[Samba] ntlm_auth and SMBv2/v3

Andrew Bartlett abartlet at samba.org
Thu Jun 8 19:36:17 UTC 2017


On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
> hai, 
>  
> Please keep mailing it to the list; this way it shows up for others also. 
> A workaround for disabling SMBv1: you can make your server less secure, but that's not what I would do. 
> 
> Setting these to enable NTLM v1 again.
> 
> lanman auth = yes

NEVER set this.

> ntlm auth = yes

This enables NTLMv1.  To be clear, this isn't related to SMBv1.  This
is the only change required to re-enable MSCHAPv2.  I plan to create a
ntlm auth = mschapv2-only option (indeed I have been given such a
patch) but I need to finish the test. 

> raw NTLMv2 auth = yes

This only applies to NTLMv2 on SMBv1, and should also NEVER be set for
modern networks.  

I'm mentioning this because Samba folklore grows so quickly, and folks
rapidly paste in whatever setting they find, even if they reduce
security dramatically.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
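
An audit check for the three settings discussed in the message above, as an added example that is not part of the original post or of Samba itself. It assumes one setting per line (no backslash continuations); the function name `audit` and the sample configuration are constructed for illustration.

```python
import re

# Settings the reply above warns about, keyed by normalised name
# (smb.conf ignores case and whitespace inside parameter names).
RISKY = {
    "lanmanauth": "enables LANMAN authentication; never set",
    "ntlmauth": "enables NTLMv1",
    "rawntlmv2auth": "raw NTLMv2 on SMBv1; never set on modern networks",
}
# Boolean spellings smb.conf accepts for "yes". "ntlmv1-permitted" is the
# enumerated equivalent for "ntlm auth" in later Samba releases (taken from
# the Samba documentation, not from this thread).
TRUTHY = {"yes", "true", "1", "on", "ntlmv1-permitted"}


def audit(text):
    """Return (line_no, section, parameter, reason) for each risky setting."""
    findings, section = [], "global"  # parameters before any header are global
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        key = re.sub(r"\s+", "", name).lower()
        if sep and key in RISKY and value.strip().lower() in TRUTHY:
            findings.append((no, section, name.strip(), RISKY[key]))
    return findings


# Constructed sample, not a real configuration.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   ; lanman auth = yes
   LANMAN Auth = Yes
   ntlm auth = yes
   raw NTLMv2 auth = no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d [%s] %s: %s" % finding)
```

Running it against the effective configuration (for example the output of `testparm -s`) also catches settings pulled in through include files.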



