[Samba] Remove LanMan auth from the AD DC and possibly file server?

Andrew Bartlett abartlet at samba.org
Tue Feb 8 05:02:15 UTC 2022


On Mon, 2022-02-07 at 09:17 -0800, Jeremy Allison via samba wrote:
> On Mon, Feb 07, 2022 at 06:06:34PM +0100, Björn JACKE wrote:
> > On 2022-01-27 at 07:00 +1300 Andrew Bartlett via samba-technical
> > sent off:
> > > No, you got my meaning perfectly.  Even for Win9X there is, from
> > > memory, some strange update to make it do 'raw NTLMv2', instead
> > > of LM.
> > > 
> > > I really think we should be able to ditch this, ideally across
> > > the codebase but certainly in the AD DC, in 2022.
> > 
> > okay, with the AD DC I agree, I think we can remove it there.
> > 
> > For local SAM users I would vote to keep LM hashes supported
> > until we ditch SMB1 anyway in the not so far future. There are
> > really still people relying on this.
> 
> Only if this is easy to do in refactoring. If it's going to
> be hard to keep them, I vote to remove them and ask such
> users to go to guest authentication.
> 
> At this point there's no difference in security between
> LM hashes and guest authentication.

It would mean we could remove the actual password checking code, and
avoid having inconsistent behaviour where 'lanman auth' is a valid, but
now ignored, parameter.

This is the primary benefit.

The lesser benefit comes to avoiding having member-server codepaths
without the matching AD DC codepath (but the NT4 DC code could step in
here to an extent).

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
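An added example, not code from this thread or from the Samba project: while 'lanman auth' is still a live parameter, an administrator can check their own smb.conf for it. The POSIX shell audit below reads the [global] section of an smb.conf and fails when LanMan or NTLMv1 authentication is still permitted, using the real Samba parameters 'lanman auth', 'client lanman auth' and 'ntlm auth'. The two embedded smb.conf fragments are constructed for the example; the values assumed when a parameter is absent ('lanman auth = no', 'client lanman auth = no', 'ntlm auth = ntlmv2-only') are Samba's documented defaults for current releases and are an assumption of this script, not something the thread states.

```shell
#!/bin/sh
# Constructed smb.conf fragments for the example (not from the thread).
WEAK_CONF='[global]
   workgroup = EXAMPLE
   LanMan Auth = yes
   ntlm auth = yes
   client lanman auth = yes
   server min protocol = NT1
'

HARDENED_CONF='[global]
   workgroup = EXAMPLE
   lanman auth = no
   ntlm auth = ntlmv2-only
   client lanman auth = no
   client ntlmv2 auth = yes
   server min protocol = SMB2_02
   client min protocol = SMB2_02
'

# get_param CONF NAME
# Print the lower-cased [global] value of parameter NAME, matching the
# name case- and whitespace-insensitively as Samba does; print nothing
# if the parameter is not set. Comment lines (# or ;) are ignored.
get_param() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); gsub(/[[:space:]]/, "", sec)
            next
        }
        /^[[:space:]]*[#;]/ { next }
        sec == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/[[:space:]]+/, " ", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want)) print tolower(val)
        }'
}

# audit_smbconf CONF
# Return 0 when LM is off on both server and client side and the server
# only accepts NTLMv2; return 1 and print each finding otherwise.
# Assumed defaults for absent parameters: lanman auth = no,
# client lanman auth = no, ntlm auth = ntlmv2-only.
audit_smbconf() {
    conf=$1
    rc=0

    lm=$(get_param "$conf" "lanman auth")
    lm=${lm:-no}
    case "$lm" in
        yes|true|1) echo "FAIL: lanman auth = $lm (LM challenge/response accepted)"; rc=1 ;;
    esac

    clm=$(get_param "$conf" "client lanman auth")
    clm=${clm:-no}
    case "$clm" in
        yes|true|1) echo "FAIL: client lanman auth = $clm (LM sent to servers)"; rc=1 ;;
    esac

    # 'no' and 'ntlmv2-only' both mean NTLMv1 is refused; 'disabled'
    # refuses NTLM entirely.
    ntlm=$(get_param "$conf" "ntlm auth")
    ntlm=${ntlm:-ntlmv2-only}
    case "$ntlm" in
        no|ntlmv2-only|mschapv2-and-ntlmv2-only|disabled) ;;
        *) echo "FAIL: ntlm auth = $ntlm (NTLMv1 accepted)"; rc=1 ;;
    esac

    return $rc
}

# Usage: audit both fragments.
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if audit_smbconf "$conf"; then
        echo "$name: PASS"
    else
        echo "$name: FAIL"
    fi
done
```

To run this against a live host rather than an embedded string, feed it the output of 'testparm -s', which prints the effective configuration with Samba's own parsing applied.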
