Disable "ntlm auth" by default

Andrew Bartlett abartlet at samba.org
Fri Jul 22 09:17:30 UTC 2016

On Fri, 2016-07-22 at 10:15 +0200, Stefan Metzmacher wrote:
> Hi,
> here're patches which change the default of the "ntlm auth"
> option from yes to no.
> Please review and push:-)

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.  This needs
to be called out in the docs.  Ideally we would have a tri-state here
to support this only when the MSV1_0_ALLOW_MSVCHAPV2 flag is specified
by a client. 

(I hate this flag on principle, because it perpetuates the use of
NTLMv1 rather than forcing MS to rev to a sane, secure VPN and 802.1x

Otherwise, I'm fine with this. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list