Disable "ntlm auth" by default
abartlet at samba.org
Fri Jul 22 09:51:17 UTC 2016
On Fri, 2016-07-22 at 11:36 +0200, Stefan Metzmacher wrote:
> Am 22.07.2016 um 11:17 schrieb Andrew Bartlett:
> > On Fri, 2016-07-22 at 10:15 +0200, Stefan Metzmacher wrote:
> > > Hi,
> > >
> > > here're patches which change the default of the "ntlm auth"
> > > option from yes to no.
> > >
> > > Please review and push:-)
> > The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. This
> > needs
> > to be called out in the docs. Ideally we would have a tri-state
> > here
> > to support this only when the MSV1_0_ALLOW_MSVCHAPV2 flag is
> > specified
> > by a client.
> I've added notes regarding "The primary user of NTLMv1 is MSCHAPv2
> VPNs and 802.1x".
> But I think magic regarding the MSV1_0_ALLOW_MSVCHAPV2 flag, is a
> for another day.
Agreed. It would need good tests etc, more than we can do for now, and
this is easy to spot and fix on upgrade.
> Is the attached version fine for master/4.5 now?
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical