[Samba] How to disable NTLM authentication on Samba

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Oct 10 20:07:24 UTC 2018


How would samba forward any requests on to any other service? You
can have sssd set up on a server if you also need to support things like
ssh, sftp, and nfs but that is separate from samba's "Windows" services.

Or do you mean it forwards NTLM requests to a different server?


Disabling NTLM altogether would be a useful feature if you are trying to 
minimize the attack surface.






On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> Forgive me if I have misunderstood your words, but what I want is to prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
> Putting it in other words: what can I do (preferably on the Samba server) to prevent Windows clients from successfully sending NTLM authentication to my Samba server?
>
> On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I’ve set up Samba with SSSD and everything works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>>
>> I’ve tried all sorts of parameter combinations on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland
>



