Ignore:
Timestamp:
Jun 9, 2016, 2:17:22 PM (9 years ago)
Author:
Silvan Scherrer
Message:

Samba Server: apply latest security patches to vendor

Location:
vendor/current/docs-xml/smbdotconf
Files:
4 added
4 edited

Legend:

Unmodified
Added
Removed

  • vendor/current/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml

    r414 r919  
    3535
    3636        <para>
    37         The default value is <emphasis>plain</emphasis> which is not irritable
    38         to KRB5 clock skew errors. That implies synchronizing the time
    39         with the KDC in the case of using <emphasis>sign</emphasis> or
    40         <emphasis>seal</emphasis>.
     37        The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
     38        with the KDC in the case of using <emphasis>Kerberos</emphasis>.
    4139        </para>
    4240</description>
    43 <value type="default">plain</value>
     41<value type="default">sign</value>
    4442</samba:parameter>

  • vendor/current/docs-xml/smbdotconf/protocol/clientusespnego.xml

    r414 r919  
    1010    3.0) to agree upon an authentication
    1111    mechanism.  This enables Kerberos authentication in particular.</para>
     12
     13    <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
     14    <constant>yes</constant> extended security (SPNEGO) is required
     15    in order to use NTLMv2 only within NTLMSSP. This behavior was
     16    introduced with the patches for CVE-2016-2111.</para>
    1217</description>
    1318

  • vendor/current/docs-xml/smbdotconf/security/clientntlmv2auth.xml

    r917 r919  
    2929    'best practice' security polices) only allow NTLMv2 responses, and
    3030    not the weaker LM or NTLM.</para>
     31
     32    <para>When <smbconfoption name="client use spnego"/> is also set to
     33    <constant>yes</constant> extended security (SPNEGO) is required
     34    in order to use NTLMv2 only within NTLMSSP. This behavior was
     35    introduced with the patches for CVE-2016-2111.</para>
    3136</description>
    3237<value type="default">yes</value>

  • vendor/current/docs-xml/smbdotconf/security/clientsigning.xml

    r414 r919  
    1313    When set to mandatory, SMB signing is required and if set
    1414        to disabled, SMB signing is not offered either.
     15
     16    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
     17    <smbconfoption name="client ipc signing"/> option.</para>
    1518</para>
    1619</description>
Note: See TracChangeset for help on using the changeset viewer.