[Samba] Is 'sec=ntlmsspi' with 'seal' secure over an untrusted network?

Andrew Bartlett abartlet at samba.org
Wed Sep 6 20:57:15 UTC 2023

On Wed, 2023-09-06 at 16:25 +0200, Erik Schulz via samba wrote:
> Hello,
> I'm using a cloud provider's storage solution, which only works with
> SMB, with username/password. I assume the best configuration with
> 'sec=ntlmsspi' and 'seal'.
> But is this secure over an untrusted network? (i.e. to satisfy a
> strict security audit)
> Microsoft states that "NTLMv2 is a little better, since it variable
> length and salted hash, but not that much better" (than
> NTLMv1). There's this article that talks about cracking NTLMSSP:
> https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol
> I'm wondering if NTLMSSPI avoids these issues? Or whether `seal`
> encrypts the connection, avoiding leaking any information in the first
> place? ("The encryption algorithm used is AES-128-CCM"). Or whether
> the encrypted connection is established later.

The encryption is established after the NTLM completes.  Strong
passwords may make this an acceptable choice.

Kerberos is similar, actually, if you can get to the client/KDC
exchange then a weak user password can be brute forced. 

This is why Samba 4.19 is significant, as we can claim to be Windows
2012 and have Windows clients use 'Kerberos Armoring' aka 'FAST' (if
you set up the Group Policies), but this is regarding the AD DC, not
your situation.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions

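The practical consequence of the reply above is that 'seal' protects the file traffic but not the NTLM authentication exchange that precedes it, so a CIFS mount that uses any NTLM-family 'sec=' value still depends on password strength even when sealed, and a mount without 'seal' sends file data in the clear. The following added audit script (example code written for this post, not part of Samba or the cifs-utils project) parses mount lines in the format the Linux kernel exposes in /proc/mounts and flags both conditions. The sample mount lines embedded in it are constructed; the hostnames and addresses are placeholders.

```python
"""Audit CIFS mounts for missing SMB encryption ('seal') and for NTLM-family
authentication, whose exchange completes before encryption starts.

Added example; the mount lines below are constructed to mimic /proc/mounts
(format: device mountpoint fstype options dump pass) and are not real hosts.
"""

# Constructed sample in /proc/mounts format (hosts/addresses are placeholders).
SAMPLE_MOUNTS = """\
//storage.example.invalid/share1 /mnt/share1 cifs rw,relatime,vers=3.1.1,sec=ntlmsspi,cache=strict,username=alice,uid=0,addr=203.0.113.10,seal,soft,serverino 0 0
//storage.example.invalid/share2 /mnt/share2 cifs rw,relatime,vers=3.1.1,sec=ntlmssp,cache=strict,username=bob,uid=0,addr=203.0.113.10,soft,serverino 0 0
//fs.corp.example.invalid/home /home/carol cifs rw,relatime,vers=3.1.1,sec=krb5i,cache=strict,username=carol,uid=1000,addr=203.0.113.20,seal,soft,serverino 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

# 'sec=' values accepted by mount.cifs that authenticate with NTLM/NTLMv2/NTLMSSP.
NTLM_FAMILY = {"ntlm", "ntlmi", "ntlmv2", "ntlmv2i", "ntlmssp", "ntlmsspi"}

# Finding codes reported by audit_cifs_mounts().
NO_SEAL = "no-seal"        # SMB traffic is not encrypted
NTLM_AUTH = "ntlm-auth"    # NTLM exchange precedes encryption; password strength is the control


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, options) for each mount line.

    Options are returned as a dict; flag-style options (e.g. 'seal') map to True,
    key=value options (e.g. 'sec=ntlmsspi') map to their value.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = fields[:4]
        options = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        yield device, mountpoint, fstype, options


def audit_cifs_mounts(text):
    """Return a list of (mountpoint, finding_code) for every cifs mount in text."""
    findings = []
    for _device, mountpoint, fstype, options in parse_mounts(text):
        if fstype != "cifs":
            continue
        # Without 'seal' the SMB session is not encrypted, so file data and
        # metadata cross the network in the clear.
        if options.get("seal") is not True:
            findings.append((mountpoint, NO_SEAL))
        # With an NTLM-family mechanism the authentication exchange happens
        # before encryption is established, so it is exposed to offline
        # password guessing regardless of 'seal'.
        sec = options.get("sec")
        if isinstance(sec, str) and sec in NTLM_FAMILY:
            findings.append((mountpoint, NTLM_AUTH))
    return findings


def audit_system(path="/proc/mounts"):
    """Run the audit against the live mount table of the host."""
    with open(path, encoding="utf-8") as fh:
        return audit_cifs_mounts(fh.read())


if __name__ == "__main__":
    for mountpoint, code in audit_cifs_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint}: {code}")
```

Running it against the constructed sample reports the sealed 'ntlmsspi' mount only for NTLM authentication, the unsealed 'ntlmssp' mount for both findings, and nothing for the 'krb5i' mount with 'seal'. Note that a Kerberos mount is still only as strong as the user's password against an attacker who can capture the client/KDC exchange, as the reply points out; that is outside what the mount table can tell you.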