[Samba] ntlm_auth and SMBv2/v3

Arnab Roy arniekol at gmail.com
Tue Oct 17 14:34:01 UTC 2017


I think something needs to happen on this. The guys at freeradius are
pushing this back as a samba issue.

I know of some commercial radius vendors who have done mschapv2 over DCERPC
over tcp135 and higher ports rather than using ntlm. Not entirely sure of
the mechanisms.

Thanks
Arnab

On 17 Oct 2017 2:10 pm, "Lulzim KELMENI via samba" <samba at lists.samba.org>
wrote:

> Hello Andrew,
>
> Do you plan to release the patch for "ntlm auth = mschapv2-only" option soon?
> We need this in order to use freeradius in a "more safe" scenario than
> with "ntlm auth = yes".
>
> Best regards,
>
> Lulzim KELMENI
> Direction des Systèmes d'Information
> Mairie de Saint-Ouen
>
> On 08/06/2017 21:36, Andrew Bartlett via samba wrote:
>
> > On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
> >
> >> hai, Please keep it mailing to the list, this way it shows up for
> >> others also. A workaround for disabling SMBv1, you can make your server
> >> less secure but that's not what I would do. Setting these to enable NTLM
> >> v1 again.
> >> lanman auth = yes
> >
> > NEVER set this.
> >
> >> ntlm auth = yes
> >
> > This enables NTLMv1. To be clear, this isn't related to SMBv1. This
> > is the only change required to re-enable MSCHAPv2. I plan to create a
> > ntlm auth = mschapv2-only option (indeed I have been given such a
> > patch) but I need to finish the test.
> > raw NTLMv2 aut
> >
> >> n networks.
> > I'm menti
> > cause Samba folklore grows so quickly, and folks rapidly
> > paste in whatever setting they find, even if they reduce security
> > dramatically.
> >
> > Thanks,
> > Andrew Bartlett
> > --
> > Andrew Bartlett http://samba.org/~abartlet/ [1]
> > Authentication Developer, Samba Team http://samba.org [2]
> > Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba [3]
>
>
> Links:
> ------
> [1] http://samba.org/~abartlet/
> [2] http://samba.org
> [3] http://catalyst.net.nz/services/samba
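
An added example, not part of the thread and not Samba or freeradius code: a small smb.conf audit that flags the two settings the quoted messages warn about, `lanman auth = yes` and `ntlm auth = yes`. The function names and both sample configurations are constructed for illustration; `ntlmv1-permitted` and `mschapv2-and-ntlmv2-only` are assumed from Samba's smb.conf documentation rather than taken from the thread, which only mentions a planned `mschapv2-only`.

```python
import re

TRUE = {"yes", "true", "1"}  # smb.conf boolean spellings for "on"

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            params["".join(key.split()).lower()] = value.strip().lower()
    return params

def audit(text):
    """Return (severity, message) findings for the settings in this thread."""
    p, findings = parse_global(text), []
    if p.get("lanmanauth") in TRUE:
        findings.append(("critical", "lanman auth is enabled"))
    ntlm = p.get("ntlmauth")
    if ntlm in TRUE or ntlm == "ntlmv1-permitted":   # alias of "yes"
        findings.append(("high", "ntlm auth = %s enables NTLMv1" % ntlm))
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = """[global]
   workgroup = EXAMPLE
   LanMan Auth = Yes
   ntlm auth = \\
       yes
[share]
   path = /srv/share
"""
HARDENED = """[global]
   workgroup = EXAMPLE
   ; ntlm auth = yes
   ntlm auth = mschapv2-and-ntlmv2-only
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf))
```

Only the `[global]` section is inspected, and commented-out lines are ignored so that a disabled `ntlm auth = yes` does not raise a finding.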

