Andrew Bartlett
2004-May-02 23:04 UTC
[Samba] Status on fixes for MS04-11/MS04-12/KB828741 issues
I realise that a large number of sites have been bitten by the bad interaction between this hotfix, and Samba.

I have finally managed to spend some time looking into this, and have reproduced it in my test environment. There appears to be an issue with the NTLMSSP layer used by Windows clients to wrap password change requests.

Fortunately, I have also shown that it is possible to construct a shim involving Samba4's RPC proxy server, to correctly change passwords from these Windows clients.

While certainly not a solution for a production environment, it shows us a means forward for fixing this issue, using existing code, and known algorithms.

As you are all aware, with the Sasser worm out and about, applying this fix is no longer optional, and we are working hard on finding a solution.

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Dan Hill
2004-May-03 02:20 UTC
[Samba] Status on fixes for MS04-11/MS04-12/KB828741 issues
Andrew Bartlett wrote:
> I realise that a large number of sites have been bitten by the bad
> interaction between this hotfix, and Samba.
>
> I have finally managed to spend some time looking into this, and have
> reproduced it in my test environment. There appears to be an issue with
> the NTLMSSP layer used by Windows clients to wrap password change
> requests.
>
> Fortunately, I have also shown that it is possible to construct a shim
> involving Samba4's RPC proxy server, to correctly change passwords from
> these Windows clients.
>
> While certainly not a solution for a production environment, it shows us
> a means forward for fixing this issue, using existing code, and known
> algorithms.
>
> As you are all aware, with the Sasser worm out and about, applying this
> fix is no longer optional, and we are working hard on finding a
> solution.
>
> Andrew Bartlett
>

Thanks to you and the entire Samba team for all the hard work put into the Samba project!

~Dan

--
Dan Hill
dwh6@cwru.edu