[prev in list] [next in list] [prev in thread] [next in thread]
List: cifs-protocol
Subject: [cifs-protocol] CIFS Null Session Vulnerability Fix in Samba 3.5.10
From: Shashi Kanth Boddula via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2018-04-25 17:54:07
Message-ID: CAJ7ruv7YoRRdqj=u=gUWdDR8FGrC35AXoCsvPe5AWC7GYQyN_w () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi Everyone,
I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined
to our AD domain controller. Recently my Windows guys has done some changes
to AD Security by stating " CIFS Null Session Vulnerability Fix via GPO -
Security Requirement". After this change, my windows clients are not
authenticating with domain credentials while accessing the shares, but
nothing has changed on the Samba side. The "net ads" commands on the Samba
server shows everything seems to be OK, but still Windows clients are not
authenticating. The Windows guys are telling they have to make some AD GPO
changes to avoid NULL or Anonymous connections coming in to the AD DC
Servers.
Can someone please tell me how i can solve this issue. How can i tell Samba
to not to issue NULL/ Anonymous communications to AD DCs. Is this a known
issue or bug with Samba3, is there any solution to it ? Any parameters in
smb.conf which solves it? Please advice.
My smb.conf looks like bellow.
workgroup = EMEA
server string = SambaStorage
password server = EMEA.NET
passdb backend = tdbsam
smb encrypt = disabled
realm = EMEA.NET
security = ADS
interfaces = 192.168.85.124 192.168.85.127 127.0.0.1
# interfaces = bond1:1 bond1:2 bond1 lo
bind interfaces only = no
local master = no
preferred master = no
os level = 33
dns proxy = yes
wins support = no
wide links = yes
unix extensions = no
log file = /var/log/samba/smb3x.log
max log size = 50000
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536
SO_SNDBUF=65536 SO_KEEPALIVE
deadtime = 800
load printers = no
printcap name = /dev/null
disable spoolss = yes
winbind separator = +
winbind use default domain = true
winbind offline logon = false
username map = /etc/samba/smbusers.map
debug level = 1
smb ports = 139 445
netbios name = MYSAMBAX09
client use spnego = yes
#domain master = no
map to guest = bad uid
hide dot files = no
invalid users = netrun
--
Thanks & Regards,
Shashi Kanth
9886455567
[Attachment #5 (text/html)]
<div dir="ltr">Hi Everyone,<div><br></div><div>I have Samba server 3.5.10 running on \
RHEL 5.8 platform and it has joined to our AD domain controller. Recently my Windows \
guys has done some changes to AD Security by stating "
<span lang="EN-GB" style="font-size:11pt;font-family:"Times New \
Roman",serif">CIFS Null Session Vulnerability Fix via GPO - Security \
Requirement". After this change, my windows clients are not authenticating \
with domain credentials while accessing the shares, but nothing has changed on the \
Samba side. The "net ads" commands on the Samba server shows everything \
seems to be OK, but still Windows clients are not authenticating. The Windows guys \
are telling they have to make some AD GPO changes to avoid NULL or Anonymous \
connections coming in to the AD DC Servers.</span></div><div><font face="Times New \
Roman, serif"><span style="font-size:14.6667px"><br></span></font></div><div><font \
face="Times New Roman, serif"><span style="font-size:14.6667px">Can someone please \
tell me how i can solve this issue. How can i tell Samba to not to issue NULL/
<span style="color:rgb(34,34,34);font-family:"Times New \
Roman",serif;font-size:14.6667px;font-style:normal;font-variant-ligatures:normal; \
font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-i \
ndent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb \
(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Anonymous<span> \
communications to AD DCs. Is this a known issue or bug with Samba3, is there any \
solution to it ? Any parameters in smb.conf which solves it? Please advice. \
</span></span><br clear="all"></span></font><div><br></div><div><br></div><div>My \
smb.conf looks like bellow. \
</div><div><br></div><div><br></div><div><br></div><div><div>workgroup = \
EMEA</div><div> server string = SambaStorage</div><div> password server = <a \
href="http://EMEA.NET">EMEA.NET</a></div><div> passdb backend = tdbsam</div><div> \
smb encrypt = disabled</div><div> realm = <a \
href="http://EMEA.NET">EMEA.NET</a></div><div> security = ADS</div><div> \
interfaces = 192.168.85.124 192.168.85.127 127.0.0.1</div><div># interfaces = \
bond1:1 bond1:2 bond1 lo</div><div><br></div><div> bind interfaces only = \
no</div><div> local master = no</div><div> preferred master = no</div><div> \
os level = 33</div><div> dns proxy = yes</div><div> wins support = \
no</div><div> wide links = yes</div><div> unix extensions = \
no</div><div><br></div><div><br></div><div> log file = \
/var/log/samba/smb3x.log</div><div><br></div><div> max log size = \
50000</div><div><br></div><div><br></div><div> socket options = TCP_NODELAY \
IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE</div><div> deadtime = \
800</div><div><br></div><div><br></div><div> load printers = no</div><div> \
printcap name = /dev/null</div><div> disable spoolss = yes</div><div> winbind \
separator = +</div><div> winbind use default domain = true</div><div> winbind \
offline logon = false</div><div> username map = \
/etc/samba/smbusers.map</div><div> debug level = 1</div><div> smb ports = 139 \
445</div><div><br></div><div><br></div><div> netbios name = MYSAMBAX09</div><div> \
client use spnego = yes</div><div>#domain master = no</div><div> map to guest = \
bad uid</div><div> hide dot files = no</div><div> invalid users = \
netrun</div></div><div><br></div><div><br></div>-- <br><div \
class="gmail_signature"><div dir="ltr"><div>Thanks & Regards,<br>Shashi \
Kanth<br></div><div>9886455567</div></div></div> </div></div>
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic