Björn JACKE
2022-Feb-07 17:06 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 2022-01-27 at 07:00 +1300 Andrew Bartlett via samba-technical sent off:> No, you got my meaning perfectly. Even for Win9X there is, from > memory, some strange update to make it do 'raw NTLMv2', instead of LM. > > I really think we should be able to ditch this, ideally across the > codebase but certainly in the AD DC, in 2022.okay, with the AD DC I agree, I think we can remove it there. For local SAM's users I would vote to keep LM hashes supported until we ditch SMB1 anyway in the not so far future. There are really still people relying on this. Bj?rn -- SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen phone: 0551-370000-0, mail: kontakt at sernet.de Gesch.F.: Dr. Johannes Loxen & Reinhild Jung AG G?ttingen: HR-B 2816 - https://samba.plus/
Jeremy Allison
2022-Feb-07 17:17 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Mon, Feb 07, 2022 at 06:06:34PM +0100, Bj?rn JACKE wrote:>On 2022-01-27 at 07:00 +1300 Andrew Bartlett via samba-technical sent off: >> No, you got my meaning perfectly. Even for Win9X there is, from >> memory, some strange update to make it do 'raw NTLMv2', instead of LM. >> >> I really think we should be able to ditch this, ideally across the >> codebase but certainly in the AD DC, in 2022. > >okay, with the AD DC I agree, I think we can remove it there. > >For local SAM's users I would vote to keep LM hashes supported until we ditch >SMB1 anyway in the not so far future. There are really still people relying on >this.Only if this is easy to do in refactoring. If it's going to be hard to keep them, I vote to remove them and ask such users to go to guest authentication. At this point there's no difference in security between LM hashes and guest authentication.