Folks, Our campus AD team has decided that they ...>Need to disable LM/NTLMv1 authentication support to provide greater >security and be consistent with the CITES authentication roadmap.Noble thoughts, but there hasn't been much thought of the ramifications for other, interoperable systems like Samba. I can see that modern Samba versions support NTLMv1 and NTLMv2 methods. Theoretically, that should leave support for NTLMv2, and all should work. Practically, however, there is the question of "what really happens with Samba member servers when one disables LM/NTLMv1 on the domain controllers?" Can anyone speak to this? Thanks much, -Don Don Meyer <dlmeyer@uiuc.edu> Network Manager, ACES Academic Computing Facility Technical System Manager, ACES TeleNet System UIUC College of ACES, Information Technology and Communication Services "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
Gerald (Jerry) Carter
2006-Feb-22 14:02 UTC
[Samba] Effect of disabling LM/NTLMv1 auth on an AD?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 21 Feb 2006, Don Meyer wrote:> I can see that modern Samba versions support NTLMv1 and NTLMv2 methods. > Theoretically, that should leave support for NTLMv2, and all should > work. Practically, however, there is the question of "what really > happens with Samba member servers when one disables LM/NTLMv1 on the > domain controllers?" Can anyone speak to this?We've been testing this throughout the 3.0 release series. However, we just got complete support in 3.0.21 (for all layers of authentication). There are a few small corner cases that will be fixed in 3.0.21c. If you have any problems with NTLMv2 and Samba 3.0.21c (due out real soon now), we would very much like to know. cheers, jerry ====================================================================I live in a Reply-to-All world. ----------------------- Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQFD/G7AIR7qMdg1EfYRAiraAJ4voG/RycC2qI+SyODTistlMYEQ2ACff0iN rW8HX7YkQDUjv7MZJ6o1oVU=MDAc -----END PGP SIGNATURE-----