Environment
Situation
Resolution
SOLUTION 1:
The easiest solution is to set client SMB packet signing on the Change Guardian server to "auto." With "auto," the Samba client signs when the Windows Agent machine supports signing and falls back to unsigned traffic when it does not, so whether SMB packet signing is actually used is determined by the settings on each Windows Agent machine. Note that with the Windows defaults described under Cause, traffic to non-domain-controller Agent machines will therefore be unsigned.
Add the configuration option client ipc signing = auto in the [global] section of the samba configuration file /etc/samba/smb.conf on the Change Guardian server.
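The smb.conf change above, as an added example that is not part of the original article or of the Change Guardian product: a POSIX shell helper for the Change Guardian host that reads the current client ipc signing value (reporting "mandatory" when the option is absent, the post-update default) and sets it idempotently inside [global] without duplicating the line or dropping it into another section. The function names, the backup file name and the optional testparm check are this example's own choices; run it as root against /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not from the original KB article: manage the Samba
# "client ipc signing" option in the [global] section of an smb.conf.

# Print the value of "client ipc signing" from [global], or "mandatory"
# when the option is absent (the default after the Badlock samba-client
# update, as the article states).
get_client_ipc_signing() {
    gcis_conf="$1"
    gcis_val=$(awk '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next
        }
        in_global && $0 ~ /^[[:space:]]*client[[:space:]]+ipc[[:space:]]+signing[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$gcis_conf")
    printf '%s\n' "${gcis_val:-mandatory}"
}

# Set "client ipc signing" in [global] to auto, mandatory or disabled.
# Replaces an existing line in [global], inserts one if missing, and
# appends a [global] section if the file has none. A backup is kept as
# <conf>.bak (this example's own convention).
set_client_ipc_signing() {
    scis_conf="$1"; scis_val="$2"
    case "$scis_val" in
        auto|mandatory|disabled) ;;
        *) echo "set_client_ipc_signing: unsupported value '$scis_val'" >&2; return 1 ;;
    esac
    scis_tmp="$scis_conf.tmp.$$"
    cp -p "$scis_conf" "$scis_conf.bak" || return 1
    awk -v val="$scis_val" '
        /^[[:space:]]*\[/ {
            # Leaving [global] without having written the option: insert it first.
            if (in_global && !done) { print "\tclient ipc signing = " val; done = 1 }
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            if (in_global) seen_global = 1
            print; next
        }
        in_global && $0 ~ /^[[:space:]]*client[[:space:]]+ipc[[:space:]]+signing[[:space:]]*=/ {
            # Replace the first occurrence, drop any duplicates.
            if (!done) { print "\tclient ipc signing = " val; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!seen_global) print "[global]"
                print "\tclient ipc signing = " val
            }
        }' "$scis_conf" > "$scis_tmp" && mv "$scis_tmp" "$scis_conf"
}

# Optional: ask Samba itself for the effective value, if testparm is installed.
verify_with_testparm() {
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed" >&2; return 1; }
    testparm -s --parameter-name="client ipc signing" "$1" 2>/dev/null
}

# Usage: ./smb-signing.sh /etc/samba/smb.conf auto
if [ "$#" -ge 2 ]; then
    set_client_ipc_signing "$1" "$2"
    printf 'client ipc signing is now: %s\n' "$(get_client_ipc_signing "$1")"
fi
```

Setting the value back to "mandatory" with the same helper is the reverse operation if you later adopt Solution 2. The awk matcher is deliberately limited to [global]: an option line under a share section is ignored by Samba for this global parameter, and writing it there would leave the default of "mandatory" in force.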
SOLUTION 2:
The more secure solution is to tighten the security settings on all of the Windows Agent machines. This can be done using group policy in an Active Directory environment. In this scenario, you can leave the client SMB signing setting on the Change Guardian server set to "mandatory," which is now the default value if the setting is not present in the configuration file. SMB packet signing will then be required for all Windows Agent connections.
Note: This approach is more secure but may degrade performance by up to 15 percent on file service transactions.
In this exchange the Windows Agent machine is the SMB server and the Change Guardian host is the SMB client, so it is the server-side signing settings on the Windows machines that must change. In an AD environment, configure them through group policy by enabling either of the following security options under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options:
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
"(always)" enforces signing for every client; "(if client agrees)" is sufficient here because the Change Guardian client with the "mandatory" setting always requests signing. Verify the setting has been applied (for example with gpupdate /force followed by gpresult) before retrying Agent Management.
For Windows machines not in an AD environment, the same security options can be configured locally on the machine using the Local Security Policy snap-in found under Administrative Tools.
Cause
The samba-client package has been updated in SUSE Linux Enterprise Server SP4 to address the Badlock vulnerability (CVE-2016-2118 on the Samba side), which is associated with multiple CVEs and could lead to a man-in-the-middle or denial of service attack. See http://badlock.org/ for more details. The samba-client update changes the default client SMB signing setting on the Change Guardian host from "auto" to "mandatory." Except for domain controllers, Windows OS default settings do not require SMB packet signing, and therefore samba communications between non-domain-controller Windows machines and the Change Guardian server fail when the client insists on signing. Change Guardian (Windows) Agent Management depends on these samba communications and therefore does not work.