[Samba] Remove LanMan auth from the AD DC and possibly file server?

Andrew Bartlett abartlet at samba.org
Wed Jan 26 03:50:25 UTC 2022

I'm looking to add a mode to Samba without the NT Hash (for normal
users, NETLOGON is stuck using it for the secure channel).

In doing that I have to change the codepaths around password hash
storage, and it would be simpler if I could first remove lanman auth
(set and check) from the AD DC first.

It just makes no sense in 2022.

As a stretch goal, if I or someone else got bored/stuck-in-lockdown or
such, it might be great to be consistent to remove it from the whole
server codebase.  

The parameter 'lanman auth' has been deprecated for some time now.  

My feeling is that for the Win9X and OS/2 irrilplacable industrial
equipment case, that guest authentication would suffice, combined with
'force user' and 'hosts allow' for 'security'.

What do folks think?

This would be for Samba 4.17.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba mailing list