Shashi Kanth Boddula
2018-Apr-25 17:42 UTC
[Samba] CIFS Null Session Vulnerability Fix in Samba 3.5.10
Hi Everyone,

I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined to our AD domain controller. Recently my Windows guys have done some changes to AD Security by stating "CIFS Null Session Vulnerability Fix via GPO - Security Requirement". After this change, my Windows clients are not authenticating with domain credentials while accessing the shares, but nothing has changed on the Samba side. The "net ads" commands on the Samba server show everything seems to be OK, but still Windows clients are not authenticating. The Windows guys are telling me they have to make some AD GPO changes to avoid NULL or Anonymous connections coming in to the AD DC Servers.

Can someone please tell me how I can solve this issue? How can I tell Samba not to issue NULL/Anonymous communications to AD DCs? Is this a known issue or bug with Samba3, is there any solution to it? Any parameters in smb.conf which solve it? Please advise.

My smb.conf looks like below.

    workgroup = EMEA
    server string = SambaStorage
    password server = EMEA.NET
    passdb backend = tdbsam
    smb encrypt = disabled
    realm = EMEA.NET
    security = ADS
    interfaces = 192.168.85.124 192.168.85.127 127.0.0.1
    # interfaces = bond1:1 bond1:2 bond1 lo
    bind interfaces only = no
    local master = no
    preferred master = no
    os level = 33
    dns proxy = yes
    wins support = no
    wide links = yes
    unix extensions = no
    log file = /var/log/samba/smb3x.log
    max log size = 50000
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
    deadtime = 800
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes
    winbind separator = +
    winbind use default domain = true
    winbind offline logon = false
    username map = /etc/samba/smbusers.map
    debug level = 1
    smb ports = 139 445
    netbios name = MYSAMBAX09
    client use spnego = yes
    #domain master = no
    map to guest = bad uid
    hide dot files = no
    invalid users = netrun

--
Thanks & Regards,
Shashi Kanth
9886455567
Volker Lendecke
2018-Apr-25 19:19 UTC
[Samba] CIFS Null Session Vulnerability Fix in Samba 3.5.10
On Wed, Apr 25, 2018 at 11:12:07PM +0530, Shashi Kanth Boddula via samba wrote:
> I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined

You should contact RedHat support for this. Upstream Samba 3.5 has been out of support since Oct 11, 2013.

Regards, Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Shashi Kanth Boddula
2018-Apr-25 22:51 UTC
[Samba] CIFS Null Session Vulnerability Fix in Samba 3.5.10
Hi Volker,

Reaching out to RedHat is not an option for me right now. Could you please tell me whether there are any configuration parameters in smb.conf which will avoid issuing NULL or Anonymous connections or sessions?

On Thu, Apr 26, 2018 at 12:49 AM, Volker Lendecke <Volker.Lendecke at sernet.de> wrote:
> On Wed, Apr 25, 2018 at 11:12:07PM +0530, Shashi Kanth Boddula via samba
> wrote:
> > I have Samba server 3.5.10 running on RHEL 5.8 platform and it has joined
>
> You should contact RedHat support for this. Upstream Samba 3.5 has
> been out of support since Oct 11, 2013.
>
> Regards, Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>

--
Thanks & Regards,
Shashi Kanth
9886455567