On 17/11/2022 11:39, Stefan G. Weichinger via samba wrote:
> A customer where I run a samba-AD-domain gets a new VOIP PBX thingie ...
>
> so I am writing port forwardings, firewall rules and what not to allow
> that beast access to this and that.
>
> One feature is some kind of "Netlogon": the software on the PCs should
> be able to access AD-users for its authentication.
>
>
> http://wiki.innovaphone.com/index.php?title=Reference13r1:Concept_Netlogon_Windows_Authentication
>
> I created a computer account ... on the shell, because the DC (samba)
> doesn't run PowerShell ...
>
> The PBX gets a connection somehow, but the users fail.
>
> Look at the wiki:
>
> "Currently NTLMv1 is used"
>
> :-(
>
> I added this for a short test:
>
> lm announce = no
> lanman auth = no
> ntlm auth = yes
> client lanman auth = no
> client ntlmv2 auth = yes
The only one that really needs setting is 'ntlm auth = yes', but there
is a problem with that, it isn't very secure.
>
> Took that out of a thread here in 2017:
>
> https://lists.samba.org/archive/samba/2017-July/209983.html
>
> For sure that isn't safe, and I don't like allowing unsafe stuff.
>
> recommendations?
>
Put it back in the box, send it back and find another, more secure PBX.
Knowing how loath companies are to buy things, they probably expect
this thing to last at least 10 years. Before that time is up, I expect
there to be nothing mainstream using NTLMv1, mind you, this is just my
opinion.
Rowland
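The thread turns on a single smb.conf parameter, `ntlm auth`, and whether its value lets NTLMv1 logins through. The script below is an added example for auditing that, not code from the thread or from the Samba project: it reads the `[global]` section of an smb.conf and classifies the effective `ntlm auth` value. The sample config text is constructed; the assumption that a missing `ntlm auth` line means the Samba default of `ntlmv2-only` (the default since Samba 4.5) is stated in the comments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report whether an
# smb.conf permits NTLMv1 authentication via the 'ntlm auth' parameter.

# ntlm_auth_value FILE
# Prints the lower-cased 'ntlm auth' value found in [global], or "unset"
# when the parameter is not present in that section.
ntlm_auth_value() {
    awk -F'=' '
        # Track which section we are in; only [global] matters here.
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && $1 ~ /^[[:space:]]*ntlm[[:space:]]+auth[[:space:]]*$/ {
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# ntlmv1_permitted FILE
# Exit status 0 when the config accepts NTLMv1, 1 when only NTLMv2
# (or MSCHAPv2 plus NTLMv2) is accepted.
# Assumption: an absent 'ntlm auth' line falls back to the Samba default
# of ntlmv2-only, which has been the default since Samba 4.5.
ntlmv1_permitted() {
    case "$(ntlm_auth_value "$1")" in
        yes|true|1|ntlmv1-permitted) return 0 ;;
        *) return 1 ;;
    esac
}

# audit FILE: one-line human-readable verdict.
audit() {
    if ntlmv1_permitted "$1"; then
        echo "$1: ntlm auth = $(ntlm_auth_value "$1") -> NTLMv1 logins PERMITTED"
    else
        echo "$1: ntlm auth = $(ntlm_auth_value "$1") -> NTLMv2 only"
    fi
}

# Constructed sample: the short-test config quoted in the thread, with a
# share section after [global] to show the section tracking works.
SAMPLE=$(mktemp)
printf '[global]\n\tworkgroup = EXAMPLE\n\tlanman auth = no\n\tntlm auth = yes\n[data]\n\tpath = /srv/data\n' > "$SAMPLE"
audit "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against the live configuration with `audit /etc/samba/smb.conf`; on a DC where `ntlm auth` is unset, the fallback branch reports NTLMv2 only, matching Samba's default rather than the weak setting the PBX vendor asks for.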