[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Andrew Bartlett abartlet at samba.org
Sat Apr 17 15:51:18 MDT 2010


On Sat, 2010-04-17 at 08:50 -0500, Steve French wrote:
> On Sat, Apr 17, 2010 at 5:29 AM, Jeff Layton <jlayton at samba.org> wrote:

> > In any case, I think the right solution is just to have CIFS always use
> > extended session security and NTLMv2.
> 
> This is a good idea - I had been planning to rip the NTLM code
> out of SMB2 (simplifies things, and SMB2 is only NTLMSSP or krb5/SPNEGO)
> and this will probably make the code more consistent if we don't do
> NTLM in NTLMSSP for cifs as well (although plenty of cifs servers don't
> support NTLMv2 we probably would never have to use NTLMSSP to them)

I strongly encourage you not to do this.  You should always use NTLMSSP,
but I would always support at least NTLMSSP with NTLM2 to those servers.
It is much more secure than raw NTLM. 

You should do NTLMv2 by default, but it is far more fragile than the
older versions, and you will find incompatibilities. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100418/3cc1c3ac/attachment.pgp>


More information about the samba-technical mailing list