On 10/19/21 12:10, Jeremy Allison via samba wrote:> On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote: >> Hello you all, >> Microsoft is still trying to fix the PrintNightmare bugs. And after >> the latest patch day we see lots of NTLMv2 auths on our printserver. >> And _only_ on our printserver and not on any other member servers. >> >> It is not that Kerberos does not work. I can ssh into that machine >> using Kerberos I can connect with smbclient with kerberos. Also the >> logs are really spammed with those messages. And it all started after >> we released the last patchday updates from MS. >> This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also had >> the same Problem on 4.14.7. smb.conf is below. >> Everything seems to work as expected. It just is the number of NTLMv2 >> auths that made me look at this more closely. > > NTLM auths can happen when a machine isn't using name-based > lookups (i.e. not using DNS names). Kerberos requires name-based > lookups in order to get tickets. That's usually the cause of > NTLM. >That comment confused me. Are you saying that Windows authentication will automatically drop down to NTLMv2 if DNS isn't configured properly?
On Tue, 2021-10-19 at 12:30 -0500, Patrick Goetz via samba wrote:> > > > That comment confused me. Are you saying that Windows > authentication > > will automatically drop down to NTLMv2 if DNS isn't configured > properly?Yes. So, so often. Andrew, -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba Samba Development and Support, Catalyst IT - Expert Open Source Solutions
On Tue, 2021-10-19 at 12:30 -0500, Patrick Goetz via samba wrote:> > On 10/19/21 12:10, Jeremy Allison via samba wrote: > > On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote: > > > Hello you all, > > > Microsoft is still trying to fix the PrintNightmare bugs. And > > > after > > > the latest patch day we see lots of NTLMv2 auths on our > > > printserver. > > > And _only_ on our printserver and not on any other member > > > servers. > > > > > > It is not that Kerberos does not work. I can ssh into that > > > machine > > > using Kerberos I can connect with smbclient with kerberos. Also > > > the > > > logs are really spammed with those messages. And it all started > > > after > > > we released the last patchday updates from MS. > > > This is on RockyLinux with Samba Version 4.14.8 from Sernet. Also > > > had > > > the same Problem on 4.14.7. smb.conf is below. > > > Everything seems to work as expected. It just is the number of > > > NTLMv2 > > > auths that made me look at this more closely. > > > > NTLM auths can happen when a machine isn't using name-based > > lookups (i.e. not using DNS names). Kerberos requires name-based > > lookups in order to get tickets. That's usually the cause of > > NTLM. > > > > That comment confused me. Are you saying that Windows > authentication > will automatically drop down to NTLMv2 if DNS isn't configured > properly? >Yes, if you read reddit, you will often find 'it was dns' when talking about AD problems. Rowland