NTLMv2

Andrew Bartlett abartlet at samba.org
Mon Nov 26 01:34:23 GMT 2007


On Mon, 2007-11-19 at 08:56 -0800, Zachary Loafman wrote:
> > -----Original Message-----
> > From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> > 
> > >> if the negotiation says it's allowed?
> > >
> > > At least I don't see any. Maybe abartlet wants to comment
> > > here?
> > 
> > I didn't think NTLMv2 was negotiated.
> 
> Yeah, I discovered after my first message that the NTLM2 flag was for NTLM2 session support.
> 
> This could be queried out of the group policy, but is there a known
> case where a DC will offer NTLM2-session-support but not be able to
> handle NTLMv2-auth? If so, use of NTLMv2 auth could be keyed off
> whether the DC was offering NTLM2 session, and realistically, NTLMv2
> auth is supported by 99.9% of the MS DCs out there.

In theory, the intermediate server might offer NTLM2 session security,
but the DC behind it might not.

For Samba 3.2 we agreed (I think on the team list) to stricter defaults
on what we would send by default, but not as far as NTLMv2.  We have
lagged Microsoft's changed defaults in this area in the past, and I
didn't want to rock the boat.

I would be very happy to see Samba 3.2 move to NTLMv2 only, but we
should clearly document how to disable it when not supported.  Certainly
vendors with much tighter support arrangements with their customers
could do so with greater certainty than perhaps we could for upstream
Samba. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
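The distinction discussed in this thread, as an added example that is not part of the original message and is not Samba code: the NTLM2 flag in the server's NTLMSSP CHALLENGE only signals NTLM2 session security, while the scheme a client actually used shows in the shape of its response fields. Flag values and offsets follow MS-NLMP; the function names and the sample message are constructed for illustration.

```python
import struct

# Flag values from MS-NLMP; Samba's headers call the first NTLMSSP_NEGOTIATE_NTLM2.
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000  # extended (NTLM2) session security
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000


def parse_challenge(msg: bytes) -> dict:
    """Parse the fixed header of an NTLMSSP CHALLENGE (type 2) message."""
    if len(msg) < 32:
        raise ValueError("truncated CHALLENGE message")
    sig, mtype = struct.unpack_from("<8sI", msg, 0)
    if sig != b"NTLMSSP\x00" or mtype != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    (flags,) = struct.unpack_from("<I", msg, 20)  # after the 8-byte TargetNameFields
    return {
        "flags": flags,
        "server_challenge": msg[24:32],
        # Says nothing about whether the DC accepts an NTLMv2 response.
        "ntlm2_session": bool(flags & NTLMSSP_NEGOTIATE_NTLM2),
        "target_info": bool(flags & NTLMSSP_NEGOTIATE_TARGET_INFO),
    }


def classify_nt_response(nt: bytes, lm: bytes, flags: int) -> str:
    """Name the scheme a client used, judged from its response fields."""
    if len(nt) > 24:
        return "NTLMv2"  # 16-byte HMAC-MD5 proof plus a variable-length blob
    if len(nt) == 24:
        # NTLM2 session: LM field holds an 8-byte client nonce, zero padded.
        if flags & NTLMSSP_NEGOTIATE_NTLM2 and len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLM2 session"
        return "NTLMv1"
    return "unknown"


def build_sample_challenge(flags: int) -> bytes:
    """Constructed sample: header-only CHALLENGE with empty target name and info."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
            + struct.pack("<I", flags) + bytes(range(8)) + bytes(8)
            + struct.pack("<HHI", 0, 0, 56) + bytes(8))
```

A 24-byte NT response with the NTLM2 flag set is still not NTLMv2; only the longer response format is.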