[Samba] Remove LanMan auth from the AD DC and possibly file server?

Patrick Goetz pgoetz at math.utexas.edu
Wed Jan 26 13:55:22 UTC 2022

On 1/25/22 21:50, Andrew Bartlett via samba wrote:
> I'm looking to add a mode to Samba without the NT Hash (for normal
> users, NETLOGON is stuck using it for the secure channel).
> In doing that I have to change the codepaths around password hash
> storage, and it would be simpler if I could first remove lanman auth
> (set and check) from the AD DC first.
> It just makes no sense in 2022.
> As a stretch goal, if I or someone else got bored/stuck-in-lockdown or
> such, it might be great to be consistent to remove it from the whole
> server codebase.
> The parameter 'lanman auth' has been deprecated for some time now.
> My feeling is that for the Win9X and OS/2 irrilplacable industrial
> equipment case, that guest authentication would suffice, combined with
> 'force user' and 'hosts allow' for 'security'.

There are 2 competing issues:

  - Instrumentation equipment running old versions of Windows which 
can't be upgraded

  - Maintaining endless backwards compatibility results in unsustainable 
technical debt and terrible, hard to maintain software.

My solution to dealing with old software that must continue to run is to 
containerize it or run it in a VM, but that doesn't generally work for 
instrumentation equipment, a lot of which still uses things like USB 
hardware dongles.  However it should be possible to run older versions 
of Samba in a container?

In any case, however inappropriate it is for me to offer an opinion, 
maybe it's time to branch?  Create a samba4-legacy branch which only 
gets security patches and otherwise never changes, and a samba4 main 
branch from which old junk is ruthlessly stripped without mercy and 
which is updated to work with the endless Windows updates that break 
things in Samba

In this scenario samba4 main would only work with version of Windows >= 
8.1.  If you have an environment with new and old Windows systems you 
would need to run 2 Samba servers, samba4-legacy and samba4.

BTW, I think (based on hearsay) that the way Microsoft maintains 
backwards compatibility with older Office formats is that MS Word, for 
example, contains big blocks of "black box" code that no one understands 
any more, but which are included to allow users to open old .doc 
documents. Never minding the engineering nightmare this is, from 
experience, this doesn't work very well, and more than once I've had to 
harvest text out of a .doc file which was unreadable by the version of 
MS Word installed on the user's machine.

> What do folks think?
> This would be for Samba 4.17.
> Andrew Bartlett

More information about the samba mailing list