[Samba] ntlm_auth not returning "STATUS_OK"

Kees van Vloten keesvanvloten at gmail.com
Sat Jan 27 11:12:39 UTC 2024


On 27-01-2024 11:56, Rowland Penny via samba wrote:
> On Fri, 26 Jan 2024 22:22:49 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
>> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Tue, 23 Jan 2024 17:07:35 -0500
>>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Mon Jan 22 11:00:59 2024 Mark Foley via samba
>>>> <samba at lists.samba.org> wrote:
>>>>> I have scripts that run ntlm_auth. Before upgrading my DC to
>>>>> 4.18.9 I would get text string output from the ntlm_auth
>>>>> command. For example:
>>>>>
>>>>> STATUS_NO_SUCH_USER
>>>>> NT_STATUS_WRONG_PASSWORD
>>>>> STATUS_OK
>>>>>
>>>>> Now with the new Samba, the first two strings are output as
>>>>> usual in the case of non-existent user and invalid password,
>>>>> respectively, but if the user/pw is OK it now returns the
>>>>> string: ":  (0x0)", which, I suppose, is the exit status of the
>>>>> ntlm_auth command meaning OK.
>>>>>
>>>> I have never been in favor of developers changing the behavior of
>>>> programs when "new features" come out, especially programs that
>>>> might be used in scripts that rely on responses. I think it's
>>>> naughty when developers do that.
>>>>
>>>>> <snip>
>>>> --Mark
>>>>
>>> Sooner or later, ntlm_auth will be removed, so if you can find
>>> another way for your script to do what it is doing now, then you
>>> may be wise to do so.
>>> In the meantime, it might be a good idea to log a bug report.
>>>
>>> Rowland
>> The application ntlm_auth is used for is an intranet web application
>> which is a pension system implemented in HTML, JSP and SQL Server.
>> User/employees must log in to use this webapp. Rather than maintain
>> separate app-only credentials, the users can authenticate with their
>> domain credentials. This is where ntlm_auth comes in.
>>
>> I would be very sorry to see ntlm_auth go away. A quick web search
>> shows I'm not the only one using it. This reinforces my comment about
>> developers removing longstanding functionality without a compatible
>> path forward. That places a burden on downstream developers who have
>> come to rely on functionality.
> Perhaps when I said ntlm_auth is likely to go away, I should have
> qualified it, so let's do that now:
>
> If you set 'ntlm auth = yes', you are actually setting 'ntlm auth =
> ntlmv1-permitted', which is just about as insecure as you can get.
> The default (since 4.7.0) is 'ntlm auth = ntlmv2-only', which when it
> comes to ntlm auth is as secure as you can get.
>
> However, you can set 'ntlm auth = mschapv2-and-ntlmv2-only', this is
> required for the ntlm-auth tool.
>
> There is some talk of Microsoft moving away from NTLM to Kerberos and
> if this occurs, Samba will surely have to follow.

A link to an interesting talk from Microsoft engineers about this was
posted on the samba-technical list some time ago; it is worth a watch:
https://www.youtube.com/watch?v=SEtARCtGP0Y

>
> Have you considered using Kerberos for authentication ?
>
> Rowland
>
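The scripts discussed above break because they match the text ntlm_auth prints, and that text changed between releases. The wrapper below is an added example written for this page (it is not code from the thread or from Samba): it decides on ntlm_auth's exit status, which is 0 when authentication succeeds and non-zero otherwise, and uses the printed text only to tell apart the failure cases the thread mentions, so a success that prints "NT_STATUS_OK" and one that prints ":  (0x0)" are both treated as OK. The `--domain`, `--username` and `--password` options are ntlm_auth's own; the `NTLM_AUTH_BIN` variable, the function names and the sample output strings are assumptions and constructed values for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: check domain credentials
# with ntlm_auth and decide on its exit status (0 = authenticated, non-zero = not),
# so the result does not depend on whether a success prints "NT_STATUS_OK" or ":  (0x0)".
# NTLM_AUTH_BIN is an assumption of this example; it lets a test point the wrapper
# at a stand-in command instead of the real binary.
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-ntlm_auth}"

# classify_ntlm_result EXIT_STATUS OUTPUT
# Prints OK, WRONG_PASSWORD, NO_SUCH_USER or FAIL. The exit status is authoritative;
# the printed text is only used to distinguish the failure cases.
classify_ntlm_result() {
    rc=$1
    out=$2
    if [ "$rc" -eq 0 ]; then
        echo OK
        return 0
    fi
    case $out in
        *NT_STATUS_WRONG_PASSWORD*) echo WRONG_PASSWORD ;;
        *STATUS_NO_SUCH_USER*)      echo NO_SUCH_USER ;;   # also matches NT_STATUS_NO_SUCH_USER
        *)                          echo FAIL ;;
    esac
    return 1
}

# ntlm_check DOMAIN USER PASSWORD
# Runs $NTLM_AUTH_BIN (ntlm_auth by default) and prints the classified result;
# returns 0 only for OK. A password passed on the command line is visible to other
# local users in the process list, so keep this on a host you control.
ntlm_check() {
    domain=$1
    user=$2
    pass=$3
    # Run inside 'if' so a non-zero status is captured even when 'set -e' is active.
    if out=$("$NTLM_AUTH_BIN" --domain="$domain" --username="$user" --password="$pass" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    classify_ntlm_result "$rc" "$out"
}

# Stand-alone use: ./ntlm_check.sh DOMAIN USER PASSWORD
if [ $# -eq 3 ]; then
    ntlm_check "$@"
fi
```

As the thread notes, ntlm_auth only works against a DC whose smb.conf sets `ntlm auth = mschapv2-and-ntlmv2-only`; the wrapper does not change that, it only stops the calling script from depending on one particular success string.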
