[Samba] Remove LanMan auth from the AD DC and possibly file server?
Andrew Bartlett
abartlet at samba.org
Wed Jan 26 18:00:18 UTC 2022
On Wed, 2022-01-26 at 08:55 -0800, Jeremy Allison via samba wrote:
> On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba wrote:
> > On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
> > > My feeling is that for the Win9X and OS/2 irreplaceable industrial
> > > equipment case, that guest authentication would suffice, combined
> > > with 'force user' and 'hosts allow' for 'security'.
> > >
> > > What do folks think?
> >
> > my gut feeling is that many users will be very unhappy with such a
> > change. I know many setups where the clients say that ntlm auth is
> > still required for them and where guest auth would not be an option.
> > Even on AD DCs sometimes. For sure on member servers.
>
> Correct me if I'm wrong Andrew, but I think Andrew is not
> thinking about removing NTLM, but only the storage of
> LM password hashes.
>
> From the "lanman auth" section of the man page:
>
> This parameter has been deprecated since Samba 4.11 and
> support for LanMan (as distinct from NTLM, NTLMv2 or Kerberos
> authentication) will be removed in a future Samba release.
>
> Removing the LM password hashes gets a hearty thumbs-up
> from me :-).

That's exactly what I mean.

> But I may be misreading the original message. Sorry
> if I'm just adding to the confusion :-).

No, you got my meaning perfectly. Even for Win9X there is, from
memory, some strange update to make it do 'raw NTLMv2', instead of LM.

I really think we should be able to ditch this, ideally across the
codebase but certainly in the AD DC, in 2022.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions