Ok, i added more than 50 rows like server reject md5 ecc.ecc.ecc.
Now logs are clean, but, before upgrade this not happened
thanks
-----Messaggio originale-----
Da: samba <samba-bounces at lists.samba.org> Per conto di Rowland Penny
via samba
Inviato: gioved? 30 marzo 2023 14:38
A: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Oggetto: Re: [Samba] R: upgrade from 4.17 to samba 4.18.1
On 30/03/2023 13:20, Corrado Ravinetto via samba wrote:> Mmmmm
> Strange i checked my smb.conf before upgrade and no one parameter is
present.
> Now i added
> allow nt4 crypto = yes
> reject md5 clients = no
>
> but nothing change in my logs:
>
> Mar 30 14:09:58 dc3 samba[1879231]: [2023/03/30 14:09:58.225659, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:357(dcesrv_netr_Se
> rverAuthenticate3_check_downgrade)
> Mar 30 14:09:58 dc3 samba[1879231]: CVE-2022-38023: Check if option
'server reject md5 schannel:ARRQUADRO_2_16$ = no' might be needed for a
legacy client.
> Mar 30 14:09:58 dc3 samba[1879237]: [2023/03/30 14:09:58.795431, 0]
> ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:1567(dcesrv_netr_L
> ogonSamLogon_base_reply) Mar 30 14:09:58 dc3 samba[1879237]:
> dcesrv_netr_LogonSamLogon_base_reply:
> netlogon_creds_encrypt_samlogon_validation() failed -
> NT_STATUS_INVALID_INFO_CLASS
>
>
I could be totally wrong here, but, from my reading of that CVE, I think you
should be adding lines like this to your smb.conf, instead of what you have
added:
server reject md5 schannel:ARRQUADRO_2_16$ = no
Then see if you can upgrade ARRQUADRO_2_16 to use a better cipher.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Corrado Ravinetto
Sistemi informativi
corrado.ravinetto at lanificiocerruti.com <mailto:corrado.ravinetto at
lanificiocerruti.com>
T: +39 015 3591283
[Lanificio F.lli CERRUTI]
Lanificio F.lli Cerruti S.p.A.
Via Cernaia 40, 13900 - Biella (BI) Italy
www.lanificiocerruti.com <http://www.lanificiocerruti.com/>
[Twitter] <https://twitter.com/Lan_Cerruti> [Facebook]
<https://www.facebook.com/LanificioCerruti> [Instagram]
<https://www.instagram.com/lanificiocerruti/>
Rispetta l'ambiente, non stampare questa mail se non necessario
Respect the environment, don't print unless necessary
[Unesco]