[Samba] ntlm_auth not returning "STATUS_OK"
Mark Foley
mfoley at novatec-inc.com
Sat Jan 27 17:54:24 UTC 2024
On Sat Jan 27 06:13:11 2024 Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 27-01-2024 11:56, Rowland Penny via samba wrote:
> > On Fri, 26 Jan 2024 22:22:49 -0500
> > Mark Foley via samba<samba at lists.samba.org> wrote:
> >
> >> On Wed Jan 24 05:03:25 2024 Rowland Penny via samba
> >> <samba at lists.samba.org> wrote:
> >>> On Tue, 23 Jan 2024 17:07:35 -0500
> >>> Mark Foley via samba<samba at lists.samba.org> wrote:
> >>>
> >>>> On Mon Jan 22 11:00:59 2024 Mark Foley via samba
> >>>> <samba at lists.samba.org> wrote:
> >>>>> I have scripts that runs ntlm_auth. Before upgrading my DC to
> >>>>> 4.18.9 I would get text string output from the ntlm_auth
> >>>>> command. For example:
> >>>>>
> >>>>> STATUS_NO_SUCH_USER
> >>>>> NT_STATUS_WRONG_PASSWORD
> >>>>> STATUS_OK
> >>>>>
> >>>>> Now with the new Samba, the first two strings are output as
> >>>>> usual in the case of non-existant user and invalid password,
> >>>>> respectively, but if the user/pw is OK it now returns the
> >>>>> string: ": (0x0)", which, I suppose, is the exit status of the
> >>>>> ntlm_auth command meaning OK.
> >>>>>
> >>>> I have never been in favor of developers changing the behavior of
> >>>> programs when "new features" come out, expecially programs that
> >>>> might be used in scripts that rely on responses. I think it's
> >>>> naughty when developers do that.
> >>>>
> >>>>> <snip>
> >>>> --Mark
> >>>>
> >>> Sooner or later, ntlm_auth wil be removed, so if you can find
> >>> another way for your script to do what it is doing now, then you
> >>> may be wise to do so.
> >>> In the meantime, it might be a good idea to log a bug report.
> >>>
> >>> Rowland
> >> The application ntlm_auth is used for is an intranet web application
> >> which is a pension system implemented in HTML, JSP and SQL Server.
> >> User/employees must log in to use this webapp. Rather than maintain
> >> separate app-only credentials, the users can authenticate with their
> >> domain credentials. This is where ntlm_auth comes in.
> >>
> >> I would be very sorry to see ntlm_auth go away. A quick web search
> >> shows I'm not the only one using it. This reinforces my comment about
> >> developers removing longstanding functionality without a compatible
> >> path forward. That places a burden on downstream developers who have
> >> come to rely on functionality.
> > Perhaps when I said ntlm_auth is likely to away, I should have
> > qualified it, so lets do that now:
> >
> > If you set 'ntlm auth = yes', you are actually setting 'ntlm auth =
> > ntlmv1-permitted', which is just about as insecure as you can get.
> > The default (since 4.7.0) is 'ntlm auth = ntlmv2-only', which when it
> > comes to ntlm auth is secure as you can get.
> >
> > However, you can set 'ntlm auth = mschapv2-and-ntlmv2-only', this is
> > required for the ntlm-auth tool.
> >
> > There is some talk of Microsoft moving away from NTLM to Kerberos and
> > if this occurs, Samba will surely have to follow.
>
> A link to an interesting talk from Microsoft engineers about this was
> posted on the samba-technical list some time ago:
> https://www.youtube.com/watch?v=SEtARCtGP0Y <This is worth a watch:
> https://www.youtube.com/watch?v=SEtARCtGP0Y>
Excellent! Thanks. I've already started listening to this (it's an hour+). Once
my DC migration dust settles I'll jump back in and see how I can incorporate
kerberos into my authentication scheme going forward. That's the kind if thing I
need to help me reseach.
Thanks -- Mark
> >
> > Have you considered using Kerberos for authentication ?
> >
> > Rowland
More information about the samba
mailing list