
KB-7094: Does Samba Badlock affect adsmb?

Centrify DirectControl, Centrify DirectControl Plugins

30 June,16 at 11:27 PM

Applies to:  Centrify Enabled Samba 

Question:

Samba Badlock is specifically a Samba vulnerability, but Centrify itself uses those RPC subprotocols via 'adsmb'. Has the adsmb component been tested against the vulnerabilities associated with Samba? Is there an assurance that the Samba-related issues due to the SMB protocol vulnerability are not present in adsmb?


Answer:

In response to the above question, Engineering provided the following assurances:
  • adsmb does not use DCE-RPC at all. It uses the SMB transport directly (note that DCE-RPC runs on top of SMB). Therefore the issue with RPC is not relevant.
  • adsmb uses Kerberos authentication to establish a connection with the DC or Samba server.
  • adsmb enforces SMB signing; it will close the connection on a signature mismatch.
  • DirectControl always enforces LDAP integrity; by default we use LDAP privacy (encrypted).
  • All of these vulnerabilities involve attacking the server by using some hijacking mechanism to downgrade the protocol, for example by not requiring signing or by connecting without credentials. On the server end (Domain Controller and Samba), this is fixed by Samba.org and Microsoft.
Please note the following circumstances:
  • If the customer is running Centrify DirectControl version 5.3.0 or lower, Support recommends upgrading to Suite 2016.1 (CDC 5.3.1), which contains a bug fix in the SMB signing area.
  • SMB3 (encrypted SMB) and Kerberos Armoring (FAST) are currently NOT supported in Suite 2016.1 and earlier releases. Centrify Engineering is working on a Kerberos library upgrade in Suite 2017 in order to support these two features.
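
The signing and downgrade points above describe a client that requires a valid signature on every message and closes the connection otherwise. The following is an added example, not Centrify's adsmb code: it assumes SMB 2.x-style signing (HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes), since the article does not say which dialect adsmb speaks, and the session key, header values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFF, SIG_OFF, HDR_LEN = 16, 48, 64   # offsets in the 64-byte SMB2 header

class SigningError(Exception):
    """The message must be dropped and the connection closed."""

def make_header(command, message_id, session_id):
    # Constructed minimal SMB2 response header with an empty Signature field.
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, command, 1,
                       0x1, 0, message_id, 0, 0, session_id, bytes(16))

def _mac(key, msg):
    # HMAC-SHA256 over the message with Signature zeroed, truncated to 16 bytes.
    zeroed = msg[:SIG_OFF] + bytes(16) + msg[HDR_LEN:]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:16]

def get_flags(msg):
    return struct.unpack_from("<I", msg, FLAGS_OFF)[0]

def set_flags(msg, flags):
    return msg[:FLAGS_OFF] + struct.pack("<I", flags) + msg[FLAGS_OFF + 4:]

def sign(key, msg):
    msg = set_flags(msg, get_flags(msg) | SMB2_FLAGS_SIGNED)
    return msg[:SIG_OFF] + _mac(key, msg) + msg[HDR_LEN:]

def verify_or_close(key, msg):
    # Simplified: a real client also applies the protocol's few exemptions.
    if len(msg) < HDR_LEN or msg[:4] != SMB2_MAGIC:
        raise SigningError("not an SMB2 message")
    if not get_flags(msg) & SMB2_FLAGS_SIGNED:   # downgrade: signing stripped
        raise SigningError("unsigned message on a signing-required session")
    if not hmac.compare_digest(msg[SIG_OFF:HDR_LEN], _mac(key, msg)):
        raise SigningError("signature mismatch")
    return msg[HDR_LEN:]

def demo():
    key = bytes(range(16))   # constructed session key
    good = sign(key, make_header(0x0008, 5, 0x1122) + b"constructed payload")
    cases = {"valid": good,
             "tampered": good[:-1] + bytes([good[-1] ^ 1]),
             "flag stripped": set_flags(good, get_flags(good) & ~SMB2_FLAGS_SIGNED)}
    out = {}
    for name, msg in cases.items():
        try:
            verify_or_close(key, msg)
            out[name] = "accepted"
        except SigningError as err:
            out[name] = f"closed: {err}"
    return out
```

Calling demo() shows that only the untouched message is accepted; both the modified payload and the message with its signed flag cleared cause the connection to be closed.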




 
