Can samba mitigate the vulnerability of NT hashes?

Christopher R. Hertel crh at samba.org
Wed Jan 9 16:04:33 MST 2013


On 01/09/2013 04:47 PM, David Collier-Brown wrote:
> On 01/09/2013 04:29 PM, Christopher R. Hertel wrote:
>> Dave,
>>
>> There is information in my book about the settings used to force
>> LMv2/NTLMv2 authentication.  Note that there is no negotiation, so the
>> client in particular has to be configured to disallow v1.
>
> Bother!  I was really rather hoping that we could offer only the "good
> NTLMs" in a negotiation and thereby have the older clients behave securely.

Well...  the way to enforce this is to have the servers require LMv2/NTLMv2. 
  I suppose that Samba could be made to accept only NTLMv2.  In that case, 
clients that use LMv1/NTLMv1 would fail to authenticate, thus prompting a 
wringing of hands and an outcry from the masses to please allow us to run 
naked on the Internet with big signs saying "shoot me now, shoot me now".

Eventually, those clients would be configured to use the better 
authentication mechanisms, possibly bypassing NTLMv2 and going straight to 
Kerberos or somesuch.

I believe, in fact, that Windows servers may already come configured out of 
the box to accept only LMv2/NTLMv2, but I'm not certain.  Worth checking.

> Ah well, let us hope the MS sends a patch to make XP clients prefer the
> more secure approach.

A patch won't do it.  It's a registry setting.  In a domain, it can be 
enforced using GPOs, I believe.

Chridz -)-----

> Thanks, Chris!
>
> --dave (once more, a fact slays a wonderful, but incorrect, theory) c-b
>

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
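The enforcement Chris describes (server refuses LMv1/NTLMv1, client is told to send only NTLMv2) as an added example; this is not code from the thread or from the Samba project. It uses the real smb.conf parameters `lanman auth`, `ntlm auth`, `client lanman auth` and `client ntlmv2 auth`; the two [global] sections are constructed samples, and `smb_param` is a deliberately small parser (no `include`, registry config or `%` substitution) written for this illustration. The Windows client side in the comments is the `LmCompatibilityLevel` registry value, which is what the GPO "Network security: LAN Manager authentication level" sets.

```shell
#!/bin/sh
# Added example: make Samba accept only LMv2/NTLMv2 and verify the config.
#
# Constructed sample: a permissive [global] section that still accepts
# LM and NTLMv1 responses from old clients.
WEAK_CONF='[global]
   workgroup = EXAMPLE
   lanman auth = yes
   ntlm auth = yes
'

# Hardened [global] section: the server refuses LM and NTLMv1 responses,
# and the Samba client side (smbclient, winbind) only ever sends NTLMv2.
# On Windows clients the equivalent is the registry value
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel = 5
# (send NTLMv2 only, refuse LM and NTLM), pushed by the GPO
# "Network security: LAN Manager authentication level".
HARDENED_CONF='[global]
   workgroup = EXAMPLE
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
'

# smb_param CONF_TEXT NAME: print the last value of parameter NAME in the
# [global] section, lowercased (Samba treats later duplicates as overriding
# earlier ones and parameter names as case-insensitive). Prints nothing if
# the parameter is not set. Simplified parser written for this example.
smb_param() {
  printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*\[/ { ingl = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
    !ingl || /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
    {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == want) { last = tolower(val); found = 1 }
    }
    END { if (found) print last }'
}

# server_rejects_ntlmv1 CONF_TEXT: succeed (0) only when the config
# explicitly disables both LM and NTLMv1 server-side. Missing parameters
# count as "not enforced": the default for "ntlm auth" was yes until
# Samba 4.5 changed it to no, so an explicit setting is what we want to
# see. Newer Samba spells "no" as "ntlmv2-only"; "disabled" and
# "mschapv2-and-ntlmv2-only" also refuse NTLMv1 on the wire.
server_rejects_ntlmv1() {
  lm=$(smb_param "$1" 'lanman auth')
  ntlm=$(smb_param "$1" 'ntlm auth')
  case "$lm" in
    no|false|0) ;;
    *) return 1 ;;
  esac
  case "$ntlm" in
    no|false|0|ntlmv2-only|mschapv2-and-ntlmv2-only|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# client_sends_ntlmv2_only CONF_TEXT: the Samba client side must refuse to
# send LM and must use NTLMv2 responses.
client_sends_ntlmv2_only() {
  clm=$(smb_param "$1" 'client lanman auth')
  cv2=$(smb_param "$1" 'client ntlmv2 auth')
  case "$clm" in no|false|0) ;; *) return 1 ;; esac
  case "$cv2" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

report() {
  if server_rejects_ntlmv1 "$2"; then
    echo "$1: server refuses LM/NTLMv1 (NTLMv2 only); v1 clients will fail to authenticate"
  else
    echo "$1: server still accepts LM/NTLMv1"
  fi
}

report WEAK_CONF "$WEAK_CONF"
report HARDENED_CONF "$HARDENED_CONF"
```

On a live system run the same two questions against `testparm -s -v | grep -i 'ntlm auth\|lanman auth'`, which prints the effective values including version defaults; the parser above is only for checking the file as written.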

