[Pkg-samba-maint] [samba] 08/11: NEWS for big security patch
Andrew Bartlett
abartlet-guest at moszumanska.debian.org
Tue Apr 12 22:38:00 UTC 2016
This is an automated email from the git hooks/post-receive script.
abartlet-guest pushed a commit to branch master
in repository samba.
commit 105e5fdf8ad2ebab1cde44df09c0e8a4f820ca5d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Apr 12 17:01:35 2016 +1200
NEWS for big security patch
---
debian/NEWS | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
diff --git a/debian/NEWS b/debian/NEWS
index 8a0e17a..96b4ff0 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,88 @@
+samba (2:4.3.7+dfsg-1) unstable; urgency=high
+
+ This Samba security addresses both Denial of Service and Man in
+ the Middle vulnerabilities.
+
+ Both of these changes implement new smb.conf options and a number
+ of stricter behaviours to prevent Man in the Middle attacks on our
+ network services, as a client and as a server.
+
+ Between these changes, compatibility with a large number of older
+ software versions has been lost in the default configuration.
+
+ See the release notes in WHATNEW.txt for more information.
+
+
+ Here are some additional hints how to work around the new stricter default behaviors:
+
+ * As an AD DC server, only Windows 2000 and Samba 3.6 and above as
+ a domain member are supported out of the box. Other smb file
+ servers as domain members are also fine out of the box.
+
+ * As an AD DC server, with default setting of "ldap server require
+ strong auth", LDAP clients connecting over ldaps:// or START_TLS
+ will be allowed to perform simple LDAP bind only.
+
+ The preferred configuration for LDAP clients is to use SASL
+ GSSAPI directly over ldap:// without using ldaps:// or
+ START_TLS.
+
+ To use LDAP with START_TLS and SASL GSSAPI (either Kerberos or
+ NTLMSSP) sign/seal protection must be used by the client and
+ server should be configured with "ldap server require strong
+ auth = allow_sasl_over_tls".
+
+ Consult OpenLDAP documentation how to set sign/seal protection
+ in ldap.conf.
+
+ For SSSD client configured with "id_provider = ad" or
+ "id_provider = ldap" with "auth_provider = krb5", see
+ sssd-ldap(5) manual for details on TLS session handling.
+
+ * As a File Server, compatibility with the Linux Kernel cifs
+ client depends on which configuration options are selected, please
+ use "sec=krb5(i)" or "sec=ntlmssp(i)", not "sec=ntlmv2".
+
+ * As a file or printer client and as a domain member, out of the
+ box compatibility with Samba less than 4.0 and other SMB/CIFS
+ servers, depends on support for SMB signing or SMB2 on the
+ server, which is often disabled or absent. You may need to
+ adjust the "client ipc signing" to "no" in these cases.
+
+ * In case of an upgrade from versions before 4.2.0, you might run
+ into problems as a domain member. The out of the box compatibility
+ with Samba 3.x domain controllers requires NETLOGON features only
+ available in Samba 3.2 and above.
+
+ However, all of these can be worked around by setting smb.conf
+ options in Samba, see WHATSNEW.txt the 4.2.0 release notes at
+ https://www.samba.org/samba/history/samba-4.2.0.html and the Samba
+ wiki for details, workarounds and suggested security-improving
+ changes to these and other software packages.
+
+
+ Suggested further improvements after patching:
+
+ It is recommended that administrators set these additional options,
+ if compatible with their network environment:
+
+ server signing = mandatory
+ ntlm auth = no
+
+ Without "server signing = mandatory", Man in the Middle attacks
+ are still possible against our file server and
+ classic/NT4-like/Samba3 Domain controller. (It is now enforced on
+ Samba's AD DC.) Note that this has heavy impact on the file server
+ performance, so you need to decide between performance and
+ security. These Man in the Middle attacks for smb file servers are
+ well known for decades.
+
+ Without "ntlm auth = no", there may still be clients not using
+ NTLMv2, and these observed passwords may be brute-forced easily using
+ cloud-computing resources or rainbow tables.
+
+ -- Andrew Bartlett <abartlet+debian at catalyst.net.nz> Tue, 12 Apr 2016 16:18:57 +1200
+
samba (2:4.0.10+dfsg-3) unstable; urgency=low
The SWAT package is no longer available.
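Review bot: the reference to "WHATNEW.txt" in the first added paragraph block ("See the release notes in WHATNEW.txt for more information.") is inconsistent with the later "see WHATSNEW.txt the 4.2.0 release notes" in the same hunk; the Samba release-notes file is WHATSNEW.txt, so the first occurrence should be corrected so that administrators grepping the package for the referenced file find it. While touching that block, the opening sentence is missing its noun ("This Samba security addresses both Denial of Service and Man in the Middle vulnerabilities." reads better as "This Samba security update addresses ..."), and "additional hints how to work around" should be "additional hints on how to work around". The second "see WHATSNEW.txt the 4.2.0 release notes at ..." also needs a separator, e.g. "see WHATSNEW.txt, the 4.2.0 release notes at ...". Everything else in the entry (the stricter default of "ldap server require strong auth", the "client ipc signing" and "sec=krb5(i)"/"sec=ntlmssp(i)" advice, and the recommended "server signing = mandatory" / "ntlm auth = no" follow-ups) is consistent with the urgency=high changelog it accompanies and reads fine as a NEWS entry that debconf/apt-listchanges will show on upgrade.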
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git