[Samba] getting rid of lmhashes?

Andrew Bartlett abartlet at samba.org
Tue Mar 7 03:38:58 GMT 2006

On Mon, 2006-03-06 at 21:22 -0600, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Andrew Bartlett wrote:
> > On Thu, 2006-03-02 at 22:50 +0100, Mark Proehl wrote:
> > 
> >> I created a patch that introduces a new parameter "disable lanman hash"
> >> (attached). 
> > 
> > I think this is the correct approach.  I've been considering the same
> > for Samba4 (where we also need to consider what kerberos enc types are
> > reasonable).
> The only thing about the original patch that made me go
> ughh was the new parameter.  Can we piggy back this off
> an existing setting somehow?  Perhaps 'lanman auth = no'?

That would be reasonable, and has pro's and cons:
 - The admin probably expects that 'lanman auth = no' prevents any work
(storage and authentication) with the LM hash
 - But this prevents the admin from storing the hash for the future, in
case he has to back out of the security upgrade (finds win9X machines
back on the network).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20060307/e866bfe4/attachment.bin

More information about the samba mailing list