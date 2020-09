server schannel = yes

Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to talk to domain controllers [...]

Users running Samba as a file server should still patch to ensure the server-side mitigations (banning certain un-random values) do not very rarely impact service.

The published proof of concept exploit for this issue only attempts to authenticate to the NetLogon service but does not attempt a takeover of the domain.

On domains with 'server schannel = yes', these tests claim to show a vulnerability against Samba despite being unable to access any privileged functionality.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's 'FullSecureChannelProtection=1' registry key, the introduction of which we understand forms the core of Microsoft's fix.

According to https://www.samba.org/samba/security/CVE-2020-1472.html, Samba from version 4 onward, when used as a Domain Controller, is vulnerable unless smb.conf contains:

From Samba v4.8 onward that is the default, but an administrator could have changed it because of compatibility problems (or suspicion/fear of them).

Also from the Samba advisory (advice: read it in full):

Microsoft server administrators must not forget, in addition to patching, to also make the registry change mentioned!
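A check for the case mentioned above, where an administrator has overridden the v4.8+ default: this added Python example (not code from the Samba project or from the original post) parses smb.conf text and reports whether 'server schannel' is effectively 'yes'. The function names and sample configs are constructed for illustration, and `include` files are not followed.

```python
import re

TRUE_WORDS = {"yes", "true", "on", "1"}  # spellings Samba accepts for a true boolean

def global_params(conf_text):
    """Return {normalised name: value} for the [global] section of smb.conf text."""
    params = {}
    section = "global"  # parameters before any section header are read as global
    joined = re.sub(r"\\\r?\n", "", conf_text)  # trailing backslash continues a line
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names;
            # a later assignment overrides an earlier one.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def schannel_enforced(conf_text, samba_version):
    """True if 'server schannel' is effectively 'yes' for this config and version."""
    value = global_params(conf_text).get("serverschannel")
    if value is None:
        # Not set: 'yes' is the default only from Samba 4.8 onward.
        return tuple(samba_version) >= (4, 8)
    return value.lower() in TRUE_WORDS  # 'auto' and 'no' both count as not enforced

# Constructed sample configs (not taken from a real system).
SAMPLE_DEFAULT = "[global]\n    workgroup = EXAMPLE\n"
SAMPLE_OVERRIDDEN = """
[global]
    workgroup = EXAMPLE
    ; changed by an admin for an old client
    Server  SChannel = auto
"""

if __name__ == "__main__":
    for label, text, ver in [("default, 4.8", SAMPLE_DEFAULT, (4, 8)),
                             ("default, 4.7", SAMPLE_DEFAULT, (4, 7)),
                             ("overridden, 4.12", SAMPLE_OVERRIDDEN, (4, 12))]:
        state = "enforced" if schannel_enforced(text, ver) else "NOT enforced"
        print(f"{label}: server schannel {state}")
```

On a live domain controller, `testparm -sv` prints the effective value including defaults and included files, which this parser does not resolve.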