Jake Carroll
2010-Feb-09 00:47 UTC
[Samba] Is NTLMv2 auth possible with security = SERVER ?
Hi list.

I've been running up against a bunch of ntlm v2 related issues recently with Windows 7 and Mac OS X 10.6 client systems attempting to connect to my Solaris 10 samba 3.0.37 server.

As it turns out, Sun engineering suggest that because I use "security = SERVER" rather than "security = DOMAIN", ntlmv2 auth will never actually work, even if I have settings such as:

client lanman auth = no
ntlm auth = no
client ntlmv2 auth = yes

So - I guess the question is, is it possible to use ntlmv2 with security = server, or does that fundamentally not make sense? The suggestions engineering have given me suggest it's just not possible and it needs to be running in domain mode to work. Any work arounds/techniques to get around such an issue?

Thanks all!

Cheers.

JC

Andrew Bartlett
2010-Feb-09 02:02 UTC
[Samba] Is NTLMv2 auth possible with security = SERVER ?
On Tue, 2010-02-09 at 10:47 +1000, Jake Carroll wrote:
> Hi list.
>
> I've been running up against a bunch of ntlm v2 related issues recently with Windows 7 and Mac OS X 10.6 client systems attempting to connect to my Solaris 10 samba 3.0.37 server.
>
> As it turns out, Sun engineering suggest that because I use "security = SERVER" rather than "security = DOMAIN", ntlmv2 auth will never actually work, even if I have settings such as:
>
> client lanman auth = no
> ntlm auth = no
> client ntlmv2 auth = yes
>
> So - I guess the question is, is it possible to use ntlmv2 with security = server, or does that fundamentally not make sense? The suggestions engineering have given me suggest it's just not possible and it needs to be running in domain mode to work. Any work arounds/techniques to get around such an issue?

You should never use 'security=server' if there is any other possible way to authenticate your users. It is a disgusting man in the middle attack, that therefore makes important security features go away, including NTLMv2.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
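
A configuration check for the situation discussed in this thread, added here as an example and not part of either post or of Samba itself: it reads the [global] section of an smb.conf and reports when `security = server` is set alongside the NTLM settings quoted above. The names `parse_global`, `audit`, `WATCHED` and the host `pdc.example.test` are hypothetical, and the sample file is constructed.

```python
import re

# Constructed sample: the settings quoted in the thread, with case and
# spacing varied to exercise the name normalization below.
SAMPLE_SMB_CONF = """\
[global]
   Security = SERVER
   password server = pdc.example.test
   client lanman auth = no
   ntlm auth = no
   client NTLMv2 auth = yes
[homes]
   read only = no
"""

WATCHED = {"clientlanmanauth": "client lanman auth", "ntlmauth": "ntlm auth",
           "clientntlmv2auth": "client ntlmv2 auth"}

def _norm(name):  # smb.conf names ignore case and whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, "global"  # assumption: pre-header lines are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = _norm(header.group(1))
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def audit(text):
    """Findings for the pass-through mode the reply warns against."""
    params = parse_global(text)
    if params.get("security", "").lower() != "server":
        return []
    findings = ["security = server: pass-through authentication; per the "
                "thread, NTLMv2 does not work in this mode"]
    for key, label in WATCHED.items():
        if key in params:
            findings.append(f"{label} = {params[key]}: has no effect on "
                            "NTLMv2 support while security = server is set")
    return findings

print("\n".join(audit(SAMPLE_SMB_CONF)))
```
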