author | Karolin Seeger <kseeger@samba.org> | 2010-12-17 20:39:57 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2010-12-27 17:00:24 +0100 |
commit | 08401ffd3e679e16bcf85c4e30b3efdedc40a1aa (patch) | |
tree | 0c641d889f14269a938d9de3af5d2b80563f1768 | |
parent | 706d479b21c0819063a555e6c8ae244df503f698 (diff) | |
WHATSNEW: Add information on changed security defaults.
Thanks to Andrew Bartlett for providing this text!
(cherry picked from commit 2e867d9db26865012c8a210331c0f0541024f57f)
-rw-r--r-- | WHATSNEW.txt | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 63f35e4354..14aa176ef1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -13,6 +13,40 @@ system at https://bugzilla.samba.org/. Major enhancements in Samba 3.6.0 include: +Changed security defaults +------------------------- + +Samba 3.6 has adopted a number of improved security defaults that will +impact on existing users of Samba. + + client ntlmv2 auth = yes + client use spnego principal = no + send spnego principal = no + +The impact of 'client ntlmv2 auth = yes' is that by default we will not +use NTLM authentication as a client. This applies to the Samba client +tools such as smbclient and winbind, but does not change the separately +released in-kernel CIFS client. To re-enable the poorer NTLM encryption +set '--option=clientusentlmv2auth=no' on your smbclient command line, or +set 'client ntlmv2 auth = no' in your smb.conf + +The impact of 'client use spnego principal = no' is that we may be able +to use Kerberos to communicate with a server less often in smbclient, +winbind and other Samba client tools. We may fall back to NTLMSSP in +more situations where we would previously rely on the insecure +indication from the 'NegProt' CIFS packet. This mostly occursed when +connecting to a name alias not recorded as a servicePrincipalName for +the server. This indication is not available from Windows 2008 or later +in any case, and is not used by modern Windows clients, so this makes +Samba's behaviour consistent with other clients and against all servers. + +The impact of 'send spnego principal = no' is to match Windows 2008 and +not to send this principal, making existing clients give more consistent +behaviour (more likely to fall back to NTLMSSP) between Samba and +Windows 2008, and between Windows versions that did and no longer use +this insecure hint. + + SMB2 support ------------ |
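Review bot: In the paragraph on 'client ntlmv2 auth = yes', the command-line override is written as '--option=clientusentlmv2auth=no', which does not match the parameter name 'client ntlmv2 auth' used in the defaults list and in the smb.conf form later in the same sentence. The extra "use" looks carried over from 'client use spnego principal'. If the intended parameter is 'client ntlmv2 auth', the squashed form should read '--option=clientntlmv2auth=no', otherwise users who copy the documented override will not get the fallback they expect. Two smaller points in the same hunk: "This mostly occursed when" in the 'client use spnego principal' paragraph should be "occurred" (or "occurs"), and the sentence ending "in your smb.conf" is missing its full stop. It would also help readers if the first paragraph said explicitly that the default now selects NTLMv2, since "we will not use NTLM authentication" can be read as disabling NTLMSSP altogether while the next paragraph describes falling back to NTLMSSP.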