[Samba] Remove LanMan auth from the AD DC and possibly file server?

Peter Milesson miles at atmos.eu
Wed Feb 9 10:26:47 UTC 2022



On 09.02.2022 10:15, Patrick Goetz via samba wrote:
>
> On 2/8/22 14:48, Rowland Penny via samba wrote:
>>>
>>> Or more likely they're running it in a completely isolated (or DMZ
>>> gatewayed) environment with equipment that can't be upgraded (e.g.
>>> instrumentation control PCs running old versions of Windows which
>>> can't be upgraded).  That's what we do; there's no good alternative unless
>>> your user has, for example, a million dollars to shell out for a new
>>> machine with new PCs, and even then.  We just got a new 1.5 million
>>> dollar microscope and the control PC is running Windows 2012. \o/
>>
>> If you are paying 1.5 million dollars for something that contains a PC,
>> then it should have been part of the contract that the OS was the
>> latest version.
>>
>
> Hmm, well, yes, but it turns out that the number of vendors in some
> cases is limited to one (so making demands is futile) and this is of 
> no concern whatsoever to the scientists, who are just focused on the 
> quality of images we get out of the system and who make the buying 
> decisions. I mean, they have other concerns. The computational parts 
> of these systems are fairly simple (in my opinion) compared to, for 
> example, sample preparation, which from my perspective is black magic 
> voodoo bedeviled by dragons (and the grad students doing the prep 
> would probably concur).
>
> At least it's not Windows 7, which was the OS on the previous 
> instrumentation PC?  Or allow me to summarize: "just make it work, 
> Patrick."  Why anyone in science uses Windows for anything in 2022 is 
> beyond me.
>
>
>> Rowland
>>
>>
>>
>
Let me chime in here,

Those who are responsible for procurement (machines, buildings, 
construction), are frequently either lax, incompetent, or ignorant. It 
has happened to me on several occasions during the years that I get the 
question, "Why in the ... is there no WiFi connection in the new
warehouse?" Well, the answer is very simple: No infrastructure. No
cables. No racks. No plans. Nothing. 20 years ago nobody forgot about a 
few phone lines, but today everybody assumes that wireless connectivity 
is just there automagically. Anybody with some knowledge can figure out 
the implications for themselves.

About ancient operating systems, it's probably something we have got to 
live with. If you purchase a new NC machine today (frequently millions 
of Euros), you can be lucky if the controller has got at least Windows 
8. If it's not explicitly stated in the procurement documents that the 
latest OS should be installed, you get the oldest free license in line 
from the manufacturer. Those machines are in operation for 15-20 years, 
and I haven't yet seen anybody replacing a working controller in a 
machine. To that, the OSes are not even updated. So you have got to live 
with a mix of Windows 2k, XP, 7, 8, 10. An additional concern is the
complete lack of antivirus systems in those controllers; mostly it isn't
even possible to install them.

As has been stated here, complete isolation is the way to go. Keep a 
local data server with an ancient Samba version, keep the environment 
isolated, and do not allow ANY incoming internet connections. And above 
all, NO unauthorized flash drives!

This is my world presently, and I have got a feeling it's the normal 
state of things out there. By all means, remove old cruft from future 
Samba releases, making it safer and easier to maintain.

I wish you all a nice day,

Peter



