Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)

Andrew Bartlett abartlet at
Tue Dec 15 02:38:19 UTC 2015

On Mon, 2015-12-14 at 17:34 -0800, Jeremy Allison wrote:
> On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > Interesting post here:
> > 
> >
> > s-attacks/
> > 
> > Still reading it myself to try and understand
> > if it's a real issue or not, but thought the
> > list would be interested.
> Hmmm. Doesn't look real as far as I can see
> (the article is full of hyperbole).
> It's got lots of phrases like:
> "So, if we have an access to the key.."
> "if we’re able to steal those tickets and somehow
> insert them into our own system"
> "It’s just an account in domain controller
> database, so your obviously need access to DC or it’s data."
> So looks like a "if we can break the security
> then we've broken the security" article :-).
> Move along, nothing to see here, sorry for
> the noise.

More of a worry is that per one of the talks at KiwiCon, cracking an
NTLM (not NTLMv2) response is down to $100 and 8 hours on a cloud
computing provider.  That gives you the NT hash, which you can of
course use to get a krb5 ticket, or just do NTLM logins. 

I think we should disable NTLM (when not NTLMv2) for 4.4 by default,
possibly with an optional exception for MSCHAPv2.

(The MSCHAPv2 story is so, so sad, because we save our worst crypto for
our VPN connections...). 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
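The default proposed above, written out as smb.conf settings. This is an added example, not part of the thread or of any Samba release configuration, and it assumes the `ntlm auth` values that later Samba releases introduced (`ntlmv2-only`, and `mschapv2-and-ntlmv2-only` for the MSCHAPv2 exception); in 4.4 itself the parameter is only yes/no.

```ini
[global]
    # Weak: accepts NTLMv1 responses, which the talk cited above puts at
    # roughly $100 / 8 hours of cloud cracking, yielding the NT hash.
    #ntlm auth = yes

    # Hardened default: refuse NTLMv1 entirely, keep NTLMv2.
    ntlm auth = ntlmv2-only

    # Optional exception when the box is a RADIUS/VPN backend that still
    # needs MSCHAPv2 (value assumed to exist in later releases, not 4.4).
    #ntlm auth = mschapv2-and-ntlmv2-only

    # LanMan responses are weaker still; never accept or send them.
    lanman auth = no
    client lanman auth = no

    # Samba as a client should only ever answer with NTLMv2.
    client ntlmv2 auth = yes
```

Run `testparm -s` after editing to confirm the parameter names and values parse cleanly on the version you actually deploy.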
