[Samba] possible to deactivate pre-authentification on the Linux (or windows)- Please help

Andrew Bartlett abartlet at samba.org
Thu Mar 31 22:56:23 MDT 2011


On Tue, 2011-03-15 at 19:44 -0500, Rob Townley wrote:

> I wonder if it would be better to attempt a reset of the machine
> account password from AD, then set DONT_REQ_PREAUTH.
> 
> You can change it via adsiedit or adexplorer.exe
> DONT_REQ_PREAUTH
> 
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B305144
> ms-DS-User-Account-Control-Computed
> 
> p.s. I typed this 5 days ago and just found it was not sent.

Please do not set this setting.  It will further compromise the security
of your AD domain, because it means that any unauthenticated user can
request the current time encrypted with the account's password, allowing
an offline attack.  It should not ever be set in my view.

The reason the Unix clients attempt a login without pre-authentication
is to obtain the salt returned in the reply.  It should not be regarded
as an error.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
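As an added example (not from this thread or from Samba), here is a small audit helper a domain administrator can use to find the accounts that already carry the DONT_REQ_PREAUTH flag Andrew warns about. It uses the well-known userAccountControl bit values and the LDAP bitwise-AND matching rule OID; the sample records are constructed, and the record layout (a dict per account with sAMAccountName and userAccountControl) is an assumption about how an LDAP export would be fed in.

```python
# Added example (not from the thread): audit which AD accounts have the
# DONT_REQ_PREAUTH bit set in userAccountControl, i.e. accounts for which
# the KDC returns an AS-REP encrypted with the account's key without any
# pre-authentication. The sample records below are constructed.

# Well-known userAccountControl bits (Microsoft ADS_USER_FLAG enum)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match rule
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def preauth_audit_filter() -> str:
    """LDAP filter selecting enabled accounts that do not require pre-auth."""
    return (
        "(&(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def accounts_without_preauth(records):
    """Return sAMAccountNames of enabled accounts with DONT_REQ_PREAUTH set.

    `records` is an iterable of dicts carrying 'sAMAccountName' and an
    integer 'userAccountControl' (assumed export layout).
    """
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits


# Constructed sample export: one flagged user, one flagged-but-disabled
# user, and one machine account that was never flagged.
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old-temp", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "FILESRV01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    print(preauth_audit_filter())
    for name in accounts_without_preauth(SAMPLE_RECORDS):
        print(f"pre-authentication disabled: {name}")
```

The filter string can be passed unchanged to ldapsearch or any LDAP client against the domain; the local function gives the same verdict on an already exported set of accounts.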


