Disable "ntlm auth" by default
uri at samba.org
Thu Jul 28 20:07:51 UTC 2016
On 07/28/2016 04:36 PM, Stefan Metzmacher wrote:
> Am 28.07.2016 um 15:12 schrieb Uri Simchoni:
>> On 07/22/2016 11:15 AM, Stefan Metzmacher wrote:
>>> here're patches which change the default of the "ntlm auth"
>>> option from yes to no.
>>> Please review and push:-)
>> Does Windows have such a mode that would accept only NTLMv2-SSP? (the
>> combination of disabling ntlm auth and raw ntlmv2) They don't seem to
>> make the distinction between "raw" and SSP in their docs...
> I don't know about the options.
> But raw ntlmv2 is completely disabled for quite some time without an option.
There's LMCompatibilityLevel under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (also settable
via group policy and whatnot). Setting it to 5 should cause the server
to refuse NTLM but in my testing, one machine (Win7) accepted NTLM and
with another (2012R2) the setting gets reset across reboot.
More information about the samba-technical