+Fixes: LP #163194
+
+Upstream status: pulled from upstream 3.2 git tree, will be superseded
+with first release of 3.2
+
+Index: samba-3.0.27a/source/param/loadparm.c
+===================================================================
+--- samba-3.0.27a.orig/source/param/loadparm.c
++++ samba-3.0.27a/source/param/loadparm.c
+@@ -1562,9 +1562,9 @@
+ 	Globals.bStatCache = True;	/* use stat cache by default */
+ 	Globals.iMaxStatCacheSize = 1024; /* one Meg by default. */
+ 	Globals.restrict_anonymous = 0;
+-	Globals.bClientLanManAuth = True;	/* Do use the LanMan hash if it is available */
+-	Globals.bClientPlaintextAuth = True;	/* Do use a plaintext password if is requested by the server */
+-	Globals.bLanmanAuth = True;	/* Do use the LanMan hash if it is available */
++	Globals.bClientLanManAuth = False;	/* Do NOT use the LanMan hash if it is available */
++	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
++	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
+ 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is available (otherwise NTLMv2) */
+ 	Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */
+ 	/* Note, that we will use NTLM2 session security (which is different), if it is available */
+Index: samba-3.0.27a/docs/htmldocs/manpages/smb.conf.5.html
+===================================================================
+--- samba-3.0.27a.orig/docs/htmldocs/manpages/smb.conf.5.html
++++ samba-3.0.27a/docs/htmldocs/manpages/smb.conf.5.html
+@@ -780,7 +780,7 @@
+     without Windows 95/98 servers are advised to disable
+     this option.  </p><p>Disabling this option will also disable the <code class="literal">client plaintext auth</code> option</p><p>Likewise, if the <code class="literal">client ntlmv2
+     auth</code> parameter is enabled, then only NTLMv2 logins will be
+-    attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">yes</code>
++    attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">no</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to
+     authenticate itself to servers using the NTLMv2 encrypted password
+@@ -795,7 +795,7 @@
+ 	responses, and not the weaker LM or NTLM.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ntlmv2 auth</code></em> = <code class="literal">no</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext 
+-		password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">yes</code>
++		password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">no</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>
+     This controls whether the client offers or even demands the use of the netlogon schannel.
+@@ -2007,7 +2007,7 @@
+     auth</code> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <code class="literal">ntlm
+     auth</code> are both disabled, then only NTLMv2 logins will be
+     permited.  Not all clients support NTLMv2, and most will require
+-    special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">yes</code>
++    special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">no</code>
+ </em></span>
+ </p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
+     <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k
+Index: samba-3.0.27a/docs/manpages/smb.conf.5
+===================================================================
+--- samba-3.0.27a.orig/docs/manpages/smb.conf.5
++++ samba-3.0.27a/docs/manpages/smb.conf.5
+@@ -1272,7 +1272,7 @@
+ parameter is enabled, then only NTLMv2 logins will be attempted.
+ .sp
+ Default:
+-\fB\fIclient lanman auth\fR = yes \fR
++\fB\fIclient lanman auth\fR = no \fR
+ .RE
+ .PP
+ client ntlmv2 auth (G)
+@@ -1303,7 +1303,7 @@
+ Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.
+ .sp
+ Default:
+-\fB\fIclient plaintext auth\fR = yes \fR
++\fB\fIclient plaintext auth\fR = no \fR
+ .RE
+ .PP
+ client schannel (G)
+@@ -3082,7 +3082,7 @@
+ are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to use it.
+ .sp
+ Default:
+-\fB\fIlanman auth\fR = yes \fR
++\fB\fIlanman auth\fR = no \fR
+ .RE
+ .PP
+ large readwrite (G)
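Review bot: the header says the change was "pulled from upstream 3.2 git tree" but gives no commit id, so add it; without one nobody can check the backport against upstream or know when "will be superseded with first release of 3.2" has happened. Only the generated HTML and nroff manpages are patched here; if the source they are built from is in the tree it needs the same three default changes, otherwise a docs rebuild restores "yes". The unchanged context around the new defaults still assumes the old ones ("without Windows 95/98 servers are advised to disable this option", and the note that "client ntlmv2 auth" falls back to the weaker LM or NTLM), which now reads oddly when the option is already off by default; a one-line wording fix in the same hunks would avoid that. Minor: the new comment "Do NOT use a plaintext password even if is requested by the server" drops "it" (the line it replaces had the same slip), and the unchanged context keeps the upstream "permited" typo in both copies of the "lanman auth" description.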

Modified: trunk/samba/debian/patches/series
===================================================================
--- trunk/samba/debian/patches/series	2007-11-24 07:57:47 UTC (rev 1599)
+++ trunk/samba/debian/patches/series	2007-11-24 09:45:25 UTC (rev 1600)
@@ -24,3 +24,4 @@
 usershare.patch
 chgpasswd.patch
 cups.patch
+disable-weak-auth.patch