[Samba] Advice regarding pre-authentication (was: Re: Kerberos authentication issue after upgrading from 4-14-stable to 4-15-stable)
abartlet at samba.org
Tue Feb 1 00:00:49 UTC 2022
On Wed, 2022-01-26 at 21:00 +0100, Stefan Kania via samba wrote:
> As I told you before, I only use it with openldap together with
> MIT-Kerberos, and there you disable preauth on the kerberos server in
> kdc.conf. I never did it on a Samba-DC.
Just looping back on this. NEVER disable pre-authentication.
While for a service account with a strong random password it won't make
a difference (the value protected by pre-authentication is just the
same as the one tickets are encrypted to), this is a bad idea.
Pre-authentication prevents offline password guessing attacks against a
user's account, and should not be disabled.
I make a point of this as Samba lore is strong, and ideas get copied
around without full context and understanding of the consequences.
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
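The exchange Andrew describes, as an added illustration that is not part of the original thread and not Samba or MIT Kerberos code. The realm, principal, wordlist and passwords are constructed; the key derivation and cipher are simplified stand-ins for the RFC 3962/4120 primitives (PBKDF2-HMAC-SHA1 over realm+principal without the final DK() step, and an HMAC-based keystream plus tag instead of an AES enctype), so only the control flow is faithful. That control flow is the point of the post: without pre-authentication the KDC hands keyed material to anyone who asks for it, so the password can be guessed offline; with it the KDC answers KDC_ERR_PREAUTH_REQUIRED and every guess costs an online request the KDC can count and log; and a PA-ENC-TIMESTAMP captured off the wire is just as crackable as an AS-REP, which is why for a service account the strong random password is what matters.

```python
"""Toy model of the Kerberos AS exchange with and without pre-authentication.
Added illustration, not Samba or MIT code: primitives and message formats are
simplified stand-ins; only the control flow follows RFC 4120."""
import hashlib
import hmac
import os
import time

KDC_ERR_PREAUTH_FAILED = 24        # RFC 4120 error codes
KDC_ERR_PREAUTH_REQUIRED = 25
ITERATIONS = 4096                  # RFC 3962 default iteration count


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # RFC 3962 style: PBKDF2-HMAC-SHA1, salt = realm + principal.
    # The real enctype applies a further DK() step, omitted here.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 16)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for a Kerberos enctype: keystream XOR plus a 16-byte tag,
    # so decryption under a wrong key is detected (as the real enctypes do).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:16]


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest()[:16], tag):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm: str, passwords: dict, require_preauth: bool):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
        self.require_preauth = require_preauth  # the kdc.conf / per-account switch
        self.failed_attempts = {}               # what an audit log would record

    def as_req(self, principal: str, pa_enc_timestamp: bytes = None):
        key = self.keys[principal]
        if self.require_preauth:
            if pa_enc_timestamp is None:
                # No keyed material leaves the KDC: nothing to crack offline.
                return ("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED, None)
            try:
                ts = int.from_bytes(decrypt(key, pa_enc_timestamp), "big")
            except ValueError:
                self.failed_attempts[principal] = self.failed_attempts.get(principal, 0) + 1
                return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED, None)
            if abs(ts - int(time.time())) > 300:   # clock-skew window
                return ("KRB-ERROR", KDC_ERR_PREAUTH_FAILED, None)
        # AS-REP enc-part: encrypted under the client's long-term key.
        return ("AS-REP", 0, encrypt(key, b"SESSION:" + os.urandom(16)))


def client_preauth(password: str, realm: str, principal: str) -> bytes:
    # PA-ENC-TIMESTAMP: current time encrypted under the client's key.
    key = string_to_key(password, realm, principal)
    return encrypt(key, int(time.time()).to_bytes(8, "big"))


def offline_crack(blob: bytes, realm: str, principal: str, wordlist: list):
    # Tries candidates against captured keyed material. Nothing touches the
    # KDC, so no lockout counter moves and no log entry is written.
    for guess in wordlist:
        try:
            decrypt(string_to_key(guess, realm, principal), blob)
            return guess
        except ValueError:
            continue
    return None


def demo() -> dict:
    realm, user = "EXAMPLE.ORG", "alice"      # constructed sample data
    wordlist = ["password", "Summer2022", "Winter2021!", "letmein"]
    r = {}
    # 1. Pre-auth disabled: anyone can ask for alice's AS-REP and crack it offline.
    kdc_off = KDC(realm, {user: "Winter2021!"}, require_preauth=False)
    msg, _, enc_part = kdc_off.as_req(user)
    r["no_preauth_response"], r["no_preauth_cracked"] = msg, offline_crack(enc_part, realm, user, wordlist)
    # 2. Pre-auth required: the bare request yields no keyed material, and
    #    each guess must go to the KDC, where failures are counted.
    kdc_on = KDC(realm, {user: "Winter2021!"}, require_preauth=True)
    msg, code, _ = kdc_on.as_req(user)
    r["preauth_response"], found = (msg, code), None
    for guess in wordlist:
        if kdc_on.as_req(user, client_preauth(guess, realm, user))[0] == "AS-REP":
            found = guess
            break
    r["online_cracked"], r["online_guesses_logged"] = found, kdc_on.failed_attempts.get(user, 0)
    # 3. Caveat from the post: a sniffed PA-ENC-TIMESTAMP is as crackable as an AS-REP.
    r["sniffed_preauth_cracked"] = offline_crack(client_preauth("Winter2021!", realm, user), realm, user, wordlist)
    # 4. Service account with a strong random password: offline guessing finds nothing.
    kdc_svc = KDC(realm, {"svc": os.urandom(32).hex()}, require_preauth=False)
    r["service_account_cracked"] = offline_crack(kdc_svc.as_req("svc")[2], realm, "svc", wordlist)
    return r
```

On a Samba AD DC the per-account equivalent of the MIT kdc.conf switch is the UF_DONT_REQUIRE_PREAUTH bit (0x400000, decimal 4194304) in userAccountControl, which is also what AS-REP roasting tools look for; the usual audit is an LDAP bitwise-AND search such as `ldbsearch -H /path/to/sam.ldb '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' sAMAccountName`, and any account it returns should have the bit cleared unless there is a documented reason for it.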