[Samba] NTLMv2, Samba, and Squid

mups.cp mups.cp at gmail.com
Tue Sep 11 12:20:35 GMT 2007


Thanks for the points.

On 9/11/07, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2007-09-10 at 11:36 -0300, mups.cp wrote:
> > > > min protocol = LANMAN2
> > > > max protocol = NT1
> > >
> > > Why are you setting this?
> >
> > I prefer to set these values because I force the server to accept only
> > secure protocols. Windows protocols earlier than LANMAN2 could be
> > easily eavesdropped from the network. LANMAN2 and higher are stronger.
>
> Not really.  Aside from a new experiment with the CIFS posix extensions,
> all carry the data in cleartext.  In terms of passwords,
>
> > I remember that L0pht Crack attacked this.
> > The default 'min protocol' could allow some kind of attack in the network.
>
> If the attacker is 'active', then they could spoof this anyway.  If the
> attacker is passive, the clients negotiate the strongest security
> anyway.
>
> For a long time windows clients have refused to send cleartext
> passwords.  Samba 3.2.0 will likewise refuse by default.
>
> The message I'm trying to put out is that with Samba 3.0, if you don't
> want to send a password l0phtcrack will enjoy, set either:
>
> client lanman auth = no
>
> (this will be the default in Samba 3.2)
> or if you want NTLMv2, set
>
> client ntlmv2 auth = yes
>
> It is that simple to make Samba more secure, and messing with other
> protocol options etc. will just bite you later, if we have good reason to
> change the defaults.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.
>
>


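As an added example (not from the thread or the Samba project), a small Python audit that parses the [global] section of an smb.conf and reports whether it follows Andrew's advice: flag a client that may still send LM responses, and flag pinned 'min protocol'/'max protocol' values. The Samba 3.0 defaults for the two client parameters are taken from the thread, and the sample configs are constructed.

```python
import re
# Defaults assumed for the Samba 3.0 era in the thread (client lanman auth
# = yes, client ntlmv2 auth = no); Samba 3.2 flips the first one to no.
SAMBA30_DEFAULTS = {"clientlanmanauth": "yes", "clientntlmv2auth": "no"}
TRUE_VALUES = {"yes", "true", "1"}
PINNED = {"minprotocol": "min protocol", "maxprotocol": "max protocol"}

def normalize_key(key):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalized_key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][normalize_key(key)] = value.strip()
    return sections

def audit_client_auth(text):
    """Return findings for the [global] section; an empty list means the
    config follows the thread's advice (no LM response, or NTLMv2 on)."""
    glob = parse_smb_conf(text).get("global", {})
    settings = dict(SAMBA30_DEFAULTS)
    settings.update({k: v.lower() for k, v in glob.items() if k in settings})
    findings = []
    lanman = settings["clientlanmanauth"] in TRUE_VALUES
    ntlmv2 = settings["clientntlmv2auth"] in TRUE_VALUES
    if lanman and not ntlmv2:
        findings.append("client may send LM responses: set 'client lanman "
                        "auth = no' or 'client ntlmv2 auth = yes'")
    for key, name in PINNED.items():
        if key in glob:
            findings.append(f"'{name}' is pinned to {glob[key]}; leave "
                            "protocol negotiation at the defaults")
    return findings

# Constructed samples: the poster's pinning without the client auth
# settings, and the hardened form recommended in the thread.
WEAK_CONF = "[global]\n min protocol = LANMAN2\n max protocol = NT1\n"
HARDENED_CONF = "[global]\n client lanman auth = no\n client ntlmv2 auth = yes\n"
```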