ntlmv2 authentication for server side

David Collier-Brown David.Collier-Brown at Sun.COM
Mon Oct 24 14:31:38 GMT 2005


  I'd suggest it be named something like "minimum lm level"
and add one for maximum level, like we did with 
min and max protocol.

  This handles both the security problems (preventing
use of old insecure and buggy), and the introduced-bug
problem (preventing use of new, insecure and buggy (;-)).

--dave

Michael B Allen wrote:
> On Sun, 23 Oct 2005 22:08:51 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> 
>>On Fri, 2005-10-21 at 15:36 -0700, Jeremy Allison wrote:
>>
>>>On Sat, Oct 22, 2005 at 01:10:06AM +0530, nagendra.shivaramaiah at wipro.com wrote:
>>>
>>>>hi all,
>>>>
>>>>        I would like to know if there is any configuration parameter in samba to make ntlmv2 authentication mandatory on the server side to accept only ntlmv2 type connection requests. Also, is it essential to have "auth methods = sam" for this kind of setup. currently using samba 3.0.14a. I am aware that it could be done on the client side by tweaking the registry to send ntlmv2 requests only. Any information on having a similar setup on the server side is what I am looking for.
>>>
>>>There isn't such a setting right now, but it shouldn't
>>>be too hard to add one. I'll look into it - it'll be a
>>>parameter like "server ntlmv2 = mandatory".
>>
>>The setting is 'ntlm auth = no' and 'lanman auth = no', leaving ntlmv2
>>as the remaining option.  I would be happy with 'ntlmv2 auth =
>>mandatory' as a synonym to these.
> 
> 
> Or have 'lmcompatibility = N' where N is the usual numbers (from MS
> website):
> 
>   Level 0 - Send LM and NTLM response; never use NTLM 2 session
>   security. Clients use LM and NTLM authentication, and never use
>   NTLM 2 session security; domain controllers accept LM, NTLM,
>   and NTLM 2 authentication.
> 
>   Level 1 - Use NTLM 2 session security if negotiated. Clients
>   use LM and NTLM authentication, and use NTLM 2 session security
>   if the server supports it; domain controllers accept LM, NTLM,
>   and NTLM 2 authentication.
> 
>   Level 2 - Send NTLM response only. Clients use only NTLM
>   authentication, and use NTLM 2 session security if the server
>   supports it; domain controllers accept LM, NTLM, and NTLM 2
>   authentication.
> 
>   Level 3 - Send NTLM 2 response only. Clients use NTLM 2
>   authentication, and use NTLM 2 session security if the server
>   supports it; domain controllers accept LM, NTLM, and NTLM 2
>   authentication.
> 
>   Level 4 - Domain controllers refuse LM responses. Clients use
>   NTLM authentication, and use NTLM 2 session security if the
>   server supports it; domain controllers refuse LM authentication
>   (that is, they accept NTLM and NTLM 2).
> 
>   Level 5 - Domain controllers refuse LM and NTLM responses (accept
>   only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2
>   session security if the server supports it; domain controllers
>   refuse NTLM and LM authentication (they accept only NTLM 2).
> 
> Mike
> 

-- 
David Collier-Brown,      | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb at canada.sun.com     |                      -- Mark Twain
(416) 263-5733 (x65733)   |
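The thread settles on 'ntlm auth = no' plus 'lanman auth = no' as the way to make a Samba 3.0 server accept only NTLMv2, and maps that onto the server-side column of the Microsoft lmcompatibility table (levels 0-3 accept everything, level 4 refuses LM, level 5 refuses LM and NTLM). The script below is an added example, not Samba project code: it reads the [global] section of an smb.conf, applies Samba's rule that parameter names are case- and whitespace-insensitive, reports which response types the server will still accept, and computes the lowest Microsoft level whose domain-controller behaviour matches, i.e. the "minimum lm level" the configuration is equivalent to. The two embedded smb.conf texts are constructed samples, and the fallback of 'lanman auth = yes' / 'ntlm auth = yes' when the parameters are unset is an assumption about the Samba 3.0-era defaults; later releases changed both defaults to 'no', so check smb.conf(5) for the version you run.

```python
"""Audit an smb.conf [global] section for the NTLMv2-only policy.

Added example, not Samba code.  ASSUMED_DEFAULTS encodes an assumption
about Samba 3.0-era defaults (both parameters 'yes' when unset).
"""
import re

# Assumption: Samba 3.0.x defaults when the parameters are not set.
ASSUMED_DEFAULTS = {"lanmanauth": "yes", "ntlmauth": "yes"}


def _canon(name: str) -> str:
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def _as_bool(value: str) -> bool:
    """Samba boolean syntax: yes/true/1 or no/false/0."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def parse_global(text: str) -> dict:
    """Return canonicalised parameter name -> raw value for [global] only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[_canon(key)] = value.strip()
    return params


def accepted_responses(params: dict) -> dict:
    """Which challenge/response types the server will accept."""
    lm = _as_bool(params.get("lanmanauth", ASSUMED_DEFAULTS["lanmanauth"]))
    ntlm = _as_bool(params.get("ntlmauth", ASSUMED_DEFAULTS["ntlmauth"]))
    # Neither parameter switches NTLMv2 off; it is always left available.
    return {"LM": lm, "NTLM": ntlm, "NTLMv2": True}


def equivalent_level(params: dict):
    """Lowest MS lmcompatibility level whose server-side rule matches.

    Levels 0-3 all accept LM, NTLM and NTLM 2 on the server side, so a
    permissive server is reported as level 0.  'lanman auth = yes' with
    'ntlm auth = no' matches no level and is reported as None.
    """
    acc = accepted_responses(params)
    if acc["LM"] and acc["NTLM"]:
        return 0
    if not acc["LM"] and acc["NTLM"]:
        return 4
    if not acc["LM"] and not acc["NTLM"]:
        return 5
    return None


def audit(text: str) -> dict:
    """Parse smb.conf text and report what must change for NTLMv2-only."""
    params = parse_global(text)
    acc = accepted_responses(params)
    findings = []
    if acc["LM"]:
        findings.append("LM responses accepted (upper-cased, 14-char-capped "
                        "password); set 'lanman auth = no'")
    if acc["NTLM"]:
        findings.append("NTLMv1 responses accepted; set 'ntlm auth = no'")
    return {"level": equivalent_level(params),
            "ntlmv2_only": not findings,
            "findings": findings}


# Constructed sample: 3.0-era defaults left in place (weak).
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   ; neither auth knob set, so the assumed defaults apply

[share]
   path = /srv/share
"""

# Constructed sample: the hardening Andrew Bartlett describes.
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   lanman auth = no
   NTLM Auth = No

[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run it against a real smb.conf by passing the file contents to audit(); a result of level 5 with no findings means only NTLMv2 responses will be accepted, level 4 means LM is off but NTLMv1 is still taken, and level 0 means the server is as permissive as a stock Windows domain controller at levels 0 through 3.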

