[Samba] Remove LanMan auth from the AD DC and possibly file server?

Jeremy Allison jra at samba.org
Wed Jan 26 16:55:20 UTC 2022


On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba wrote:
>On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
>> My feeling is that for the Win9X and OS/2 irrilplacable industrial
>> equipment case, that guest authentication would suffice, combined with
>> 'force user' and 'hosts allow' for 'security'.
>>
>> What do folks think?
>
>my gut feeling is that many users will be very unhappy with such a change. I
>know many setups where the clients say that ntlm auth is still required for
>them and where guest auth would not be an option. Even on AD DCs sometimes. For
>sure on member servers.

Correct me if I'm wrong Andrew, but I think Andrew is not
thinking about removing NTLM, but only the storage of
LM password hashes.

 From the "lanman auth" section of the man page:

This parameter has been deprecated since Samba 4.11 and
support for LanMan (as distinct from NTLM, NTLMv2 or Kerberos
authentication) will be removed in a future Samba release.

Removing the LM password hashes gets a hearty thumbs-up
from me :-).

But I may be miss-reading the original message. Sorry
if I'm just adding to the confusion :-).



More information about the samba mailing list