[Samba] How to disable NTLM authentication on Samba
Reinaldo Souza Gomes
reinaldosouzagomes at yahoo.com.br
Wed Oct 10 20:38:02 UTC 2018
Whenever a client uses kerberos as authentication, it succeeds.
Whenever a client uses NTLM as authentication, it fails (logs bellow) since SSSD can't support NTLM. Thus my question: what can I do to prevent NTLM from being used??
[2018/10/09 17:49:29.507046, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password) check_ntlm_password: Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1[2018/10/09 17:49:29.507074, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME] remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]
Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal via samba <samba at lists.samba.org> escreveu:
How would samba forward any requests on to any other service ? You
can have sssd setup on a server if you also need to support things like
ssh, sftp, and nfs but that is separate from samba's "Windows" services.
Or do you mean it forwards NTLM requests to a different server ?
Disabling NTLM altogether would be a useful feature if you are trying to
minimize the attack surface.
On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> Forgive me if I have misundertood your words, but what I want is to prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
> Putting it in another words: what can I do (preferrably on the Samba server) to prevent windows clients from successfully sending NTLM authentication to my Samba server? Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org> escreveu:
>
> On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I’ve set up Samba with SSSD and everything Works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>>
>> I’ve tried all sorts of parameters combination on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list