[Eisfair] Client/PDC Samba 15.0.0. (4.17.9)

Thomas Bork tom at eisfair.org
Tue Jul 18 15:05:34 CEST 2023


On 18.07.2023 at 09:19, Marcus Röckrath wrote:

> min client protocol (client min protocol, IMHO that doesn't matter)
> beyond.
> On our systems that has been set to CORE since time immemorial.

Nope:

pvscsi # testparm -sv | grep protocol
Load smb config files from /etc/smb.conf
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_PDC

         client ipc max protocol = default
         client ipc min protocol = default
         client max protocol = default
         client min protocol = SMB2_02
         server max protocol = SMB3
         server min protocol = SMB2_02



Only with SAMBA_COMPAT:

pvscsi # testparm -sv | grep protocol
Load smb config files from /etc/smb.conf
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client lanman auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client plaintext auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "allow nt4 crypto" option is deprecated
lpcfg_do_global_parameter: WARNING: The "raw ntlmv2 auth" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

WARNING: The 'client ipc signing' value may mean SMB signing is not used 
when contacting a domain controller or other server. This setting is not 
recommended; please be aware of the security implications when using 
this configuration setting.

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

WARNING: You have not configured 'allow nt4 crypto = no' (the default). 
Your server is vulernable to CVE-2022-38023 and others!
If required use individual 'allow nt4 crypto:COMPUTERACCOUNT$ = yes' options

WARNING: You have not configured 'require strong key = yes' (the 
default). Your server is vulernable to CVE-2022-38023
If required use individual 'require strong key:NETBIOSDOMAIN = no' options

Server role: ROLE_DOMAIN_PDC

         client ipc max protocol = default
         client ipc min protocol = default
         client max protocol = default
         client min protocol = CORE
         server max protocol = SMB3
         server min protocol = LANMAN1

-- 
der tom
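
Added example, not part of the original message or of the eisfair packages: a small audit of `testparm -sv` output that reports minimum-protocol settings below SMB2_02 and any CVE ids named in testparm's own warnings. The function name `audit`, the `FLOOR` threshold and the two shortened sample outputs (copied from the listings above) are assumptions made for this illustration.

```python
import re

# Dialect names accepted by Samba's "min/max protocol" options, oldest first.
ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
         "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
FLOOR = "SMB2_02"  # assumption: everything older is an SMB1-family dialect

PARAM_RE = re.compile(
    r"^\s*((?:client|server)(?: ipc)? min protocol)\s*=\s*(\S+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def audit(testparm_output):
    """Return (source, value) findings in the order they appear."""
    findings = []
    for line in testparm_output.splitlines():
        m = PARAM_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).upper()
            value = ALIASES.get(value, value)
            # "default" and unknown names are skipped, not guessed at.
            if value in ORDER and ORDER.index(value) < ORDER.index(FLOOR):
                findings.append((name, value))
            continue
        for cve in CVE_RE.findall(line):
            if ("warning", cve) not in findings:  # report each CVE once
                findings.append(("warning", cve))
    return findings

# Constructed samples: shortened copies of the two outputs in the message.
WITHOUT_COMPAT = """\
Server role: ROLE_DOMAIN_PDC
         client ipc min protocol = default
         client min protocol = SMB2_02
         server max protocol = SMB3
         server min protocol = SMB2_02
"""
WITH_COMPAT = """\
WARNING: You have not configured 'allow nt4 crypto = no' (the default).
Your server is vulernable to CVE-2022-38023 and others!
WARNING: You have not configured 'require strong key = yes' (the
default). Your server is vulernable to CVE-2022-38023
Server role: ROLE_DOMAIN_PDC
         client ipc min protocol = default
         client min protocol = CORE
         server max protocol = SMB3
         server min protocol = LANMAN1
"""

if __name__ == "__main__":
    for label, text in (("without", WITHOUT_COMPAT), ("with", WITH_COMPAT)):
        print(label, "SAMBA_COMPAT:", audit(text))
```

The warnings in the listings above appear even though they do not contain "protocol", so they are not passing through the `grep`; capture them together with the parameter dump (`testparm -sv 2>&1`) before handing the text to `audit`.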


