Hi All, Server: Fedora 26 samba-4.6.8-0.fc26.x86_64 Workstations (5 of them): XP Pro SP3 I set all five of my customer XP workstations to Send NTLMv2 response only\\refuse LM and NTLM and turned off (smb.conf) lanman auth = yes ntlm auth = yes And had to turn it right back on as the customer's Xerox Workcentre 3550 multifunction printer scanner requires it What are the security ramification to Samba? Many thanks, -T Tony Ewell, B.S.E.E. Owner, Rent-A-Nerd Computer Services 775-265-5150, 9:00 am to 5:00 pm PST/PDT Error from the scanner: Destination 1 : Status....Failed Status Details : username or password is wrong Friendly Name : WorkCenter Server Name : 192.168.255.12 Path : scans Protocol : SMB Filing Policy : CHANGENAME Document Name : 1
lanman should always be disabled. use "testparm -v" to make sure the settings are applied as you expect. With different samba versions, the defaults may change. I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could be wrong. NTLMv2 is stronger. And I think clients will negotiate the strongest common protocol. If you are in a small network where you can see what is getting added, and you are using ethernet switches (not ethernet hubs) to minimize packet capture, you should be OK. (unless you are designing the next stealth fighter.) Best practices would dictate NTLMv2 if possible. I would try disabling lanman, leaving ntlm enabled and see if the xerox works. On 10/02/17 17:16, ToddAndMargo via samba wrote:> Hi All, > > Server: > Fedora 26 > samba-4.6.8-0.fc26.x86_64 > > Workstations (5 of them): > XP Pro SP3 > > > I set all five of my customer XP workstations to > > Send NTLMv2 response only\\refuse LM and NTLM > > and turned off (smb.conf) > > lanman auth = yes > ntlm auth = yes > > And had to turn it right back on as the customer's > Xerox Workcentre 3550 multifunction printer scanner > requires it > > What are the security ramification to Samba? > > Many thanks, > -T > Tony Ewell, B.S.E.E. > Owner, Rent-A-Nerd Computer Services > 775-265-5150, 9:00 am to 5:00 pm PST/PDT > > > Error from the scanner: > > Destination 1 : Status....Failed > Status Details : username or password is wrong > Friendly Name : WorkCenter > Server Name : 192.168.255.12 > Path : scans > Protocol : SMB > Filing Policy : CHANGENAME > Document Name : 1 > > > > >
> On 10/02/17 17:16, ToddAndMargo via samba wrote: >> Hi All, >> >> Server: >> Fedora 26 >> samba-4.6.8-0.fc26.x86_64 >> >> Workstations (5 of them): >> XP Pro SP3 >> >> >> I set all five of my customer XP workstations to >> >> Send NTLMv2 response only\\refuse LM and NTLM >> >> and turned off (smb.conf) >> >> lanman auth = yes >> ntlm auth = yes >> >> And had to turn it right back on as the customer's >> Xerox Workcentre 3550 multifunction printer scanner >> requires it >> >> What are the security ramification to Samba? >> >> Many thanks, >> -T >> Tony Ewell, B.S.E.E. >> Owner, Rent-A-Nerd Computer Services >> 775-265-5150, 9:00 am to 5:00 pm PST/PDT >> >> >> Error from the scanner: >> >> Destination 1 : Status....Failed >> Status Details : username or password is wrong >> Friendly Name : WorkCenter >> Server Name : 192.168.255.12 >> Path : scans >> Protocol : SMB >> Filing Policy : CHANGENAME >> Document Name : 1On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote: > lanman should always be disabled. use "testparm -v" to make sure the > settings are applied as you expect. With different samba versions, the > defaults may change. > > I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could > be wrong. NTLMv2 is stronger. And I think clients will > negotiate the strongest common protocol. If you are in a small > network where you can see what is getting added, and you are using > ethernet switches (not ethernet hubs) to minimize packet capture, you > should be OK. (unless you are designing the next stealth > fighter.) Best practices would dictate NTLMv2 if possible. > > > I would try disabling lanman, leaving ntlm enabled and see if the xerox > works. If I disable (as I did), then the scanner won't save to smb. So, I am stuck with it.