samba - Oct 2018 - How to disable NTLM authentication on Samba

Forgive me if I have misundertood your words, but what I want is to prevent
Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it, since
SSSD does not support it. I am not trying to get SSSD to support any kind of
NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
Putting it in another words: what can I do (preferrably on the Samba server) to
prevent windows clients from successfully sending NTLM authentication to my
Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT, Rowland
Penny via samba <samba at lists.samba.org> escreveu:
 
 On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
> 
> How can I make sure that NTLM(SSP) will never be used??
> 
> I’ve set up Samba with SSSD and everything Works fine... except for a
> few Windows machines which every now and then happen to send NTLM
> authentication flags to the Samba server, which happily forwards
> them. And then the authentication fails because SSSD doesn’t support
> NTLM.
> 
> I’ve tried all sorts of parameters combination on smb.conf (including
> "ntlm auth = disabled"), but I didn’t find a way to completely
refuse
> NTLM authentication on the Samba server, and force the client to use
> another authentication method (kerberos).
You will have to ask the sssd-users mailing list, you are not using
Samba for authentication.

sssd isn't a Samba product.

Samba by default no longer uses NTLMv1

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

How would samba forward any requests on to any other service ?       You 
can have sssd setup on a server if you also need to support things like 
ssh, sftp, and nfs but that is separate from samba's "Windows"
services.

Or do you mean it forwards NTLM requests to a different server ?


Disabling NTLM altogether would be a useful feature if you are trying to 
minimize the attack surface.






On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
>   Forgive me if I have misundertood your words, but what I want is to
prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it,
since SSSD does not support it. I am not trying to get SSSD to support any kind
of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that
correct?
> Putting it in another words: what can I do (preferrably on the Samba
server) to prevent windows clients from successfully sending NTLM authentication
to my Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT,
Rowland Penny via samba <samba at lists.samba.org> escreveu:
>   
>   On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I’ve set up Samba with SSSD and everything Works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>>
>> I’ve tried all sorts of parameters combination on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to
completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland
>

On Wed, 10 Oct 2018 16:07:24 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> How would samba forward any requests on to any other service ?
> You can have sssd setup on a server if you also need to support
> things like ssh, sftp, and nfs but that is separate from samba's
> "Windows" services.
> 
> Or do you mean it forwards NTLM requests to a different server ?
> 
> 
> Disabling NTLM altogether would be a useful feature if you are trying
> to minimize the attack surface.
> 
smbd used to be able to do authentication, it now passes this to
winbind.

You should not run winbind with sssd because it has its own winbind
lib. So, if you are using sssd, you are not using winbind, so how can
it pass anything to sssd ?

I do not understand why people run sssd with Samba, there is very
little that sssd can do, that winbind cannot.

As I said, if you run sssd and are having problems, ask the sssd-users
mailing list first.

Rowland

On Wed, 10 Oct 2018 19:52:41 +0000 (UTC)
Reinaldo Souza Gomes <reinaldosouzagomes at yahoo.com.br> wrote:
>  Forgive me if I have misundertood your words, but what I want is to
> prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and
> forwarding it, since SSSD does not support it. I am not trying to get
> SSSD to support any kind of NTLM. So, this would be a Samba issue,
> not SSSD's. Isn't that correct? Putting it in another words: what
can
> I do (preferrably on the Samba server) to prevent windows clients
> from successfully sending NTLM authentication to my Samba server?
> Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT, Rowland Penny
> via samba <samba at lists.samba.org> escreveu: On Wed, 10 Oct 2018
> 18:50:23 +0000 (UTC) Reinaldo Souza Gomes via samba
> <samba at lists.samba.org> wrote:
> 
> > 
> > How can I make sure that NTLM(SSP) will never be used??
> > 
Let me put it this way:

Samba isn't forwarding anything to sssd
Samba isn't doing your authentication, sssd is
Your windows clients are talking directly to sssd

This means you need to stop NTLMv1 from your Clients (I hope you
mean NTLMv1, because if you mean all NTLM versions there is a simple
solution, turn off your Windows machines.)

Whatever, this is not a Samba problem.

Rowland

Whenever a client uses kerberos as authentication, it succeeds.
Whenever a client uses NTLM as authentication, it fails (logs bellow) since SSSD
can't support NTLM. Thus my question: what can I do to prevent NTLM from
being used??
[2018/10/09 17:49:29.507046,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)  check_ntlm_password: 
Authentication for user [MYUSER] -> [MYUSER] FAILED with error
NT_STATUS_NO_LOGON_SERVERS, authoritative=1[2018/10/09 17:49:29.507074,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)  Auth:
[SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03]
with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME]
remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host
[ipv4:10.0.0.1:445]  
    Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal via
samba <samba at lists.samba.org> escreveu:
 
 How would samba forward any requests on to any other service ?       You 
can have sssd setup on a server if you also need to support things like 
ssh, sftp, and nfs but that is separate from samba's "Windows"
services.

Or do you mean it forwards NTLM requests to a different server ?


Disabling NTLM altogether would be a useful feature if you are trying to 
minimize the attack surface.






On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
>  Forgive me if I have misundertood your words, but what I want is to
prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it,
since SSSD does not support it. I am not trying to get SSSD to support any kind
of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that
correct?
> Putting it in another words: what can I do (preferrably on the Samba
server) to prevent windows clients from successfully sending NTLM authentication
to my Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT,
Rowland Penny via samba <samba at lists.samba.org> escreveu:
>  
>  On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I’ve set up Samba with SSSD and everything Works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>>
>> I’ve tried all sorts of parameters combination on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to
completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba