[Samba] getting rid of lmhashes?
Andrew Bartlett
abartlet at samba.org
Tue Mar 7 03:38:58 GMT 2006
On Mon, 2006-03-06 at 21:22 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Bartlett wrote:
> > On Thu, 2006-03-02 at 22:50 +0100, Mark Proehl wrote:
> >
> >> I created a patch that introduces a new parameter "disable lanman hash"
> >> (attached).
> >
> > I think this is the correct approach. I've been considering the same
> > for Samba4 (where we also need to consider what kerberos enc types are
> > reasonable).
>
> The only thing about the original patch that made me go
> ughh was the new parameter. Can we piggy back this off
> an existing setting somehow? Perhaps 'lanman auth = no'?
That would be reasonable, and has pro's and cons:
- The admin probably expects that 'lanman auth = no' prevents any work
(storage and authentication) with the LM hash
- But this prevents the admin from storing the hash for the future, in
case he has to back out of the security upgrade (finds win9X machines
back on the network).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20060307/e866bfe4/attachment.bin
More information about the samba
mailing list