Reinaldo Souza Gomes
2018-Oct-10 21:27 UTC
[Samba] How to disable NTLM authentication on Samba
The domain controller is Windows. The file server is Linux/Samba. The clients are Windows.

I've tested the access on a dozen different Windows machines. Three of them used NTLM and failed. All the others used Kerberos and succeeded. They're all in the same network, same domain. Maybe it's the Windows version? But they're all Windows 8 or 10, not a great deal of a difference between them.

Those logs are from the Samba server, upon receiving the NTLM authentication attempt. Smbd is version 4.7.1 on CentOS 7.5.

I've tried a lot of different configurations regarding NTLM on the Samba server. Currently, they're like this:

client NTLMv2 auth = no
client lanman auth = no
ntlm auth = disabled
lanman auth = no

I thought there could be a way of telling the Windows machines something like "Hey, I'm not accepting any kind of NTLM. If you want to access this Samba server, use Kerberos!". But I can't find it.

On Wednesday, 10 October 2018 18:13:54 BRT, Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

I must be missing something -

Are these Windows clients? Or are these Linux clients authenticating against Samba?

If they were Linux clients then yes, I could see sssd or other authentication components besides winbind coming into play. And in that case yes, you would have sssd work with winbind to enable caching of credentials.

Is the event log entry below from the server? Is it from the domain controller or a file server?

What version of Samba are you running?

Are the file servers and domain controllers all Samba or do you have a mix of, say, Samba file servers with Windows AD servers?

The "no logon server" entry looks more relevant. What version of Windows clients? I think NTLMv2 is supported as far back as NT 4.0 SP6. Windows 2000 and later should be trying to use Kerberos in preference to NTLM. By chance have you disabled NTLMv2 and only enabled v1? Are some Windows clients failing while others succeeding?
On 10/10/18 16:38, Reinaldo Souza Gomes wrote:
> Whenever a client uses Kerberos as authentication, it succeeds.
>
> Whenever a client uses NTLM as authentication, it fails (logs below)
> since SSSD can't support NTLM. Thus my question: what can I do to
> prevent NTLM from being used?
>
> [2018/10/09 17:49:29.507046, 2]
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [MYUSER] -> [MYUSER]
> FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
> [2018/10/09 17:49:29.507074, 2]
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
> Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018
> 17:49:29.507062 -03] with [NTLMv2] status
> [*NT_STATUS_NO_LOGON_SERVERS*] workstation [MACHINENAME] remote host
> [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host
> [ipv4:10.0.0.1:445]
>
> On Wednesday, 10 October 2018 17:09:54 BRT, Gaiseric Vandal
> via samba <samba at lists.samba.org> wrote:
>
> How would samba forward any requests on to any other service? You
> can have sssd set up on a server if you also need to support things like
> ssh, sftp, and nfs but that is separate from samba's "Windows" services.
>
> Or do you mean it forwards NTLM requests to a different server?
>
> Disabling NTLM altogether would be a useful feature if you are trying to
> minimize the attack surface.
>
> On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
> > Forgive me if I have misunderstood your words, but what I want is to
> > prevent Samba from accepting NTLM (v1, v2, SSP, or whatever) and
> > forwarding it, since SSSD does not support it. I am not trying to get
> > SSSD to support any kind of NTLM. So, this would be a Samba issue, not
> > SSSD's. Isn't that correct?
> >
> > Putting it in other words: what can I do (preferably on the Samba
> > server) to prevent Windows clients from successfully sending NTLM
> > authentication to my Samba server?
> >
> > On Wednesday, 10 October 2018 16:29:28 BRT, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> > Reinaldo Souza Gomes via samba <samba at lists.samba.org> wrote:
> >
> >> How can I make sure that NTLM(SSP) will never be used?
> >>
> >> I've set up Samba with SSSD and everything works fine... except for a
> >> few Windows machines which every now and then happen to send NTLM
> >> authentication flags to the Samba server, which happily forwards
> >> them. And then the authentication fails because SSSD doesn't support
> >> NTLM.
> >>
> >> I've tried all sorts of parameter combinations on smb.conf (including
> >> "ntlm auth = disabled"), but I didn't find a way to completely refuse
> >> NTLM authentication on the Samba server, and force the client to use
> >> another authentication method (Kerberos).
> >
> > You will have to ask the sssd-users mailing list, you are not using
> > Samba for authentication.
> >
> > sssd isn't a Samba product.
> >
> > Samba by default no longer uses NTLMv1
> >
> > Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
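Parsing the smbd "Auth:" lines quoted in this message to separate Kerberos logons from NTLM fallbacks, as an added example that is not code from the thread or from Samba: the regex follows the field order of the quoted log line, the sample records are constructed (the first is the thread's own line), and the "[SMB2,Kerberos]" field of the Kerberos record is an assumption.

```python
"""Spot NTLM fallbacks in smbd's level-2 'Auth:' log lines (auth_log.c)."""
import re
from collections import Counter
from dataclasses import dataclass

# One pattern over the human-readable auth line. '\s+' rather than a single
# space lets mail-wrapped copies of a log line still match, and the status
# group tolerates the '*' emphasis a mail client may add around it.
AUTH_RE = re.compile(
    r"Auth:\s+\[(?P<service>[^,\]]+),(?P<auth_desc>[^\]]*)\]\s+"
    r"user\s+\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]\s+"
    r"at\s+\[(?P<when>[^\]]*)\]\s+"
    r"with\s+\[(?P<method>[^\]]*)\]\s+"
    r"status\s+\[\*?(?P<status>[^\]*]+)\*?\]\s+"
    r"workstation\s+\[(?P<workstation>[^\]]*)\]\s+"
    r"remote\s+host\s+\[(?P<remote>[^\]]*)\]"
)

@dataclass(frozen=True)
class AuthEvent:
    domain: str
    user: str
    method: str       # "Kerberos", "NTLMv2", "NTLMv1", ...
    status: str       # NT_STATUS_* as logged
    workstation: str
    remote: str

def parse_auth_events(log_text: str) -> list[AuthEvent]:
    """Extract every 'Auth:' record from a blob of smbd log text."""
    return [AuthEvent(m["domain"], m["user"], m["method"], m["status"],
                      m["workstation"], m["remote"])
            for m in AUTH_RE.finditer(log_text)]

def ntlm_fallbacks(events: list[AuthEvent]) -> list[AuthEvent]:
    """Clients that presented no Kerberos ticket. On a domain member this
    means the client could not get a cifs/ service ticket and fell back to
    NTLM on its own; smbd can refuse NTLM but cannot prevent the attempt."""
    return [e for e in events if e.method != "Kerberos"]

def summarize(events: list[AuthEvent]) -> dict:
    ntlm = ntlm_fallbacks(events)
    return {
        "by_method": dict(Counter(e.method for e in events)),
        "ntlm_workstations": sorted({e.workstation for e in ntlm}),
        # NTLM attempts smbd had no DC to verify against (this thread's error)
        "no_logon_server": sorted({e.workstation for e in ntlm
                                   if e.status == "NT_STATUS_NO_LOGON_SERVERS"}),
    }

# Constructed sample: the first record is the thread's own log line (with the
# mail client's '*' around the status); the other two are made up for contrast,
# and the '[SMB2,Kerberos]' field of the Kerberos record is an assumption.
SAMPLE_LOG = r"""
[2018/10/09 17:49:29.507074, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03] with [NTLMv2] status [*NT_STATUS_NO_LOGON_SERVERS*] workstation [MACHINENAME] remote host [ipv4:192.168.1.1:1109] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:10.0.0.1:445]
[2018/10/09 17:50:11.000001, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,Kerberos] user [MYDOMAIN]\[USER2] at [Tue, 09 Oct 2018 17:50:11.000000 -03] with [Kerberos] status [NT_STATUS_OK] workstation [WS-OK] remote host [ipv4:192.168.1.2:50112] mapped to [MYDOMAIN]\[USER2]. local host [ipv4:10.0.0.1:445]
[2018/10/09 17:51:42.000001, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[USER3] at [Tue, 09 Oct 2018 17:51:42.000000 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WS-LEGACY] remote host [ipv4:192.168.1.3:50344] mapped to [MYDOMAIN]\[USER3]. local host [ipv4:10.0.0.1:445]
"""

if __name__ == "__main__":
    for key, value in summarize(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real log.smbd at log level 2, the "no_logon_server" list names the workstations that fell back to NTLM and could not be verified, which is exactly the set to check for Kerberos ticket problems.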
Reinaldo Souza Gomes
2018-Oct-10 23:15 UTC
[Samba] How to disable NTLM authentication on Samba
This issue right here told me exactly what I needed to understand this
authentication process: https://pagure.io/SSSD/sssd/issue/3228
- The client talks to the DC to try and get a cifs ticket for my Samba
server's principal name;
- In case the client can't get the ticket for any reason, it falls back to
NTLM <- Windows client decision, nothing can be done about it by Samba/SSSD;
Once I realized this, I investigated the Windows machines which couldn't
access my Samba server, and I found out that they were authenticating to a DC
which didn't receive the replication for the Samba server's machine
account (!!!). Therefore the Windows client could not get a Kerberos ticket for
my Samba server, and would eventually fall back to NTLM.
Nice. So now I know exactly what's going on. Just have to fix this
replication and all will be good.
But what if I need to authenticate from a machine where NTLM is the only
possibility?
I've tried to install the "gssntlmssp.x86_64" package for CentOS,
as this post suggests (https://bugzilla.redhat.com/show_bug.cgi?id=963341), but
it didn't help.
Anyway, as far as Samba goes, I think this is as far as you guys could help me.
Thank you for your attention.
Single DC?
If a single DC then there should not be any replication issues - that
would only be between domain controllers and the event logs would
indicate that. I have 2 Windows DCs with a mix of Samba member servers.
As far as I know, the domain member does not need client NTLM auth to be
enabled to talk to the DC but I am not 100% sure. You may want to try
re-enabling it and maybe enabling NTLMv1 for the server auth just to see
if that makes a difference. NTLMv1 is not recommended for security
reasons but it may help identify the problem.
On my member servers
# testparm -v | grep -i ntlm
...
Loaded services file OK.
...
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
client NTLMv2 auth = Yes
ntlm auth = ntlmv2-only
raw NTLMv2 auth = No
Does "wbinfo -u" and "wbinfo -g" show the domain users and
groups?
Does "getent passwd" and "getent group" show the domain
users and groups?
Do the "wbinfo -t" and "net ads testjoin" commands indicate that the
server has properly joined the domain? Did you try rejoining the
server to the domain?
Does your /etc/nsswitch.conf look like
passwd: files winbind
group: files winbind
or
passwd: files sss
group: files sss
Unless you have ssh, sftp or nfs connections to the samba server from
either windows or linux clients, there should not be any reason to set up
SSSD with AD authentication since none of the "unix" type services will
need it. Solaris or older linux versions don't even have sssd.
Did you try zapping the winbind and idmap caches ?
Probably NOT related but I had issues with Windows 10 and SMB3 in the
past so you may want to try minimizing variables with
server max protocol = SMB2
server min protocol = SMB2
I haven't had the displeasure of using Windows 8.
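Rating the NTLM-related smb.conf parameters that come up in this thread (the original poster's "ntlm auth = disabled" set and the "testparm -v | grep -i ntlm" output above) from testparm output, as an added example that is not code from the thread or from Samba; the value semantics are those documented in smb.conf(5) for Samba 4.5 and later, and the embedded testparm snippets are constructed from the thread.

```python
"""Rate the NTLM-related smb.conf settings of a Samba member server from
'testparm -v' output. Names and defaults follow smb.conf(5), Samba 4.5+."""

# Server-side meaning of each 'ntlm auth' value, with a rating.
NTLM_AUTH_MEANING = {
    "yes": ("accepts NTLMv1 as well as NTLMv2", "weak"),
    "no": ("synonym for ntlmv2-only", "ok"),
    "ntlmv2-only": ("accepts NTLMv2 only (the default)", "ok"),
    "mschapv2-and-ntlmv2-only": ("NTLMv2 only, plus MSCHAPv2 for RADIUS", "ok"),
    "disabled": ("refuses every NTLM flavour; only Kerberos can succeed", "strict"),
}

def parse_testparm(output: str) -> dict[str, str]:
    """Collect 'key = value' lines, lower-cased; skip section headers,
    comments and the chatter testparm prints before the dump."""
    params = {}
    for line in output.splitlines():
        stripped = line.strip()
        if "=" not in stripped or stripped.startswith(("#", ";", "[")):
            continue
        key, _, value = stripped.partition("=")
        params[key.strip().lower()] = value.strip().lower()
    return params

def ntlm_posture(params: dict[str, str]) -> dict:
    """Report whether smbd still accepts any NTLM, every finding as a
    (parameter, value, meaning, rating) tuple, and the 'weak' subset."""
    findings = []
    ntlm = params.get("ntlm auth", "ntlmv2-only")
    meaning, rating = NTLM_AUTH_MEANING.get(ntlm, ("unrecognised value", "weak"))
    findings.append(("ntlm auth", ntlm, meaning, rating))
    if params.get("lanman auth", "no") == "yes":
        findings.append(("lanman auth", "yes", "LanMan hashes accepted", "weak"))
    if params.get("raw ntlmv2 auth", "no") == "yes":
        findings.append(("raw ntlmv2 auth", "yes",
                         "NTLMv2 accepted from SMB1 clients without SPNEGO", "weak"))
    # Client-side knobs only govern what smbd sends when it authenticates to
    # another server (e.g. a DC); they do not restrict what Windows clients send.
    if params.get("client ntlmv2 auth", "yes") == "no":
        findings.append(("client ntlmv2 auth", "no",
                         "smbd falls back to NTLMv1 when acting as a client", "weak"))
    if params.get("client lanman auth", "no") == "yes":
        findings.append(("client lanman auth", "yes",
                         "smbd may send LanMan responses as a client", "weak"))
    return {
        "accepts_ntlm": ntlm != "disabled",
        "findings": findings,
        "weak": [f for f in findings if f[3] == "weak"],
    }

# Constructed from the thread: the original poster's four smb.conf lines.
OP_CONF = """
client NTLMv2 auth = no
client lanman auth = no
ntlm auth = disabled
lanman auth = no
"""

# Constructed from the thread: 'testparm -v | grep -i ntlm' on a member server.
MEMBER_TESTPARM = """
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
client NTLMv2 auth = Yes
ntlm auth = ntlmv2-only
raw NTLMv2 auth = No
"""
```

Note that "accepts_ntlm" describes only what smbd will verify: as the thread concludes, a Windows client that cannot obtain a Kerberos ticket decides on its own to try NTLM, and a server set to "disabled" can only refuse that attempt, not prevent it.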