Jeremy Allison
2022-Jan-26 16:55 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba wrote:
> On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
>> My feeling is that for the Win9X and OS/2 irreplaceable industrial
>> equipment case, that guest authentication would suffice, combined with
>> 'force user' and 'hosts allow' for 'security'.
>>
>> What do folks think?
>
> my gut feeling is that many users will be very unhappy with such a change. I
> know many setups where the clients say that ntlm auth is still required for
> them and where guest auth would not be an option. Even on AD DCs sometimes. For
> sure on member servers.

Correct me if I'm wrong Andrew, but I think Andrew is not thinking about removing NTLM, but only the storage of LM password hashes.

From the "lanman auth" section of the man page:

    This parameter has been deprecated since Samba 4.11 and support for LanMan
    (as distinct from NTLM, NTLMv2 or Kerberos authentication) will be removed
    in a future Samba release.

Removing the LM password hashes gets a hearty thumbs-up from me :-).

But I may be misreading the original message. Sorry if I'm just adding to the confusion :-).
Rowland Penny
2022-Jan-26 17:03 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, 2022-01-26 at 08:55 -0800, Jeremy Allison via samba-technical wrote:
> On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba wrote:
>> On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
>>> My feeling is that for the Win9X and OS/2 irreplaceable industrial
>>> equipment case, that guest authentication would suffice, combined with
>>> 'force user' and 'hosts allow' for 'security'.
>>>
>>> What do folks think?
>>
>> my gut feeling is that many users will be very unhappy with such a change. I
>> know many setups where the clients say that ntlm auth is still required for
>> them and where guest auth would not be an option. Even on AD DCs sometimes. For
>> sure on member servers.
>
> Correct me if I'm wrong Andrew, but I think Andrew is not
> thinking about removing NTLM, but only the storage of
> LM password hashes.
>
> From the "lanman auth" section of the man page:
>
> This parameter has been deprecated since Samba 4.11 and
> support for LanMan (as distinct from NTLM, NTLMv2 or Kerberos
> authentication) will be removed in a future Samba release.
>
> Removing the LM password hashes gets a hearty thumbs-up
> from me :-).
>
> But I may be misreading the original message. Sorry
> if I'm just adding to the confusion :-).

I must be confused as well then, because that is exactly how I read it, just remove the hashes :-)

Rowland
Andrew Bartlett
2022-Jan-26 18:00 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Wed, 2022-01-26 at 08:55 -0800, Jeremy Allison via samba wrote:
> On Wed, Jan 26, 2022 at 12:50:58PM +0100, Björn JACKE via samba wrote:
>> On 2022-01-26 at 16:50 +1300 Andrew Bartlett via samba sent off:
>>> My feeling is that for the Win9X and OS/2 irreplaceable industrial
>>> equipment case, that guest authentication would suffice, combined with
>>> 'force user' and 'hosts allow' for 'security'.
>>>
>>> What do folks think?
>>
>> my gut feeling is that many users will be very unhappy with such a change. I
>> know many setups where the clients say that ntlm auth is still required for
>> them and where guest auth would not be an option. Even on AD DCs sometimes. For
>> sure on member servers.
>
> Correct me if I'm wrong Andrew, but I think Andrew is not
> thinking about removing NTLM, but only the storage of
> LM password hashes.
>
> From the "lanman auth" section of the man page:
>
> This parameter has been deprecated since Samba 4.11 and
> support for LanMan (as distinct from NTLM, NTLMv2 or Kerberos
> authentication) will be removed in a future Samba release.
>
> Removing the LM password hashes gets a hearty thumbs-up
> from me :-).

That's exactly what I mean.

> But I may be misreading the original message. Sorry
> if I'm just adding to the confusion :-).

No, you got my meaning perfectly. Even for Win9X there is, from memory, some strange update to make it do 'raw NTLMv2', instead of LM.

I really think we should be able to ditch this, ideally across the codebase but certainly in the AD DC, in 2022.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Björn JACKE
2022-Feb-07 17:06 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 2022-01-27 at 07:00 +1300 Andrew Bartlett via samba-technical sent off:
> No, you got my meaning perfectly. Even for Win9X there is, from
> memory, some strange update to make it do 'raw NTLMv2', instead of LM.
>
> I really think we should be able to ditch this, ideally across the
> codebase but certainly in the AD DC, in 2022.

Okay, with the AD DC I agree, I think we can remove it there. For local SAM users I would vote to keep LM hashes supported until we ditch SMB1 anyway in the not-so-far future. There are really still people relying on this.

Björn

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: 0551-370000-0, mail: kontakt at sernet.de
Gesch.F.: Dr. Johannes Loxen & Reinhild Jung
AG Göttingen: HR-B 2816 - https://samba.plus/
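The thread turns on two smb.conf knobs: the deprecated `lanman auth` (and the LM hashes it causes to be stored) and the guest-plus-`force user`-plus-`hosts allow` pattern Andrew proposes for legacy Win9X/OS/2 gear. The script below is an added example, written for this page and not part of the thread or of the Samba project; it parses a constructed smb.conf, reports the legacy authentication settings that are weaker than the smb.conf(5) defaults, and flags guest shares that lack the two pinning parameters. The parameter names, boolean synonyms and defaults are taken from smb.conf(5); the two configurations embedded at the bottom (a weak member server and a hardened one) are invented for illustration, as are the share and host names in them.

```python
"""Audit an smb.conf for the legacy LanMan/NTLMv1 settings discussed in the thread.

Added example, not Samba project code. Parameter names, synonyms and defaults
follow smb.conf(5); the two configurations at the bottom are constructed.
"""
import re
from typing import Dict, List

SmbConf = Dict[str, Dict[str, str]]

# smb.conf(5) defaults (Samba 4.x) for the parameters audited here.
DEFAULTS = {
    "lanmanauth": "no",            # deprecated since 4.11
    "ntlmauth": "ntlmv2-only",     # 'yes' re-enables NTLMv1
    "clientlanmanauth": "no",
    "clientntlmv2auth": "yes",
}


def norm(name: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value: str) -> bool:
    """Boolean synonyms accepted by smb.conf; any other value counts as 'no'."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> SmbConf:
    """Minimal smb.conf parser: [section] headers, key = value, '#'/';' comments."""
    conf: SmbConf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][norm(key)] = value.strip()
    return conf


def audit(conf: SmbConf) -> List[str]:
    """One finding per setting that is weaker than the default, plus unpinned guest shares."""
    g = conf.get("global", {})

    def setting(key: str) -> str:
        return g.get(key, DEFAULTS[key])

    findings: List[str] = []
    if as_bool(setting("lanmanauth")):
        findings.append("lanman auth = yes: LM responses accepted and LM hashes kept "
                        "(deprecated since Samba 4.11)")
    if as_bool(setting("ntlmauth")):
        findings.append("ntlm auth = yes: NTLMv1 accepted (default is ntlmv2-only)")
    if as_bool(setting("clientlanmanauth")):
        findings.append("client lanman auth = yes: Samba's own clients send LM responses")
    if not as_bool(setting("clientntlmv2auth")):
        findings.append("client ntlmv2 auth = no: Samba's own clients fall back to NTLMv1")

    # Guest access for legacy equipment is only tolerable when pinned down with
    # 'force user' (share-level) and 'hosts allow' (share- or global-level).
    for name, share in conf.items():
        if name == "global":
            continue
        if not as_bool(share.get("guestok", share.get("public", "no"))):
            continue
        if "forceuser" not in share:
            findings.append(f"[{name}]: guest ok without 'force user'")
        if "hostsallow" not in share and "hostsallow" not in g:
            findings.append(f"[{name}]: guest ok without 'hosts allow'")
    return findings


# Constructed example: a member server still carrying LanMan-era settings.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   lanman auth = yes
   ntlm auth = yes
   client lanman auth = yes

[plcdata]
   path = /srv/plc
   guest ok = yes
"""

# Constructed example: LM dropped, legacy gear served through a pinned guest share.
HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user
   lanman auth = no
   ntlm auth = ntlmv2-only
   client lanman auth = no
   map to guest = Bad User

[plcdata]
   path = /srv/plc
   guest ok = yes
   force user = plcguest
   hosts allow = 10.20.30.0/24
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in audit(parse_smb_conf(text)) or ["no legacy-auth findings"]:
            print("  -", finding)
```

Run it against a real file with `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the parser deliberately ignores `include =` and `%`-macro expansion, so for anything beyond a flat smb.conf feed it the output of `testparm -s` instead.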