[Samba] Remove LanMan auth from the AD DC and possibly file server?
rpenny at samba.org
Wed Jan 26 17:03:38 UTC 2022
On Wed, 2022-01-26 at 08:55 -0800, Jeremy Allison via samba-technical
> On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba
> > On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
> > > My feeling is that for the Win9X and OS/2 irrilplacable
> > > industrial
> > > equipment case, that guest authentication would suffice, combined
> > > with
> > > 'force user' and 'hosts allow' for 'security'.
> > >
> > > What do folks think?
> > my gut feeling is that many users will be very unhappy with such a
> > change. I
> > know many setups where the clients say that ntlm auth is still
> > required for
> > them and where guest auth would not be an option. Even on AD DCs
> > sometimes. For
> > sure on member servers.
> Correct me if I'm wrong Andrew, but I think Andrew is not
> thinking about removing NTLM, but only the storage of
> LM password hashes.
> From the "lanman auth" section of the man page:
> This parameter has been deprecated since Samba 4.11 and
> support for LanMan (as distinct from NTLM, NTLMv2 or Kerberos
> authentication) will be removed in a future Samba release.
> Removing the LM password hashes gets a hearty thumbs-up
> from me :-).
> But I may be miss-reading the original message. Sorry
> if I'm just adding to the confusion :-).
I must be confused as well then, because that is exactly how I read it,
just remove the hashes :-)
More information about the samba-technical