[Samba] How to disable NTLM authentication on Samba

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Oct 10 20:30:43 UTC 2018


I used to run classic samba. Since classic samba does not include its
own LDAP or Kerberos servers, those were separate components on the
server. No reason to run sssd on any server. Linux clients used
sssd to authenticate to Kerberos. I migrated to an AD domain but
at that point there wasn't any reason to try to bypass sssd, and sssd
does allow for credential caching on Linux clients so it is pretty
useful. But at no point is sssd used to provide authentication to
Windows clients, nor do I run sssd on samba servers.





On 10/10/18 16:19, Rowland Penny via samba wrote:
> On Wed, 10 Oct 2018 16:07:24 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> How would samba forward any requests on to any other service?
>> You can have sssd set up on a server if you also need to support
>> things like ssh, sftp, and nfs but that is separate from samba's
>> "Windows" services.
>>
>> Or do you mean it forwards NTLM requests to a different server?
>>
>>
>> Disabling NTLM altogether would be a useful feature if you are trying
>> to minimize the attack surface.
>>
> smbd used to be able to do authentication, it now passes this to
> winbind.
>
> You should not run winbind with sssd because it has its own winbind
> lib. So, if you are using sssd, you are not using winbind, so how can
> it pass anything to sssd?
>
> I do not understand why people run sssd with Samba, there is very
> little that sssd can do, that winbind cannot.
>
> As I said, if you run sssd and are having problems, ask the sssd-users
> mailing list first.
>
> Rowland
>



