Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7094: Is Samba badlock have an affect with adsmb?

30 June,16 at 11:27 PM

Applies to:  Centrify Enabled Samba 

Question:

Samba Badlock is specifically a Samba vulnerability, but Centrify itself uses those RPC subprotocols via 'adsmb',  Has the adsmb component been tested against the vulnerabilities associated with Samba?  Is there an assurance that the Samba related issues due to SMB protocol vulnerability are not present in adsmb?


Answer:

To answer the above question, Engineering assured the following:
  • adsmb does not use DCE-RPC at all.  It uses SMB transport directly (note that DCE-RPC is on top of SMB).  There fore the issue with RPC is not relevant.
  • adsmb uses kerberos authentication to establish connection with DC or Samba server.
  • adsmb enforces SMB signing, it will close connection on signature mismatch.
  • DirectControl always enforces LDAP integrity, by default we use LDAP privacy (encrypted). 
  • All the vulnerability involves attacking server by using some hi-jacking mechanism to dumb protocol down, for example, not require signing, or connect without credential.  On the server end (Domain Controller and Samba) this is fixed by Samba.org and Microsoft.
Please note on the following circumstances:
  • If customer is running Centrify DirectControl version 5.3.0 and lower, Support recommend to upgrade to Suite 2016.1 (CDC 5.3.1) where there is bug fix for SMB signing area.
  • SMB3 (encrypted SMB) and Kerberos Armoring (FAST) is currently NOT supported in Suite 2016.1 and earlier releases, Centrify Engineering are working on Kerberos library upgrade in Suite 2017 in order to support these 2 features.




 

Related Articles

 articleKB-6731: Impact of Badlock (CVE-2016-0128/CVE-2016-2118) on Centrify-Enabled Samba articleKB-6834: Additional configuration steps for deploying Adbindproxy on RHEL 7 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6842: Overview of the steps to upgrade or migrate from Centrify-enabled Samba to stock Samba with Centrify Adbindproxy articleKB-1795: Does Samba security alert CVE-2010-3069 affect Centrify_Enabled_Samba ?