Disable "ntlm auth" by default
metze at samba.org
Fri Jul 22 11:09:49 UTC 2016
On 22.07.2016 at 12:11, Matthew Newton wrote:
> On Fri, Jul 22, 2016 at 11:36:09AM +0200, Stefan Metzmacher wrote:
>> On 22.07.2016 at 11:17, Andrew Bartlett wrote:
>>> On Fri, 2016-07-22 at 10:15 +0200, Stefan Metzmacher wrote:
>>>> here're patches which change the default of the "ntlm auth"
>>>> option from yes to no.
>>> The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. This needs
>>> to be called out in the docs. Ideally we would have a tri-state here
>>> to support this only when the MSV1_0_ALLOW_MSVCHAPV2 flag is specified
>>> by a client.
>> I've added notes regarding "The primary user of NTLMv1 is MSCHAPv2 for
>> VPNs and 802.1x".
> A view from another side...
> There are a lot of people using FreeRADIUS and Samba to
> authenticate (mostly wireless) connections with 802.1X, and it
> comes up on the FR lists quite a lot.
> Disabling NTLMv1 is a good thing, but I'm sure it would be
> appreciated if the notices informing people of this were as clear
> as possible, to save more questions on the list of "why did
> FreeRADIUS break when I upgraded Samba" :-)
> The above is good, but I'm not sure whether people would
> associate it quickly with "upgrading to this Samba will break my
> wireless authentication".
> Is this alternative too long-winded?
> The primary use of NTLMv1 is MSCHAPv2 for VPNs and 802.1X. For
> example, PEAP/MSCHAPv2 for wireless network or VPN authentication
> with RADIUS will need this option enabled.