NTLMv1 authentication works even though it is disabled
Andrew Bartlett
abartlet at samba.org
Tue Aug 28 19:25:26 UTC 2018
On Tue, 2018-08-28 at 07:03 -0500, shivappa Sangapur via samba-
technical wrote:
> CVE-2018-1139 seems to be using NTLMv1 auth only if NTLM_AUTH_ON is
> enabled,
> that means ntlm auth=yes is set in smb.conf. (by default ntlmv1 is
> disabled
> from samba4.5)
> I'm running samba-4.7.4.
> I have observed a strange thing. Is it an expected behavior ? I don't
> think
> so.
> Set *client NTLMv2 auth=No*, *ntlm auth=Yes* in smb.conf file.
> In Windows 7 set LAN Auth Level as *'Send NTLMv2, Refuse LM and NTLM'
> *.
> Connect to Windows 7 share using smbclient command with *-mNT1*
> option from
> samba-4.7.4,
> Actually it should not connect, Since NTLM is disabled in Windows 7,
> But the smbclient is connecting to Windows 7 shares.
>
> Vice-versa also works (that is connect samba-4.7.4 shares from
> Windows 7)
>
> Above behavior is same before CVE-2018-1139 fix also.
> Any idea why so ?
This bug is about the server, not the client behaviour. If your
Windows 7 is permitting NTLMv1 connections that is Microsoft's problem,
not ours, unless this is in a Samba AD domain, using a Samba AD
account.
I think a different policy setting is controlling if Windows 7 is
accepting NTLM authentication, that one is about sending it (as a
client).
Sorry for any confusion.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list