[Samba] ntlm_auth and SMBv2/v3

Arnab Roy arniekol at gmail.com
Thu Jun 8 18:42:37 UTC 2017 

Hi Louis,

Freeradius needs to check mschap hash via AD , I raised this already and it
would appear the way forward would be for ntlm_auth to natively support
NTLMv2 which will than resolve this issue for good. I will post this in the
dev thread and see what they have to say.

Thanks again for your help.

Arnab

On Thu, Jun 8, 2017 at 2:30 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

> hai,
>
> Please keep it mailing to the list, this way is shows up of others also.
> A workaround for disabling SMBv1, you can make your server less secure but
> thats not what i would do.
>
> Setting these to enable NTLM v1 again.
>
> lanman auth = yes
> ntlm auth = yes
> raw NTLMv2 auth = yes
> I think also this is more a question for the free raduis list, but i would
> to for a ldap(s) setup.
> just dont mixup these to : start_tls and tls_mode to connect to port
> 636 on a samba AD DC, you need :
> start_tls=no and tls_mode = yes
>
> My preffered auth order if the app allows it.
> kerberos
> ldap(s)
> ntlm as last resort.
>
> Best regards,
>
> Louis
>
>
>
>
> ------------------------------
> *Van:* Arnab Roy [mailto:arniekol at gmail.com]
> *Verzonden:* donderdag 8 juni 2017 15:07
> *Aan:* L.P.H. van Belle
> *Onderwerp:* Re: [Samba] ntlm_auth and SMBv2/v3
>
> Are their any plans finding a work around for this..as their tremendous
> amount of security paranoia related to smbv1 now...
>
> On 8 Jun 2017 13:54, "L.P.H. van Belle via samba" <samba at lists.samba.org>
> wrote:
>
>>
>> > -----Oorspronkelijk bericht-----
>> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> > Arnab Roy via samba
>> > Verzonden: donderdag 8 juni 2017 14:23
>> > Aan: samba at lists.samba.org
>> > Onderwerp: [Samba] ntlm_auth and SMBv2/v3
>> >
>> > Hi ,
>> >
>> > I just need some clarification ;
>> >
>> > We currently use ntlm_auth + winbind for AD auth on
>> > Freeradius, will disabling SMBv1 break authentication for
>> > ntlm_auth + Freeradius ?
>>
>> Yes
>>
>> >
>> > Many Thanks
>> > Arnab
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>

More information about the samba mailing list