> On 10/02/17 17:16, ToddAndMargo via samba wrote:
>> Hi All,
>>
>> Server:
>> Fedora 26
>> samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>> XP Pro SP3
>>
>> I set all five of my customer XP workstations to
>>
>> Send NTLMv2 response only\refuse LM and NTLM
>>
>> and turned off (smb.conf)
>>
>> lanman auth = yes
>> ntlm auth = yes
>>
>> And had to turn it right back on as the customer's
>> Xerox Workcentre 3550 multifunction printer scanner
>> requires it.
>>
>> What are the security ramifications to Samba?
>>
>> Many thanks,
>> -T
>> Tony Ewell, B.S.E.E.
>> Owner, Rent-A-Nerd Computer Services
>> 775-265-5150, 9:00 am to 5:00 pm PST/PDT
>>
>> Error from the scanner:
>>
>> Destination 1 : Status....Failed
>> Status Details : username or password is wrong
>> Friendly Name : WorkCenter
>> Server Name : 192.168.255.12
>> Path : scans
>> Protocol : SMB
>> Filing Policy : CHANGENAME
>> Document Name : 1

On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote:
> lanman should always be disabled. Use "testparm -v" to make sure the
> settings are applied as you expect. With different samba versions, the
> defaults may change.
>
> I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could
> be wrong. NTLMv2 is stronger. And I think clients will
> negotiate the strongest common protocol. If you are in a small
> network where you can see what is getting added, and you are using
> ethernet switches (not ethernet hubs) to minimize packet capture, you
> should be OK (unless you are designing the next stealth
> fighter). Best practices would dictate NTLMv2 if possible.
>
> I would try disabling lanman, leaving ntlm enabled and see if the xerox
> works.

If I disable (as I did), then the scanner won't save to smb. So, I am stuck with it.
How old is the scanner? Did you check for a firmware update for it? NTLM has been around for so long that it is hard to imagine anything that has to have LANMAN support.

On 10/02/17 19:08, ToddAndMargo via samba wrote:
> If I disable (as I did), then the scanner won't save to smb.
> So, I am stuck with it.
On 10/03/2017 05:57 AM, Gaiseric Vandal via samba wrote:
> How old is the scanner? Did you check for a firmware update for
> it? NTLM has been around for so long that it is hard to imagine
> anything that has to have LANMAN support.

I called Xerox tech support and their answer was it was out of support. It is probably seven years old. It was an expensive scanner, not one of those newfangled fall-apart-in-two-years scanners. It is working very well still. I cannot see the scanner catching WannaCry. My main concern was the ramifications to Samba of leaving Lanman activated.
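An added example, not code from the thread or from the Samba project: a POSIX shell audit that reads the output of `testparm -v -s` (the check Gaiseric recommended) and reports when `lanman auth` or `ntlm auth` is still enabled, which is the state Todd is asking about; on Samba 4.6 `ntlm auth = no` still accepts NTLMv2 while refusing LM and NTLMv1, so the hardened sample corresponds to the "NTLMv2 only" setting the XP clients were given. The function name `audit_auth` and the two samples of testparm output are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the effective Samba auth
# settings as printed by "testparm -v -s" (Gaiseric's suggestion).
# The two samples below are constructed stand-ins for real output.

# Constructed: the thread's server with the weak settings left on
# (LM and NTLMv1 responses are accepted alongside NTLMv2).
SAMPLE_WEAK='[global]
	lanman auth = Yes
	ntlm auth = Yes
	client lanman auth = No
	server min protocol = NT1'

# Constructed: the hardened state the XP clients were configured for
# (NTLMv2 only). On Samba 4.6 "ntlm auth = No" still permits NTLMv2.
SAMPLE_HARDENED='[global]
	lanman auth = No
	ntlm auth = No
	client lanman auth = No'

# audit_auth: read testparm output from stdin, print a finding for each
# weak setting and return 1 if any is enabled, 0 if the server is clean.
audit_auth() {
    rc=0
    while IFS= read -r line; do
        # Normalise "  key = Value" into "key=Value" for a plain case match.
        kv=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/')
        case "$kv" in
            "lanman auth=Yes"|"lanman auth=yes"|"lanman auth=true")
                echo "WEAK: lanman auth = yes: LM challenge/response accepted; LM responses are trivially crackable from a capture (set 'lanman auth = no')"
                rc=1 ;;
            "ntlm auth=Yes"|"ntlm auth=yes"|"ntlm auth=true")
                echo "WEAK: ntlm auth = yes: NTLMv1 accepted; NTLMv1 responses can be cracked offline from a capture (set 'ntlm auth = no' to allow NTLMv2 only)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run over the constructed samples. On a live server use:
#   testparm -v -s 2>/dev/null | audit_auth
printf '%s\n' "$SAMPLE_WEAK" | audit_auth || echo "weak server: fix smb.conf and rerun testparm"
printf '%s\n' "$SAMPLE_HARDENED" | audit_auth && echo "hardened server: no LM or NTLMv1 accepted"
```

Any device that fails after the change, like the WorkCentre in this thread, is the one still depending on LM or NTLMv1, so the audit tells you what the server accepts while the device's error tells you which legacy method it needs.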