Disable "ntlm auth" by default
mcn4 at leicester.ac.uk
Fri Jul 22 10:11:46 UTC 2016
On Fri, Jul 22, 2016 at 11:36:09AM +0200, Stefan Metzmacher wrote:
> Am 22.07.2016 um 11:17 schrieb Andrew Bartlett:
> > On Fri, 2016-07-22 at 10:15 +0200, Stefan Metzmacher wrote:
> >> here're patches which change the default of the "ntlm auth"
> >> option from yes to no.
> > The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. This needs
> > to be called out in the docs. Ideally we would have a tri-state here
> > to support this only when the MSV1_0_ALLOW_MSVCHAPV2 flag is specified
> > by a client.
> I've added notes regarding "The primary user of NTLMv1 is MSCHAPv2 for
> VPNs and 802.1x".
A view from another side...
There are a lot of people using FreeRADIUS and Samba to
authenticate (mostly wireless) connections with 802.1X, and it
comes up on the FR lists quite a lot.
Disabling NTLMv1 is a good thing, but I'm sure it would be
appreciated if the notices informing people of this were as clear
as possible, to save more questions on the list of "why did
FreeRADIUS break when I upgraded Samba" :-)
The above is good, but I'm not sure whether people would
associate it quickly with "upgrading to this Samba will break my
Is this alternative too long-winded?
The primary use of NTLMv1 is MSCHAPv2 for VPNs and 802.1X. For
example, PEAP/MSCHAPv2 for wireless network or VPN authentication
with RADIUS will need this option enabled.
Though there is always the general problem of people not reading
the documentation :(
FreeRADIUS as a MSCHAP client has at least got support for the
nasty MSV1_0_ALLOW_MSVCHAPV2 hack now, so things would be fine
if that makes it in to Samba.
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
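An added illustration, not part of Matthew's message nor of the Samba patches under discussion: the smb.conf settings on the Samba/winbind side of a FreeRADIUS PEAP/MSCHAPv2 deployment, with the permissive setting beside the narrower one. The value mschapv2-and-ntlmv2-only and the matching ntlm_auth --allow-mschapv2 flag are the tri-state Andrew asks for above; they were added in Samba 4.7, after this thread, so on the Samba version being discussed here only yes and no exist. The domain, realm and paths are assumed.

```ini
; Samba side of a FreeRADIUS PEAP/MSCHAPv2 setup: winbind runs on the
; RADIUS host, which is joined to the domain.  Added example, not from
; the thread; domain and realm names are placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    security = ads
    winbind use default domain = yes

    ; 1) The old default that the patches in this thread change.
    ;    NTLMv1 responses (and so MSCHAPv2 checked through ntlm_auth)
    ;    are accepted from every client, including ordinary SMB/NTLMSSP
    ;    logons, which is the exposure the change is meant to close.
    ; ntlm auth = yes

    ; 2) The new default.  NTLMv1 is refused for everyone, so
    ;    ntlm_auth --request-nt-key ... fails and FreeRADIUS logs
    ;    MS-CHAP failures: "FreeRADIUS broke when I upgraded Samba".
    ;    On a Samba that only knows yes/no, a RADIUS host has to set
    ;    "ntlm auth = yes" explicitly after the default flips.
    ; ntlm auth = no

    ; 3) The tri-state discussed above, as it later appeared in Samba 4.7.
    ;    NTLMv1 stays refused for ordinary clients; an NTLMv1-style
    ;    response is computed only when the caller sets the
    ;    MSV1_0_ALLOW_MSVCHAPV2 flag, which ntlm_auth does when invoked
    ;    with --allow-mschapv2.
    ntlm auth = mschapv2-and-ntlmv2-only
```

With setting 3, the FreeRADIUS side (the ntlm_auth command line in rlm_mschap's configuration, mods-available/mschap in 3.x) must pass --allow-mschapv2; releases that know the flag ship it there, and on older ones it has to be added by hand. A quick check after an upgrade is to run the same ntlm_auth --request-nt-key command FreeRADIUS uses, with and without --allow-mschapv2, against a test account: with setting 3 only the invocation carrying the flag should succeed.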