On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
>Hello you all,
>Microsoft is still trying to fix the PrintNightmare bugs. And after
>the latest patch day we see lots of NTLMv2 auths on our printserver.
>And _only_ on our printserver and not on any other member servers.
>
>It is not that Kerberos does not work. I can ssh into that machine
>using Kerberos, I can connect with smbclient with Kerberos. Also the
>logs are really spammed with those messages. And it all started after
>we released the last patchday updates from MS.
>This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had
>the same problem on 4.14.7. smb.conf is below.
>Everything seems to work as expected. It just is the number of NTLMv2
>auths that made me look at this more closely.

NTLM auths can happen when a machine isn't using name-based lookups (i.e. not using DNS names). Kerberos requires name-based lookups in order to get tickets. That's usually the cause of NTLM.

On 19.10.21 at 19:10, Jeremy Allison via samba wrote:
> On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
>> Hello you all,
>> Microsoft is still trying to fix the PrintNightmare bugs. And after
>> the latest patch day we see lots of NTLMv2 auths on our printserver.
>> And _only_ on our printserver and not on any other member servers.
>>
>> It is not that Kerberos does not work. I can ssh into that machine
>> using Kerberos, I can connect with smbclient with Kerberos. Also the
>> logs are really spammed with those messages. And it all started after
>> we released the last patchday updates from MS.
>> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had
>> the same problem on 4.14.7. smb.conf is below.
>> Everything seems to work as expected. It just is the number of NTLMv2
>> auths that made me look at this more closely.
>
> NTLM auths can happen when a machine isn't using name-based
> lookups (i.e. not using DNS names). Kerberos requires name-based
> lookups in order to get tickets. That's usually the cause of
> NTLM.

Good hint. I'll check if somebody altered the GPO in this regard. However, could it also be that the MS patch changed something there (like talking the IP instead of a name?)

Regards

Christian

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen

On 10/19/21 12:10, Jeremy Allison via samba wrote:
> On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
>> Hello you all,
>> Microsoft is still trying to fix the PrintNightmare bugs. And after
>> the latest patch day we see lots of NTLMv2 auths on our printserver.
>> And _only_ on our printserver and not on any other member servers.
>>
>> It is not that Kerberos does not work. I can ssh into that machine
>> using Kerberos, I can connect with smbclient with Kerberos. Also the
>> logs are really spammed with those messages. And it all started after
>> we released the last patchday updates from MS.
>> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had
>> the same problem on 4.14.7. smb.conf is below.
>> Everything seems to work as expected. It just is the number of NTLMv2
>> auths that made me look at this more closely.
>
> NTLM auths can happen when a machine isn't using name-based
> lookups (i.e. not using DNS names). Kerberos requires name-based
> lookups in order to get tickets. That's usually the cause of
> NTLM.
>

That comment confused me. Are you saying that Windows authentication will automatically drop down to NTLMv2 if DNS isn't configured properly?