zachary.loafman at isilon.com
Mon Nov 26 17:00:07 GMT 2007
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org]
> Sent: Monday, November 26, 2007 6:07 AM
> To: Andrew Bartlett
> Cc: Zachary Loafman; Volker.Lendecke at SerNet.DE; samba-technical at lists.samba.org
> Subject: Re: NTLMv2
> Andrew Bartlett wrote:
> > I would be very happy to see Samba 3.2 move to NTLMv2
> > only, but we should clearly document how to disable it
> > when not supported. Certainly vendors with much
> > tighter support arrangements with their customers
> > could do so with greater certainty than perhaps we
> > could for upstream Samba.
> IIRC Samba domain controllers would be fine with this. What
> Windows servers/DCs would this break?
NTLMv2 auth is supported on NT4 SP4 and 2k onward. If a Samba DC works fine with it, then it's a pretty safe default.
The only trick is that the Samba code uses the same parameter for the client-talking-to-random-server role as it does for the server-talking-to-a-DC role. I think the latter role is safe to default to NTLMv2 at this point, but defaulting all clients would certainly be riskier.