Hi,

Please keep mailing it to the list; this way it shows up for others also.
A workaround for disabling SMBv1: you can make your server less secure, but that's not what I would do.

Set these to enable NTLMv1 again:

lanman auth = yes
ntlm auth = yes
raw NTLMv2 auth = yes

I think this is also more a question for the FreeRADIUS list, but I would go for an LDAP(S) setup.
Just don't mix up these two: start_tls and tls_mode. To connect to port 636 on a Samba AD DC, you need:
start_tls = no and tls_mode = yes

My preferred auth order, if the app allows it:
kerberos
ldap(s)
ntlm as last resort.

Best regards,

Louis

From: Arnab Roy [mailto:arniekol at gmail.com]
Sent: Thursday 8 June 2017 15:07
To: L.P.H. van Belle
Subject: Re: [Samba] ntlm_auth and SMBv2/v3

Are there any plans for finding a workaround for this, as there is a tremendous amount of security paranoia related to SMBv1 now...

On 8 Jun 2017 13:54, "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arnab Roy via samba
> > Sent: Thursday 8 June 2017 14:23
> > To: samba at lists.samba.org
> > Subject: [Samba] ntlm_auth and SMBv2/v3
> >
> > Hi,
> >
> > I just need some clarification;
> >
> > We currently use ntlm_auth + winbind for AD auth on FreeRADIUS. Will disabling SMBv1 break authentication for ntlm_auth + FreeRADIUS?
> >
> > Many Thanks
> > Arnab
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> Yes
Hi Louis,

FreeRADIUS needs to check the MS-CHAP hash via AD. I raised this already, and it would appear the way forward would be for ntlm_auth to natively support NTLMv2, which will then resolve this issue for good. I will post this in the dev thread and see what they have to say.

Thanks again for your help.

Arnab

On Thu, Jun 8, 2017 at 2:30 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> A workaround for disabling SMBv1: you can make your server less secure, but that's not what I would do.
>
> Set these to enable NTLMv1 again:
>
> lanman auth = yes
> ntlm auth = yes
> raw NTLMv2 auth = yes
>
> My preferred auth order, if the app allows it:
> kerberos
> ldap(s)
> ntlm as last resort.
On Thu, 2017-06-08 at 15:30 +0200, L.P.H. van Belle via samba wrote:
> Hi,
>
> Please keep mailing it to the list; this way it shows up for others also.
> A workaround for disabling SMBv1: you can make your server less secure, but that's not what I would do.
>
> Set these to enable NTLMv1 again:
>
> lanman auth = yes

NEVER set this.

> ntlm auth = yes

This enables NTLMv1. To be clear, this isn't related to SMBv1. This is the only change required to re-enable MSCHAPv2. I plan to create a "ntlm auth = mschapv2-only" option (indeed I have been given such a patch) but I need to finish the test.

> raw NTLMv2 auth = yes

This only applies to NTLMv2 on SMBv1, and should also NEVER be set for modern networks.

I'm mentioning this because Samba folklore grows so quickly, and folks rapidly paste in whatever setting they find, even if they reduce security dramatically.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Hi Andrew,

That is fantastic news. I am running 4.5.10. So just to be clear, I just need

ntlm auth = yes

in smb.conf and all should continue to work?

Many thanks for the clarification.

Arnab

On 8 Jun 2017 20:36, "Andrew Bartlett" <abartlet at samba.org> wrote:
> > ntlm auth = yes
>
> This enables NTLMv1. To be clear, this isn't related to SMBv1. This is the only change required to re-enable MSCHAPv2. I plan to create a "ntlm auth = mschapv2-only" option (indeed I have been given such a patch) but I need to finish the test.
Hello Andrew,

Do you plan to release the patch for the "ntlm auth = mschapv2-only" option soon? We need this in order to use FreeRADIUS in a "safer" scenario than with "ntlm auth = yes".

Best regards,

Lulzim KELMENI
Direction des Systèmes d'Information
Mairie de Saint-Ouen

On 08/06/2017 21:36, Andrew Bartlett via samba wrote:
> > ntlm auth = yes
>
> This enables NTLMv1. To be clear, this isn't related to SMBv1. This is the only change required to re-enable MSCHAPv2. I plan to create a "ntlm auth = mschapv2-only" option (indeed I have been given such a patch) but I need to finish the test.