Hi All,
Server:
Fedora 26
samba-4.6.8-0.fc26.x86_64
Workstations (5 of them):
XP Pro SP3
I set all five of my customer XP workstations to
Send NTLMv2 response only\\refuse LM and NTLM
and turned off (smb.conf)
lanman auth = yes
ntlm auth = yes
And had to turn it right back on as the customer's
Xerox Workcentre 3550 multifunction printer scanner
requires it
What are the security ramification to Samba?
Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150, 9:00 am to 5:00 pm PST/PDT
Error from the scanner:
Destination 1 : Status....Failed
Status Details : username or password is wrong
Friendly Name : WorkCenter
Server Name : 192.168.255.12
Path : scans
Protocol : SMB
Filing Policy : CHANGENAME
Document Name : 1
lanman should always be disabled. use "testparm -v" to make sure the settings are applied as you expect. With different samba versions, the defaults may change. I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could be wrong. NTLMv2 is stronger. And I think clients will negotiate the strongest common protocol. If you are in a small network where you can see what is getting added, and you are using ethernet switches (not ethernet hubs) to minimize packet capture, you should be OK. (unless you are designing the next stealth fighter.) Best practices would dictate NTLMv2 if possible. I would try disabling lanman, leaving ntlm enabled and see if the xerox works. On 10/02/17 17:16, ToddAndMargo via samba wrote:> Hi All, > > Server: > Fedora 26 > samba-4.6.8-0.fc26.x86_64 > > Workstations (5 of them): > XP Pro SP3 > > > I set all five of my customer XP workstations to > > Send NTLMv2 response only\\refuse LM and NTLM > > and turned off (smb.conf) > > lanman auth = yes > ntlm auth = yes > > And had to turn it right back on as the customer's > Xerox Workcentre 3550 multifunction printer scanner > requires it > > What are the security ramification to Samba? > > Many thanks, > -T > Tony Ewell, B.S.E.E. > Owner, Rent-A-Nerd Computer Services > 775-265-5150, 9:00 am to 5:00 pm PST/PDT > > > Error from the scanner: > > Destination 1 : Status....Failed > Status Details : username or password is wrong > Friendly Name : WorkCenter > Server Name : 192.168.255.12 > Path : scans > Protocol : SMB > Filing Policy : CHANGENAME > Document Name : 1 > > > > >
> On 10/02/17 17:16, ToddAndMargo via samba wrote: >> Hi All, >> >> Server: >> Fedora 26 >> samba-4.6.8-0.fc26.x86_64 >> >> Workstations (5 of them): >> XP Pro SP3 >> >> >> I set all five of my customer XP workstations to >> >> Send NTLMv2 response only\\refuse LM and NTLM >> >> and turned off (smb.conf) >> >> lanman auth = yes >> ntlm auth = yes >> >> And had to turn it right back on as the customer's >> Xerox Workcentre 3550 multifunction printer scanner >> requires it >> >> What are the security ramification to Samba? >> >> Many thanks, >> -T >> Tony Ewell, B.S.E.E. >> Owner, Rent-A-Nerd Computer Services >> 775-265-5150, 9:00 am to 5:00 pm PST/PDT >> >> >> Error from the scanner: >> >> Destination 1 : Status....Failed >> Status Details : username or password is wrong >> Friendly Name : WorkCenter >> Server Name : 192.168.255.12 >> Path : scans >> Protocol : SMB >> Filing Policy : CHANGENAME >> Document Name : 1On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote: > lanman should always be disabled. use "testparm -v" to make sure the > settings are applied as you expect. With different samba versions, the > defaults may change. > > I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could > be wrong. NTLMv2 is stronger. And I think clients will > negotiate the strongest common protocol. If you are in a small > network where you can see what is getting added, and you are using > ethernet switches (not ethernet hubs) to minimize packet capture, you > should be OK. (unless you are designing the next stealth > fighter.) Best practices would dictate NTLMv2 if possible. > > > I would try disabling lanman, leaving ntlm enabled and see if the xerox > works. If I disable (as I did), then the scanner won't save to smb. So, I am stuck with it.