Disabling LM authentication

Steve Langasek vorlon at netexpress.net
Mon Nov 27 19:12:45 GMT 2000

On Mon, 27 Nov 2000, Gerald Carter wrote:

> > Support for some of these options (and notes to 
> > indicate what matches to what in configuration files, 
> > or even better using the same numbers) would greatly 
> > enhance a networks security.

> > (Even just allowing the removal of LM passwords 
> > from the system would benefit system security, if it 
> > it known no Win9X clients intend to connect)

> To disabler lanman auth, you should be able to just change 
> the LanMan password hash field in smbpasswd to 
> 'XXXXX...' (32 X's) but leave the NT Hash intact.

However, this would not prevent the client from attempting to negotiate lanman
auth, or the server from accepting them; it would just mean that the client
would be denied access.  Depending on where your security concerns lie
(sniffing vs. brute-forcing), removing the LanMan passwords from the smbpasswd
database may not provide any security improvement.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list