NTLMv1 authentication works even though it is disabled

Andrew Bartlett abartlet at samba.org
Tue Aug 28 19:25:26 UTC 2018

On Tue, 2018-08-28 at 07:03 -0500, shivappa Sangapur via samba-
technical wrote:
> CVE-2018-1139 seems to be using NTLMv1 auth only if NTLM_AUTH_ON is
> enabled,
> that means ntlm auth=yes is set in smb.conf. (by default ntlmv1 is
> disabled
> from samba4.5)
> I'm running samba-4.7.4.
> I have observed a strange thing. Is it an expected behavior ? I don't
> think
> so.
> Set *client NTLMv2 auth=No*, *ntlm auth=Yes* in smb.conf file.
> In Windows 7 set LAN Auth Level as *'Send NTLMv2, Refuse LM and NTLM'
> *. 
> Connect to Windows 7 share using smbclient command with *-mNT1*
> option from
> samba-4.7.4,
> Actually it should not connect, Since NTLM is disabled in Windows 7,
> But the smbclient is connecting to Windows 7 shares.
> Vice-versa also works (that is connect samba-4.7.4 shares from
> Windows 7)
> Above behavior is same before CVE-2018-1139 fix also.
> Any idea why so ?

This bug is about the server, not the client behaviour.  If your
Windows 7 is permitting NTLMv1 connections that is Microsoft's problem,
not ours, unless this is in a Samba AD domain, using a Samba AD

I think a different policy setting is controlling if Windows 7 is
accepting NTLM authentication, that one is about sending it (as a

Sorry for any confusion.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list