[Samba] authentication issues

Rowland Penny rpenny at samba.org
Fri Mar 9 14:05:11 UTC 2018


On Fri, 9 Mar 2018 13:47:39 +0000
peter lawrie via samba <samba at lists.samba.org> wrote:

> Hopefully this is a simple problem for a guru to solve.
> 
> I have been installing Centos / Samba servers for my clients since
> 2004. However, in almost every instance, the linux machine has been
> the only server on site. To begin with I set up the server as a
> domain server but as most of my customers have less than a dozen PCs
> on a single site, the domain seemed to be an overkill so I now tend
> to use the server as a member of a workgroup, and purely as a
> fileserver.
> 
> I installed a centos 5 server for a customer in 2012. As centos 5
> support has ended, I recently persuaded that customer that it was
> time to update their server.
> I set up a new Dell T130 server with centos 7 and the latest
> downloaded samba.
> This was initially done offsite using my own windows 10 pro PC as a
> client, I added all the users and passwords before taking the server
> to site. All PCs on site were running win10 pro, version 1709, and
> previously had been connected to the centos 5 server, with the lanman
> parameters on the PCs modified to suit.
> 
> When I connected the centos 7 server, I noted that PCs logged on as
> any of the users had access to the two shares I had defined but not
> to their personal home directories.
> Once I had completed restoring the data from backup disks, (only to
> the shares) for a reason I still do not understand I lost connection
> to the shares as well.
> I rebuilt smb.conf several times without success, but when I added
> "ntlm auth = yes" it worked again and I could access the home
> directories as well. I think I may have downgraded the
> authentication, but the customer is happy.
> 
> Can anyone explain what the issue may have been, the effect of my fix
> and whether I should go back and 'improve' the setup?
> Peter Lawrie

You have just made your customer's setup insecure and you really should
go back ASAP and fix it.

If you read the release notes for 4.5.0, you would find this:

NTLMv1 authentication disabled by default

In order to improve security we have changed the default value for the
"ntlm auth" option from "yes" to "no". This may have impact on very old
clients which don't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now, as we have
the following default "lanman auth = no", "ntlm auth = no" and "raw
NTLMv2 auth = no". 

You need to get your Windows clients to use NTLMv2.

rowland
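
An added example (not part of the original message, and not Samba project code): a small Python check that reads an smb.conf and reports any of the three authentication parameters named in the release notes above that have been switched back on in [global]. The sample configuration is constructed, and treating "ntlmv1-permitted" as equivalent to "yes" is an assumption about later Samba versions.

```python
import re

# Parameters and safe defaults as quoted from the 4.5.0 release notes above.
# Keys are stored normalised (lower case, no whitespace).
SAFE_DEFAULTS = {"lanmanauth": "no", "ntlmauth": "no", "rawntlmv2auth": "no"}
# Boolean spellings that switch a parameter on.
TRUE_VALUES = {"yes", "true", "on", "1"}
# Assumption: later Samba versions also spell "ntlm auth = yes" this way.
WEAK_VALUES = TRUE_VALUES | {"ntlmv1-permitted"}

# Constructed sample reproducing the change described in the thread.
SAMPLE = """\
[global]
    workgroup = WORKGROUP
    security = user
    ; constructed example, not a real site's configuration
    NTLM Auth = Yes
    lanman auth = no

[homes]
    browseable = no
"""


def normalise(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def audit_global(conf_text):
    """Return {parameter: value} for [global] auth settings weaker than the defaults."""
    findings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if normalise(name) in SAFE_DEFAULTS and value.strip().lower() in WEAK_VALUES:
            findings[" ".join(name.split()).lower()] = value.strip()
    return findings


if __name__ == "__main__":
    for param, value in audit_global(SAMPLE).items():
        print(f"weak setting in [global]: {param} = {value}")
```

An empty result means none of the three parameters has been loosened from the defaults quoted above; parameters that are simply absent are not reported, since the defaults then apply.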


