[Samba] Is 'sec=ntlmsspi' with 'seal' secure over an untrusted network?

Erik Schulz erikschulz184 at gmail.com
Wed Sep 6 14:25:42 UTC 2023


Hello,

I'm using a cloud provider's storage solution, which only works with SMB,
with username/password. I assume the best configuration with 'sec=ntlmsspi'
and 'seal'.

But is this secure over an untrusted network? (i.e. to satisfy a strict
security audit)

Microsoft states that "NTLMv2 is a little better, since it variable length
and salted hash, but not that much better" (than NTLMv1).
There's this article that talks about cracking NTLMSSP:
https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol

I'm wondering if NTLMSSPI avoids these issues?
Or whether `seal` encrypts the connection, avoiding leaking any information
in the first place? ("The encryption algorithm used is AES-128-CCM"). Or
whether the encrypted connection is established later.

Thanks for any thoughts on this!

Kind regards
Erik


More information about the samba mailing list