[Samba] Is NTLMv2 auth possible with security = SERVER ?

Andrew Bartlett abartlet at samba.org
Mon Feb 8 19:02:28 MST 2010


On Tue, 2010-02-09 at 10:47 +1000, Jake Carroll wrote:
> Hi list.
> 
> I've been running up against a bunch of NTLMv2-related issues recently with Windows 7 and Mac OS X 10.6 client systems attempting to connect to my Solaris 10 Samba 3.0.37 server.
> 
> As it turns out, Sun engineering suggest that because I use "security = SERVER" rather than "security = DOMAIN", NTLMv2 auth will never actually work, even if I have settings such as:
> 
> client lanman auth = no
> ntlm auth = no
> client ntlmv2 auth = yes
> 
> So - I guess the question is, is it possible to use NTLMv2 with security = server, or does that fundamentally not make sense? The suggestions engineering have given me suggest it's just not possible and it needs to be running in domain mode to work. Any workarounds/techniques to get around such an issue?

You should never use 'security=server' if there is any other possible
way to authenticate your users.  It is a disgusting man-in-the-middle
attack that therefore makes important security features go away,
including NTLMv2.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
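
Added example (not part of the original thread and not Samba project code): a small smb.conf check that flags the combination discussed above, where `security = server` is set alongside `client ntlmv2 auth = yes`. The sample configuration is constructed from the settings quoted in the question, and the function names and the `EXAMPLE` workgroup are illustrative assumptions.

```python
import re

# Constructed sample: the settings quoted in the question plus the
# 'security = server' line the poster says he uses. Not a real server's file.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   Security = SERVER      
   client lanman auth = no
   ntlm auth = no
   client ntlmv2 auth = yes
; security = domain
[share]
   path = /export/share
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = _norm(m.group(1))
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' counts
            params[_norm(name)] = value.strip()
    return params

def audit(text):
    """Return findings for a config that relies on pass-through auth."""
    p = global_params(text)
    findings = []
    if p.get("security", "").lower() == "server":
        findings.append("security = server: pass-through authentication in use")
        if p.get("clientntlmv2auth", "").lower() in ("yes", "true", "1"):
            findings.append("client ntlmv2 auth = yes is set, but per the "
                            "reply above NTLMv2 goes away in this mode")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

The parser does not handle backslash line continuations or `include` directives, so run it against the fully expanded configuration.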
