Can samba mitigate the vulnerability of NT hashes?

David Collier-Brown davec-b at rogers.com
Wed Jan 9 08:40:22 MST 2013


Cool: you guys are solving Windows problems before they are even
discovered (:-))

I've forwarded Laurent's comment to Slashdot, and suggested folks there
consider setting up a virtual server using v2 to migrate unbroken
services to.  Are there many things (some older IEs, for example) that
break with v2? It might be nice to default to the most modern setting
one can...

--dave

On 01/09/2013 09:55 AM, laurent gaffie wrote:
> Hi Dave,
> 
> See :
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#NTLMAUTH
> 
> Also, forcing NTLMv2 authentication won't stop offline cracking attacks
> if you don't use strong passwords.
> 
> Regards,
> 
> 2013/1/9 David Collier-Brown <davec-b at rogers.com>
> 
>     Slashdot was all a-twitter about Mark Gamache's tutorial on breaking
>     NTLM hashes (see
>     http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html)
> 
>     I know we have long supported NTLMv2, but does the protocol allow a
>     Samba server to convince a client to *only* use NTLMv2, the version that
>     is not susceptible to this particular attack?
> 
>     If so that would be A Kind Thing to do for the community...
> 
>     --dave
>     --
>     David Collier-Brown,         | Always do right. This will gratify
>     System Programmer and Author | some people and astonish the rest
>     davecb at spamcop.net           |                      -- Mark Twain
>     (416) 223-8968
> 
> 


-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net           |                      -- Mark Twain
(416) 223-8968
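
The `ntlm auth` parameter that Laurent's link points to, shown as an added example that is not part of the original thread or of Samba's own code: a small audit of an smb.conf `[global]` section reporting which pre-NTLMv2 responses smbd would still accept. The function names, the sample configurations and the absent-parameter defaults (`ntlm auth = yes`, `lanman auth = no`, as documented for Samba 3.x) are assumptions of this example; per smb.conf(5), only NTLMv2 logins are permitted when both parameters are disabled.

```python
import re

# Assumed Samba 3.x defaults when a parameter is absent (an assumption of
# this example; confirm against smb.conf(5) for the version in use).
DEFAULTS = {"ntlmauth": True, "lanmanauth": False}
TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

# Constructed sample configurations, not taken from any real server.
WEAK = "[global]\n  workgroup = EXAMPLE\n  lanman auth = yes\n"
HARDENED = "[global]\n  NTLM Auth = no\n  lanman auth = no\n"

def norm(name):
    """Parameter and section names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalised name: raw value} for the [global] section."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # trailing backslash continues a line
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def legacy_auth_findings(text):
    """List the pre-NTLMv2 response types this configuration still accepts."""
    params, findings = global_params(text), []
    for key, label in (("ntlmauth", "NTLMv1"), ("lanmanauth", "LM")):
        raw = params.get(key, "").lower()
        if raw in TRUE_WORDS | FALSE_WORDS:
            enabled, why = raw in TRUE_WORDS, "set explicitly"
        elif not raw:
            enabled, why = DEFAULTS[key], "default"
        else:  # flag a value this example does not understand
            enabled, why = True, "unrecognised value"
        if enabled:
            findings.append("%s responses accepted (%s)" % (label, why))
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, legacy_auth_findings(conf) or "NTLMv2 only")
```

An empty result means the server side is restricted to NTLMv2; as the reply above notes, that does not protect weak passwords from offline cracking.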

