samba - Oct 2018 - How to disable NTLM authentication on Samba

Whenever a client uses kerberos as authentication, it succeeds.
Whenever a client uses NTLM as authentication, it fails (logs bellow) since SSSD
can't support NTLM. Thus my question: what can I do to prevent NTLM from
being used??
[2018/10/09 17:49:29.507046,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)  check_ntlm_password: 
Authentication for user [MYUSER] -> [MYUSER] FAILED with error
NT_STATUS_NO_LOGON_SERVERS, authoritative=1[2018/10/09 17:49:29.507074,  2]
../auth/auth_log.c:760(log_authentication_event_human_readable)  Auth:
[SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03]
with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME]
remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host
[ipv4:10.0.0.1:445]  
    Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal via
samba <samba at lists.samba.org> escreveu:
 
 How would samba forward any requests on to any other service ?       You 
can have sssd setup on a server if you also need to support things like 
ssh, sftp, and nfs but that is separate from samba's "Windows"
services.

Or do you mean it forwards NTLM requests to a different server ?


Disabling NTLM altogether would be a useful feature if you are trying to 
minimize the attack surface.






On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
>  Forgive me if I have misundertood your words, but what I want is to
prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it,
since SSSD does not support it. I am not trying to get SSSD to support any kind
of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that
correct?
> Putting it in another words: what can I do (preferrably on the Samba
server) to prevent windows clients from successfully sending NTLM authentication
to my Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT,
Rowland Penny via samba <samba at lists.samba.org> escreveu:
>  
>  On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>
>> How can I make sure that NTLM(SSP) will never be used??
>>
>> I’ve set up Samba with SSSD and everything Works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>>
>> I’ve tried all sorts of parameters combination on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to
completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
>
> sssd isn't a Samba product.
>
> Samba by default no longer uses NTLMv1
>
> Rowland
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Wed, 10 Oct 2018 20:38:02 +0000 (UTC)
Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
>  Whenever a client uses kerberos as authentication, it succeeds.
> Whenever a client uses NTLM as authentication, it fails (logs bellow)
> since SSSD can't support NTLM. Thus my question: what can I do to
> prevent NTLM from being used?? [2018/10/09 17:49:29.507046,
> 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
> check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER]
> FAILED with error NT_STATUS_NO_LOGON_SERVERS,

The NTLM request isn't coming from Samba, so how can it be anything to
do with Samba ????

Stop your clients from using NTLM, this will fix it.

I think you will find that trying to turn all NTLM off isn't really
feasible and you only really need to stop your clients using NTLMv1

Rowland

I must be missing something-


Are these Windows clients?  Or are these Linux clients authenticating 
against Samba ?


if they were linux clients then yes I could see sssd or other 
authentication components besides winbind coming into play. And in that 
case yes you would have sssd work with winbind to enable caching of 
credentials.


Is the event log entry below from the server ?   Is it from the domain 
controller or a file server?


What version of Samba are you running?

Are the files servers and domain controllers all Samba or do you have a 
mix of say Samba file servers with Windows AD servers?

The "no logon server" entry looks more relevant.      What version of 
Windows clients.        I think NTLMv2 is supported as far back as NT 
4.0 SP6.         Windows 2000 and later should be trying to use kerberos 
in preference to NTLM.   By chance have you disabled NTLMv2 and only 
enabled v1?      Are some windows clients failing while others succeeding ?








On 10/10/18 16:38, Reinaldo Souza Gomes wrote:
> Whenever a client uses kerberos as authentication, it succeeds.
>
> Whenever a client uses NTLM as authentication, it fails (logs bellow) 
> since SSSD can't support NTLM. Thus my question: what can I do to 
> prevent NTLM from being used??
>
> [2018/10/09 17:49:29.507046,  2] 
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER] 
> FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2018/10/09 17:49:29.507074,  2] 
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 
> 17:49:29.507062 -03] with [NTLMv2] status 
> [*NT_STATUS_NO_LOGON_SERVERS*] workstation [MACHINENAME] remote host 
> [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host 
> [ipv4:10.0.0.1:445]
>
> Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal 
> via samba <samba at lists.samba.org> escreveu:
>
>
> How would samba forward any requests on to any other service ?       You
> can have sssd setup on a server if you also need to support things like
> ssh, sftp, and nfs but that is separate from samba's
"Windows" services.
>
> Or do you mean it forwards NTLM requests to a different server ?
>
>
> Disabling NTLM altogether would be a useful feature if you are trying to
> minimize the attack surface.
>
>
>
>
>
>
> On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> >  Forgive me if I have misundertood your words, but what I want is to 
> prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and 
> forwarding it, since SSSD does not support it. I am not trying to get 
> SSSD to support any kind of NTLM. So, this would be a Samba issue, not 
> SSSD's. Isn't that correct?
> > Putting it in another words: what can I do (preferrably on the Samba 
> server) to prevent windows clients from successfully sending NTLM 
> authentication to my Samba server?    Em quarta-feira, 10 de outubro 
> de 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org 
> <mailto:samba at lists.samba.org>> escreveu:
> >
> >  On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> > Reinaldo Souza Gomes via samba <samba at lists.samba.org 
> <mailto:samba at lists.samba.org>> wrote:
> >
> >> How can I make sure that NTLM(SSP) will never be used??
> >>
> >> I’ve set up Samba with SSSD and everything Works fine... except
for a
> >> few Windows machines which every now and then happen to send NTLM
> >> authentication flags to the Samba server, which happily forwards
> >> them. And then the authentication fails because SSSD doesn’t
support
> >> NTLM.
> >>
> >> I’ve tried all sorts of parameters combination on smb.conf
(including
> >> "ntlm auth = disabled"), but I didn’t find a way to
completely refuse
> >> NTLM authentication on the Samba server, and force the client to
use
> >> another authentication method (kerberos).
> > You will have to ask the sssd-users mailing list, you are not using
> > Samba for authentication.
> >
> > sssd isn't a Samba product.
> >
> > Samba by default no longer uses NTLMv1
> >
> > Rowland
> >
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

The domain controler is Windows. The file Server is Linux/Samba. The clients are
Windows.
I've tested the access on a dozen different windows machines. Three of them
used NTLM and failed. All the others used kerberos and succeeded. They're
all in the same network, same domain. Maybe it's the windows version? But
they're all Window 8 or 10, not a great deal of a difference between them.
Those logs are from the Samba server, upon receiving the NTLM authentication
attempt.Smbd is version 4.7.1 on CentOS 7.5
I've tried a lot of different configurations regarding NTLM on the Samba
server. Currently, they're like this:
client NTLMv2 auth = noclient lanman auth = nontlm auth = disabledlanman auth =
no
I thought there could be a way of telling the windows machines something like
"Hey, I'm not accepting any kind of NTLM. If you want to access this
Samba server, use kerberos!". But I can't find it.    Em quarta-feira,
10 de outubro de 2018 18:13:54 BRT, Gaiseric Vandal via samba <samba at
lists.samba.org> escreveu:
 
 I must be missing something-


Are these Windows clients?  Or are these Linux clients authenticating 
against Samba ?


if they were linux clients then yes I could see sssd or other 
authentication components besides winbind coming into play. And in that 
case yes you would have sssd work with winbind to enable caching of 
credentials.


Is the event log entry below from the server ?   Is it from the domain 
controller or a file server?


What version of Samba are you running?

Are the files servers and domain controllers all Samba or do you have a 
mix of say Samba file servers with Windows AD servers?

The "no logon server" entry looks more relevant.      What version of 
Windows clients.        I think NTLMv2 is supported as far back as NT 
4.0 SP6.         Windows 2000 and later should be trying to use kerberos 
in preference to NTLM.   By chance have you disabled NTLMv2 and only 
enabled v1?      Are some windows clients failing while others succeeding ?








On 10/10/18 16:38, Reinaldo Souza Gomes wrote:
> Whenever a client uses kerberos as authentication, it succeeds.
>
> Whenever a client uses NTLM as authentication, it fails (logs bellow) 
> since SSSD can't support NTLM. Thus my question: what can I do to 
> prevent NTLM from being used??
>
> [2018/10/09 17:49:29.507046,  2] 
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER] 
> FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2018/10/09 17:49:29.507074,  2] 
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 
> 17:49:29.507062 -03] with [NTLMv2] status 
> [*NT_STATUS_NO_LOGON_SERVERS*] workstation [MACHINENAME] remote host 
> [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host 
> [ipv4:10.0.0.1:445]
>
> Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal 
> via samba <samba at lists.samba.org> escreveu:
>
>
> How would samba forward any requests on to any other service ?       You
> can have sssd setup on a server if you also need to support things like
> ssh, sftp, and nfs but that is separate from samba's
"Windows" services.
>
> Or do you mean it forwards NTLM requests to a different server ?
>
>
> Disabling NTLM altogether would be a useful feature if you are trying to
> minimize the attack surface.
>
>
>
>
>
>
> On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> >  Forgive me if I have misundertood your words, but what I want is to 
> prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and 
> forwarding it, since SSSD does not support it. I am not trying to get 
> SSSD to support any kind of NTLM. So, this would be a Samba issue, not 
> SSSD's. Isn't that correct?
> > Putting it in another words: what can I do (preferrably on the Samba 
> server) to prevent windows clients from successfully sending NTLM 
> authentication to my Samba server?    Em quarta-feira, 10 de outubro 
> de 2018 16:29:28 BRT, Rowland Penny via samba <samba at lists.samba.org 
> <mailto:samba at lists.samba.org>> escreveu:
> >
> >  On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> > Reinaldo Souza Gomes via samba <samba at lists.samba.org 
> <mailto:samba at lists.samba.org>> wrote:
> >
> >> How can I make sure that NTLM(SSP) will never be used??
> >>
> >> I’ve set up Samba with SSSD and everything Works fine... except
for a
> >> few Windows machines which every now and then happen to send NTLM
> >> authentication flags to the Samba server, which happily forwards
> >> them. And then the authentication fails because SSSD doesn’t
support
> >> NTLM.
> >>
> >> I’ve tried all sorts of parameters combination on smb.conf
(including
> >> "ntlm auth = disabled"), but I didn’t find a way to
completely refuse
> >> NTLM authentication on the Samba server, and force the client to
use
> >> another authentication method (kerberos).
> > You will have to ask the sssd-users mailing list, you are not using
> > Samba for authentication.
> >
> > sssd isn't a Samba product.
> >
> > Samba by default no longer uses NTLMv1
> >
> > Rowland
> >
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba