authpolicy: Run smb.conf and krb5.conf by security experts
Issue description
The current version was discussed with jra@.
Nov 22 2016
Dec 19 2016
Jan 17 2017
Jan 18 2017
jra@ gave his blessing for the following conf files:
smb.conf:
[global]
netbios name = <machine name>
security = ADS
workgroup = <workgroup name>
realm = <realm>
lock directory = /tmp/authpolicyd/samba/lock
cache directory = /tmp/authpolicyd/samba/cache
state directory = /tmp/authpolicyd/samba/state
private directory = /tmp/authpolicyd/samba/private
kerberos method = secrets and keytab
client signing = mandatory
client min protocol = SMB2
client max protocol = SMB3
client ipc min protocol = SMB2
client schannel = yes
client ldap sasl wrapping = sign
krb5.conf:
[libdefaults]
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
allow_weak_crypto = false
clockskew = 300
default_realm = <realm>
Jan 20 2017
I believe you added one more config option since this was filed?
Jan 20 2017
Correct. 'kerberos encryption types = strong' was added:
smb.conf:
[global]
netbios name = <machine name>
security = ADS
workgroup = <workgroup name>
realm = <realm>
lock directory = /tmp/authpolicyd/samba/lock
cache directory = /tmp/authpolicyd/samba/cache
state directory = /tmp/authpolicyd/samba/state
private directory = /tmp/authpolicyd/samba/private
kerberos method = secrets and keytab
kerberos encryption types = strong
client signing = mandatory
client min protocol = SMB2
client max protocol = SMB3
client ipc min protocol = SMB2
client schannel = yes
client ldap sasl wrapping = sign
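Added example, not part of the original thread or of the authpolicy code: a drift check that parses an smb.conf and reports where its [global] section deviates from the security-relevant settings quoted above. The function names and the SAMPLE input are constructed for illustration, and values are compared case-insensitively but otherwise exactly.

```python
# Added example (not from the thread): drift check for an smb.conf [global]
# section against the settings quoted above. Names and SAMPLE are constructed.
BASELINE = {
    "security": "ADS",
    "kerberos method": "secrets and keytab",
    "kerberos encryption types": "strong",
    "client signing": "mandatory",
    "client min protocol": "SMB2",
    "client max protocol": "SMB3",
    "client ipc min protocol": "SMB2",
    "client schannel": "yes",
    "client ldap sasl wrapping": "sign",
}

def norm_name(name):
    # smb.conf(5): names are case-insensitive and whitespace in them is ignored.
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)   # only the first '=' counts
            params[norm_name(name)] = value.strip()  # last assignment is kept
    return params

def audit(text):
    """Return sorted (parameter, expected, found) tuples; found is None if unset."""
    found = parse_global(text)
    return sorted(
        (name, want, found.get(norm_name(name)))
        for name, want in BASELINE.items()
        if (found.get(norm_name(name)) or "").lower() != want.lower()
    )

SAMPLE = """[global]
  security = ADS
  kerberos method = secrets and keytab
  ; kerberos encryption types = strong
  ClientSigning = mandatory
  client min protocol = NT1
  client max protocol = SMB3
  client ipc min protocol = SMB2
  client schannel = yes
  client ldap sasl wrapping = sign
"""
```

Calling audit(SAMPLE) flags the commented-out 'kerberos encryption types' line as unset and the lowered 'client min protocol', while 'ClientSigning' still matches because of the name normalization.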
Jan 26 2017
Jorge flipped the security bit.
Jul 6 2017
bulk Verify of Chromad V1 bugs
Comment 1 by tnagel@chromium.org, Nov 21 2016