Disabling LM authentication

Gerald Carter gcarter at valinux.com
Mon Nov 27 17:51:31 GMT 2000


Andrew Bartlett wrote:
> 
> Can samba process NTLMv2 passwords?  (If not, is the 
> effort considerable?)

The code for initial ntlmv2 support is in the old
SAMBA_TNG branch.  We just needed the people (resources)
to bring it over.  Not really something you can pick up in
a weekend. :-)

> Does samba currently store NTLMv2 passwords?

My limited understanding of ntlmv2 is not that the
passwords are any different.  It is just that the protocol
allows for different negotiation options to prevent
man-in-the-middle attacks among other things.

> Does samba support the 128bit encryption (is this 
> SSL? or something else)

I think Luke figured out 40-bit encryption for NTLMv2.
Luke wrote a paper on some of this for the past LISA-NT
conference.  I'll see if I can find it online somewhere.

> Support for some of these options (and notes to 
> indicate what matches to what in configuration files, 
> or even better using the same numbers) would greatly 
> enhance a network's security.
> 
> (Even just allowing the removal of LM passwords 
> from the system would benefit system security, if it 
> is known no Win9X clients intend to connect)

To disable lanman auth, you should be able to just change 
the LanMan password hash field in smbpasswd to 
'XXXXX...' (32 X's) but leave the NT Hash intact.

Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
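
Added example (not part of the original message, and not Samba project code): a sketch of the smbpasswd edit described above, replacing each LanMan hash with 32 X's while leaving the NT hash untouched. It assumes the record layout name:uid:LM hash:NT hash:[flags]:LCT-time: and skips accounts that have no NT hash, since blanking LM there would leave no usable hash; the function name disable_lm and the sample records are constructed for illustration.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
DISABLED = "X" * 32  # the 32-X placeholder described in the message


def disable_lm(lines):
    """Return (new_lines, changed, skipped) for smbpasswd-format lines.

    Assumed layout: name:uid:LM hash:NT hash:[flags]:LCT-time:
    """
    out, changed, skipped = [], [], []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        # Comments, blank lines and short records pass through untouched.
        if line.startswith("#") or len(fields) < 4:
            out.append(line)
            continue
        name, lm, nt = fields[0], fields[2], fields[3]
        if not HEX32.match(lm):
            # Already X'ed out, or a "NO PASSWORD" marker: nothing to blank.
            out.append(line)
            continue
        if not HEX32.match(nt):
            # No usable NT hash: blanking LM would leave nothing to log in with.
            skipped.append(name)
            out.append(line)
            continue
        fields[2] = DISABLED
        newline = "\n" if line.endswith("\n") else ""
        out.append(":".join(fields) + newline)
        changed.append(name)
    return out, changed, skipped


# Constructed sample records (hash values are made-up hex, not real hashes).
TAIL = ":[U          ]:LCT-3A22A2F3:\n"
SAMPLE = [
    "# constructed smbpasswd sample\n",
    "alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210" + TAIL,
    f"bob:1002:{DISABLED}:00112233445566778899AABBCCDDEEFF" + TAIL,
    f"carol:1003:89ABCDEF0123456789ABCDEF01234567:{DISABLED}" + TAIL,
]

if __name__ == "__main__":
    new_lines, changed, skipped = disable_lm(SAMPLE)
    print("".join(new_lines), end="")
    print("LM hash blanked for:", changed)
    print("left alone (no NT hash):", skipped)
```

Work on a copy of the file and review the skipped list before replacing the live smbpasswd.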





