[prev in list] [next in list] [prev in thread] [next in thread]
List: samba
Subject: Re: [Samba] NTLMSSP Sign/Seal - using NTLM1
From: Vincent via samba <samba () lists ! samba ! org>
Date: 2023-08-25 19:07:30
Message-ID: CAMj4T0zgzsNbgL4boRDBcXe=V1UJTZ=N+Eo+2UBHo0hUWpj1Qg () mail ! gmail ! com
[Download RAW message or body]
Could CVE-2022-38023 be impacting this issue (
https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25)?
Samba version 4.7.12 is in use, and per the Samba advisory on this issue (
https://www.samba.org/samba/security/CVE-2022-38023.html), a change to
smb.conf was made:
server schannel require seal = yes # the default
This configuration option is not supported within 4.7.12.
On Thu, Aug 24, 2023 at 10:32 AM Vincent <techburgher@gmail.com> wrote:
> So, curiously, it *appears* the following may have sped up the mount:
>
> -
>
> Manually modified the smb.conf file, where the following changes were
> made: Added:
> -
>
> client NTLMv2 auth = yes
> -
>
> client min protocol = SMB2_02
> -
>
> From a Linux client, performed a cifs mount, forcing the following
> parameters (ntlmssp,vers=3.0)
>
> Unfortunately, connections from a Windows client are still slow. I am not
> sure if it is possible to make a comparable "mount", from Windows, similar
> to the one performed on the Linux client.
>
> On Tue, Jul 11, 2023 at 3:49 AM Rowland Penny via samba <
> samba@lists.samba.org> wrote:
>
> >
> >
> > On 10/07/2023 22:15, Vincent via samba wrote:
> > > Samba is running on SUSE Linux Enterprise High Performance Computing,
> > > kernel 5.3.18-22-default.
> > >
> > > Yes, it is a domain member, but there are no ancillary services of
> > which I
> > > am aware.
> > >
> > > The smb.conf is as follows:
> > >
> > > [global]
> > > clustering = Yes
> > > getwd cache = No
> > > kernel change notify = No
> > > max log size = 100000
> > > netbios name = TEST-SMB
> > > realm = TEST.COM
> > > security = ADS
> > > server min protocol = SMB2_02
> > > server string = "TEST-SMB"
> > > workgroup = TESTNET
> > > idmap config * : range = 4290000001-4291000000
> > > idmap config abbvienet : unix_nss_info = yes
> > > idmap config abbvienet : unix_primary_group = yes
> > > idmap config abbvienet : schema_mode = rfc2307
> > > idmap config abbvienet : range = 0-4290000000
> > > idmap config abbvienet : backend = ad
> > > idmap config * : backend = autorid
> > > allocation roundup size = 0
> > > kernel share modes = No
> > > posix locking = No
> > > read only = No
> > > veto files = /.snapshots/
> > >
> >
> > Is this part of a cluster ?
> > If it is, I would have expected to see more 'cluster' related
> > parameters, but I am no cluster expert.
> >
> > Is the workgroup actually 'TESTNET', or is that just a placeholder for '
> > ABBVINET' ?
> > If your workgroup is really 'ABBVINET', then why are you using both the
> > 'autorid' and 'ad' idmap backends ?
> >
> > If you only want to use the SMBv2 protocol as a minimum, I would also
> > set 'client min protocol = SMB2_02', with that set, SMBv1 will not be
> > used.
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic