Am 19.10.21 um 19:10 schrieb Jeremy Allison via samba:> On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote: >> Hello you all, >> Microsoft is still trying to fix the PrintNightmare bugs. And after >> the latest patch day we see lots of NTLMv2 auths on our printserver. >> And _only_ on our printserver and not on any other member servers. >> >> It is not that Kerberos does not work. I can ssh into that machine >> using Kerberos I can connect with smbclient with kerberos. Also the >> logs are really spammed with those messages. And it all started after >> we released the last patchday updates from MS. >> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had >> the same Problem on 4.14.7. smb.conf is below. >> Everything seems to work as expected. It just is the number of NTLMv2 >> auths that made me look at this more closely. > > NTLM auths can happen when a machine isn't using name-based > lookups (i.e. not using DNS names). Kerberos requires name-based > lookups in order to get tickets. That's usually the cause of > NTLM.Good hint. I'll check if somebody altered the GPO with this regard. However, could it also be that the MS patch changed something there (like talking the IP instead of a name?) Regards Christian -- Dr. Christian Naumer Vice President Unit Head Bioprocess Development BRAIN Biotech AG Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.com, homepage www.brain-biotech.com phone +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Adriaan Moelker (Vorstandsvorsitzender), Lukas Linnig Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
On Tue, Oct 19, 2021 at 07:13:03PM +0200, cn--- via samba wrote:>Am 19.10.21 um 19:10 schrieb Jeremy Allison via samba: >>On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote: >>>Hello you all, >>>Microsoft is still trying to fix the PrintNightmare bugs. And >>>after the latest patch day we see lots of NTLMv2 auths on our >>>printserver. And _only_ on our printserver and not on any other >>>member servers. >>> >>>It is not that Kerberos does not work. I can ssh into that machine >>>using Kerberos I can connect with smbclient with kerberos. Also >>>the logs are really spammed with those messages. And it all >>>started after we released the last patchday updates from MS. >>>This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also >>>had the same Problem on 4.14.7. smb.conf is below. >>>Everything seems to work as expected. It just is the number of >>>NTLMv2 auths that made me look at this more closely. >> >>NTLM auths can happen when a machine isn't using name-based >>lookups (i.e. not using DNS names). Kerberos requires name-based >>lookups in order to get tickets. That's usually the cause of >>NTLM. > >Good hint. I'll check if somebody altered the GPO with this regard. >However, could it also be that the MS patch changed something there >(like talking the IP instead of a name?)That is *extremely* unlikely. Many organizations ban the use of NTLM and require kerberos, so that would get Windows de-certified in many places. So no, I doubt that very much :-).