Disable "ntlm auth" by default

Stefan Metzmacher metze at samba.org
Fri Jul 22 11:09:49 UTC 2016

Am 22.07.2016 um 12:11 schrieb Matthew Newton:
> Hi,
> On Fri, Jul 22, 2016 at 11:36:09AM +0200, Stefan Metzmacher wrote:
>> Am 22.07.2016 um 11:17 schrieb Andrew Bartlett:
>>> On Fri, 2016-07-22 at 10:15 +0200, Stefan Metzmacher wrote:
>>>> here're patches which change the default of the "ntlm auth"
>>>> option from yes to no.
>>> The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.  This needs
>>> to be called out in the docs.  Ideally we would have a tri-state here
>>> to support this only when the MSV1_0_ALLOW_MSVCHAPV2 flag is specified
>>> by a client. 
>> I've added notes regarding "The primary user of NTLMv1 is MSCHAPv2 for
>> VPNs and 802.1x".
> A view from another side...
> There are a lot of people using FreeRADIUS and Samba to
> authenticate (mostly wireless) connections with 802.1X, and it
> comes up on the FR lists quite a lot.
> Disabling NTLMv1 is a good thing, but I'm sure it would be
> appreciated if the notices informing people of this were as clear
> as possible, to save more questions on the list of "why did
> FreeRADIUS break when I upgraded Samba" :-)
> The above is good, but I'm not sure whether people would
> associate it quickly with "upgrading to this Samba will break my
> wireless authentication".
> Is this alternative too long-winded?
>   The primary use of NTLMv1 is MSCHAPv2 for VPNs and 802.1X. For
>   example, PEAP/MSCHAPv2 for wireless network or VPN authentication
>   with RADIUS will need this option enabled.

Thanks! added.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160722/86efaf69/signature.sig>

More information about the samba-technical mailing list