Adam Błaszczykowski
2023-Oct-23 10:02 UTC
[Samba] Low performance when using "server signing" = "mandatory"
Ok thank you. So, is my file server with Samba 4.17.12 vulnerable to CVE-2016-2114 if it is not a DC server?

To be clear, I don't use any Active Directory domain controller in my network.

Best regards.
Adam Blaszczykowski

Mon, 23 Oct 2023 at 10:20 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 23 Oct 2023 09:54:47 +0200
> Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I have updated my system to Debian 12 with Samba 4.17.12, but the
> > problem with performance still exists.
> > On the Samba page there is a note in the CVE-2016-2114 description:
> > "Note that the default for server roles other than active directory
> > domain controller, is "off" because of performance reasons."
> > https://www.samba.org/samba/security/CVE-2016-2114.html
> >
> > Does it mean that using "server signing = required" for a file server
> > with "server role = standalone" doesn't increase security and only
> > causes problems with performance?
>
> No, what it is saying is, from my understanding, that it is set to off
> by default on everything but a DC because of the very problem you are
> suffering: whilst you get better security, it just slows everything
> down.
>
> Also, I have never understood why anyone would run a standalone server
> in a domain, you lose everything a domain gives you.
>
> Rowland
Rowland Penny
2023-Oct-23 10:29 UTC
[Samba] Low performance when using "server signing" = "mandatory"
On Mon, 23 Oct 2023 12:02:20 +0200
Adam Błaszczykowski via samba <samba at lists.samba.org> wrote:

> Ok thank you.
> So, is my file server with Samba 4.17.12 vulnerable to CVE-2016-2114
> if it is not a DC server?
>
> To be clear, I don't use any Active Directory domain controller in my
> network.

Let's see if I can paraphrase the documentation for CVE-2016-2114 (which is very old now). There was a bug before 4.4.0 that allowed SMBv1 clients to be possibly vulnerable to M-I-M attacks. This was fixed, but 'server signing' (according to the CVE) is set to 'off' for performance reasons. If you examine 'man smb.conf', you find this, under 'server signing':

    For the SMB2 protocol, by design, signing cannot be disabled.

Samba, by default, now uses SMBv2, so you do not, in my opinion, have anything to worry about, unless you have turned SMBv1 on again.

Rowland
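As an added illustration (not part of either message, and not a configuration either poster supplied), a minimal smb.conf for a standalone file server that makes both points of the thread explicit: the minimum protocol is pinned so SMB1 cannot be re-enabled by accident, and "server signing" is left at its default rather than forced to "mandatory", which is the setting behind the slowdown. The share name and path are placeholders.

```ini
# Added example, not from the thread. Share name and path are placeholders.
[global]
    server role = standalone server
    workgroup = WORKGROUP

    # Keep SMB1 off. SMB2_02 has been Samba's default minimum since 4.11,
    # but stating it explicitly means a later edit cannot silently bring
    # SMB1 back, which is the only case the CVE-2016-2114 note applies to.
    server min protocol = SMB2_02
    client min protocol = SMB2_02

    # Default for a non-DC role. On SMB2/SMB3 the signing capability cannot
    # be disabled (see 'man smb.conf'), so this does not leave sessions
    # unsigned; "mandatory" would force signing of every packet at the
    # throughput cost reported in this thread.
    server signing = default

[data]
    path = /srv/samba/data
    read only = no
```

The effective values can be confirmed with `testparm -s --parameter-name="server signing"` and `testparm -s --parameter-name="server min protocol"`.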