Reinaldo Souza Gomes
2018-Oct-10 19:52 UTC
[Samba] How to disable NTLM authentication on Samba
Forgive me if I have misunderstood your words, but what I want is to prevent Samba from accepting NTLM (v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?

Putting it in other words: what can I do (preferably on the Samba server) to prevent Windows clients from successfully sending NTLM authentication to my Samba server?

On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I've set up Samba with SSSD and everything works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn't support
>> NTLM.
>>
>> I've tried all sorts of parameter combinations on smb.conf (including
>> "ntlm auth = disabled"), but I didn't find a way to completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (Kerberos).
>
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
How would samba forward any requests on to any other service? You can have sssd set up on a server if you also need to support things like ssh, sftp, and nfs, but that is separate from samba's "Windows" services.

Or do you mean it forwards NTLM requests to a different server?

Disabling NTLM altogether would be a useful feature if you are trying to minimize the attack surface.

On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> Forgive me if I have misunderstood your words, but what I want is to prevent Samba from accepting NTLM (v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
>
> Putting it in other words: what can I do (preferably on the Samba server) to prevent Windows clients from successfully sending NTLM authentication to my Samba server?
>
> On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
>> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>>
>>> How can I make sure that NTLM(SSP) will never be used??
>>>
>>> I've set up Samba with SSSD and everything works fine... except for a
>>> few Windows machines which every now and then happen to send NTLM
>>> authentication flags to the Samba server, which happily forwards
>>> them. And then the authentication fails because SSSD doesn't support
>>> NTLM.
>>>
>>> I've tried all sorts of parameter combinations on smb.conf (including
>>> "ntlm auth = disabled"), but I didn't find a way to completely refuse
>>> NTLM authentication on the Samba server, and force the client to use
>>> another authentication method (Kerberos).
>>
>> You will have to ask the sssd-users mailing list, you are not using
>> Samba for authentication.
>>
>> sssd isn't a Samba product.
>>
>> Samba by default no longer uses NTLMv1
>>
>> Rowland
>
On Wed, 10 Oct 2018 16:07:24 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> How would samba forward any requests on to any other service?
> You can have sssd set up on a server if you also need to support
> things like ssh, sftp, and nfs, but that is separate from samba's
> "Windows" services.
>
> Or do you mean it forwards NTLM requests to a different server?
>
>
> Disabling NTLM altogether would be a useful feature if you are trying
> to minimize the attack surface.
>

smbd used to be able to do authentication, it now passes this to winbind. You should not run winbind with sssd because it has its own winbind lib. So, if you are using sssd, you are not using winbind, so how can it pass anything to sssd?

I do not understand why people run sssd with Samba, there is very little that sssd can do that winbind cannot.

As I said, if you run sssd and are having problems, ask the sssd-users mailing list first.

Rowland
On Wed, 10 Oct 2018 19:52:41 +0000 (UTC)
Reinaldo Souza Gomes <reinaldosouzagomes at yahoo.com.br> wrote:

> Forgive me if I have misunderstood your words, but what I want is to
> prevent Samba from accepting NTLM (v1, v2, SSP, or whatever) and
> forwarding it, since SSSD does not support it. I am not trying to get
> SSSD to support any kind of NTLM. So, this would be a Samba issue,
> not SSSD's. Isn't that correct? Putting it in other words: what can
> I do (preferably on the Samba server) to prevent Windows clients
> from successfully sending NTLM authentication to my Samba server?
> On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny
> via samba <samba at lists.samba.org> wrote: On Wed, 10 Oct 2018
> 18:50:23 +0000 (UTC) Reinaldo Souza Gomes via samba
> <samba at lists.samba.org> wrote:
>>
>>> How can I make sure that NTLM(SSP) will never be used??
>>

Let me put it this way:

Samba isn't forwarding anything to sssd
Samba isn't doing your authentication, sssd is
Your Windows clients are talking directly to sssd

This means you need to stop NTLMv1 from your Clients (I hope you mean NTLMv1, because if you mean all NTLM versions there is a simple solution, turn off your Windows machines.)

Whatever, this is not a Samba problem.

Rowland
Reinaldo Souza Gomes
2018-Oct-10 20:38 UTC
[Samba] How to disable NTLM authentication on Samba
Whenever a client uses Kerberos as authentication, it succeeds. Whenever a client uses NTLM as authentication, it fails (logs below) since SSSD can't support NTLM. Thus my question: what can I do to prevent NTLM from being used??

[2018/10/09 17:49:29.507046, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2018/10/09 17:49:29.507074, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME] remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]

On Wednesday, 10 October 2018 17:09:54 BRT, Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> How would samba forward any requests on to any other service? You can have sssd set up on a server if you also need to support things like ssh, sftp, and nfs, but that is separate from samba's "Windows" services.
>
> Or do you mean it forwards NTLM requests to a different server?
>
> Disabling NTLM altogether would be a useful feature if you are trying to minimize the attack surface.
>
> On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
>> Forgive me if I have misunderstood your words, but what I want is to prevent Samba from accepting NTLM (v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
>>
>> Putting it in other words: what can I do (preferably on the Samba server) to prevent Windows clients from successfully sending NTLM authentication to my Samba server?
>>
>> On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
>>> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>>>
>>>> How can I make sure that NTLM(SSP) will never be used??
>>>>
>>>> I've set up Samba with SSSD and everything works fine... except for a
>>>> few Windows machines which every now and then happen to send NTLM
>>>> authentication flags to the Samba server, which happily forwards
>>>> them. And then the authentication fails because SSSD doesn't support
>>>> NTLM.
>>>>
>>>> I've tried all sorts of parameter combinations on smb.conf (including
>>>> "ntlm auth = disabled"), but I didn't find a way to completely refuse
>>>> NTLM authentication on the Samba server, and force the client to use
>>>> another authentication method (Kerberos).
>>>
>>> You will have to ask the sssd-users mailing list, you are not using
>>> Samba for authentication.
>>>
>>> sssd isn't a Samba product.
>>>
>>> Samba by default no longer uses NTLMv1
>>>
>>> Rowland
>>>
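Added example, not from this thread and not Samba's own code: a small Python parser for the level-2 "Auth:" lines Reinaldo posted, which tallies which client addresses still authenticate with NTLM rather than Kerberos, so an admin can find the Windows hosts that are not presenting tickets. The sample log is constructed in the format of the quoted lines; the Kerberos line's field values (auth description, workstation, port) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of Samba level-2 "Auth:" events in the auth_log.c format
# quoted in the thread. Hosts, ports and the Kerberos line's field values are
# placeholders assumed for this example, not output from a real server.
SAMPLE_LOG = r"""
[2018/10/09 17:49:29.507074, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME] remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]
[2018/10/09 17:51:10.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,krb5] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:51:10.000000 -03] with [krb5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.2:50012] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]
[2018/10/09 17:52:30.000000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:52:30.000000 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME] remote host [ipv4:192.168.1.1:1117] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]
"""

# One regex over the bracketed fields of an "Auth:" line; other lines are skipped.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(text):
    """Return one dict per Auth: line with the mechanism, status and client IP."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # remote host is "ipv4:192.168.1.1:1109" (or ipv6:...); drop family and port
        fam, _, hostport = ev["remote"].partition(":")
        ev["remote_ip"] = hostport.rsplit(":", 1)[0] if hostport else fam
        ev["is_ntlm"] = ev["mech"].upper().startswith("NTLM")
        events.append(ev)
    return events

def ntlm_clients(events):
    """Count NTLM attempts per client address: these are the Windows hosts
    that are not presenting a Kerberos ticket for this server."""
    return Counter(ev["remote_ip"] for ev in events if ev["is_ntlm"])

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for ip, n in ntlm_clients(evs).most_common():
        print(f"{ip}: {n} NTLM attempt(s)")
```

Run it against a real log.smbd captured at log level 2 (or higher) to get the per-client list of NTLM fallbacks instead of the constructed sample.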