[Samba] NTLMv2, Samba, and Squid

Andrew Bartlett abartlet at samba.org
Tue Sep 11 05:01:47 GMT 2007


On Mon, 2007-09-10 at 11:36 -0300, mups.cp wrote:
> > > min protocol = LANMAN2
> > > max protocol = NT1
> >
> > Why are you setting this?
> 
> I prefer to set these values because I force the server to accept only
> secure protocols. Windows protocols earlier than LANMAN2 could be
> easily eavesdropped from the network. LANMAN2 and higher are stronger.

Not really.  Aside from a new experiment with the CIFS posix extensions,
all carry the data in cleartext.  In terms of passwords, 

> I remember from L0pht Crack that attacked this.
> The default 'min protocol' could allow some kind of attack in the network.

If the attacker is 'active', then they could spoof this anyway.  If the
attacker is passive, the clients negotiate the strongest security
anyway.  

For a long time windows clients have refused to send cleartext
passwords.  Samba 3.2.0 will likewise refuse by default.

The message I'm trying to put out is that with Samba 3.0, if you don't
want to send a password l0phtcrack will enjoy, set either:

client lanman auth = no 

(this will be the default in Samba 3.2)
or if you want NTLMv2, set

client ntlmv2 auth = yes

It is that simple to have Samba more secure, and messing with other
protocol options etc will just bite you later, if we have good reason to
change the defaults. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
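As an added example (not a tool from this thread or from the Samba project), the following Python script parses an smb.conf and reports whether the two client-side settings Andrew recommends are present in [global]. It also flags an explicitly pinned protocol range, which the post advises against. The two configurations inside it are constructed for illustration, the parser handles only the subset of smb.conf syntax needed here (section headers, "name = value" lines, comments), and it deliberately treats an unset "client lanman auth" as not hardened because, as the post says, the default depends on the Samba version.

```python
"""Audit an smb.conf [global] section for the settings discussed above.

Added example, not Samba code.  parse_smb_conf() covers only section
headers, 'name = value' lines, '#'/';' comments and blank lines; Samba's
'include' and '%' substitutions are not handled."""

# Constructed 'before' configuration: protocol range pinned, password
# options left at their (version-dependent) defaults.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   min protocol = LANMAN2
   max protocol = NT1
"""

# Constructed 'after' configuration: the protocol pinning is gone and the
# two settings recommended in the post are set explicitly.
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   client lanman auth = no
   client ntlmv2 auth = yes
"""

# Samba boolean spellings.
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _norm(name):
    # Samba parameter names are case-insensitive and ignore internal
    # whitespace, so "Client NTLMv2 Auth" and "client ntlmv2 auth" match.
    return "".join(name.split()).lower()


def parse_smb_conf(conf_text):
    """Return {section_name: {normalised_param: value}} for conf_text."""
    sections = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a parameter
        name, _, value = line.partition("=")
        sections[current][_norm(name)] = value.strip()
    return sections


def audit_client_auth(conf_text):
    """Return a list of (parameter, observed value, recommendation).

    An empty list means the [global] section already matches the advice
    in the post.  An absent 'client lanman auth' is reported because its
    default is 'yes' in Samba 3.0 and only becomes 'no' in 3.2."""
    g = parse_smb_conf(conf_text).get("global", {})
    findings = []

    lanman = g.get("clientlanmanauth")
    if lanman is None or lanman.lower() not in _FALSE:
        findings.append(("client lanman auth", lanman,
                         "set 'client lanman auth = no' so no LM response is sent"))

    ntlmv2 = g.get("clientntlmv2auth")
    if ntlmv2 is None or ntlmv2.lower() not in _TRUE:
        findings.append(("client ntlmv2 auth", ntlmv2,
                         "set 'client ntlmv2 auth = yes' to send NTLMv2 only"))

    pinned = {k: g[k] for k in ("minprotocol", "maxprotocol") if k in g}
    if pinned:
        findings.append(("min/max protocol", pinned,
                         "remove the explicit protocol range; clients already "
                         "negotiate the strongest dialect, and pinning it may "
                         "conflict with future defaults"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_client_auth(conf) or "ok")
```

Run it against a real file with `audit_client_auth(open("/etc/samba/smb.conf").read())`; the name normalisation means the check is not fooled by capitalisation or spacing differences in parameter names, and the boolean sets accept the spellings Samba itself accepts.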