On 05.10.20 11:26, Rowland penny via samba wrote:> Stop me if I am wrong, but, from memory (long time since I saw a win95 > machine), win9x never used kerberos, it only used lanman auth, so > changes to kerberos shouldn't affect you. If it worked on 4.11.x, it > should work on 4.12.xYou can install an optional Active Directory Service Client for win9x, but that only replaces lanman with NTLMv2, Kerberos is explicitly not supported. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20201005/789f9498/signature.sig>
Thank you for clarification. So NTLM authentication (SMBv1) is still running (and supported), even in 4.13 and (near) future versions? Maybe our machines will die before Samba team finally end the SMBv1 support, but I don't believe that much:) Can I have one additional question? When I deactivate NTLMv1 on DCs (or new version of Samba removes it), but I leave it enabled on fileserver with older Samba/Windows, will be win95-like NTLMv1 client able to connect to that fileserver? Thank you very much. Jiri>>> Sven Schwedas <sven.schwedas at tao.at> 5.10.2020 11:38 >>>On 05.10.20 11:26, Rowland penny via samba wrote:> Stop me if I am wrong, but, from memory (long time since I saw a win95 > machine), win9x never used kerberos, it only used lanman auth, so > changes to kerberos shouldn't affect you. If it worked on 4.11.x, it > should work on 4.12.xYou can install an optional Active Directory Service Client for win9x, but that only replaces lanman with NTLMv2, Kerberos is explicitly not supported.
On 05/10/2020 14:06, Ji?? ?ern? via samba wrote:> Thank you for clarification. > So NTLM authentication (SMBv1) is still running (and supported), even in 4.13 and (near) future versions? > Maybe our machines will die before Samba team finally end the SMBv1 support, but I don't believe that much:)SMBv1 was turned off by default in Samba 4.11.0 but is still available, 4.13.0 went further, a bunch of the require SMBv1 parameters were deprecated and could be removed at the next release (but probably wont be). The removal of SMBv1 has begun.> > Can I have one additional question? > When I deactivate NTLMv1 on DCs (or new version of Samba removes it), but I leave it enabled on fileserver with older Samba/Windows, will be win95-like NTLMv1 client able to connect to that fileserver?Not entirely sure, in AD, authentication is carried out by the DC's, so the fileserver would have to authenticate the client via a DC, so it might work, but then again it might not, you have to try it. A better idea would be to set up a small workgroup containing the win9X machines and a fileserver. Airgap the workgroup from your main domain and transfer files via USB drive, this way you can continue to use an older version of Samba with your win9X machines safely. Rowland
On 06/10/2020 13:20, Ji?? ?ern? wrote:> Thank you, Rowland, I really appreciate your answers. > > Recently we are using only these non-default options, which are, > according to > https://wiki.samba.org/index.php/Samba_4.13_Features_added/changed, > still usable: > ntlm auth = yes > server min protocol = LANMAN1 >Yes they are still usable, but eventually they will be removed. Samba is actively working on totally removing SMBv1 and, as you have seen in the link you posted, more SMBv1 parameters have been deprecated. Whilst it is highly unlikely that SMBv1 will be totally removed in 4.14.0, it will be removed before long. It may be that Microsoft will decide to remove it first, they have already stopped Windows 10 using it by default and if they remove it, it is game over, Without the main client, there is no point to Samba supporting SMBv1. ?Rowland