Jeremy Allison
2022-Feb-08 05:13 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Tue, Feb 08, 2022 at 06:04:01PM +1300, Andrew Bartlett via samba wrote:
> On Mon, 2022-02-07 at 18:38 +0100, Ralph Boehme via samba wrote:
>> On 1/26/22 04:50, Andrew Bartlett via samba wrote:
>> > What do folks think?
>>
>> I would vote for removing it and if people still require it to work with
>> old shit they can just continue using the latest Samba version that
>> supports it.
>
> Thanks!

Yes, to be honest I'm more leaning on supporting Ralph now than trying to split hairs :-).

If people want LANMAN auth they can just keep running the last version that supports it. It's not like they're worried about security anyway :-) :-).

Patrick Goetz
2022-Feb-08 20:35 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 2/7/22 23:13, Jeremy Allison via samba wrote:
> On Tue, Feb 08, 2022 at 06:04:01PM +1300, Andrew Bartlett via samba wrote:
>> On Mon, 2022-02-07 at 18:38 +0100, Ralph Boehme via samba wrote:
>>> On 1/26/22 04:50, Andrew Bartlett via samba wrote:
>>> > What do folks think?
>>>
>>> I would vote for removing it and if people still require it to work with
>>> old shit they can just continue using the latest Samba version that
>>> supports it.
>>
>> Thanks!
>
> Yes, to be honest I'm more leaning on supporting Ralph
> now than trying to split hairs :-).
>
> If people want LANMAN auth they can just keep running
> the last version that supports it. It's not like they're
> worried about security anyway :-) :-).
>

Or more likely they're running it in a completely isolated (or DMZ gatewayed) environment with equipment that can't be upgraded (e.g. instrumentation control PC's running old versions of Windows which can't be upgraded).

That's what we do; there's no good alternative unless your user has, for example, a million dollars to shell out for a new machine with new PCs, and even then. We just got a new 1.5 million dollar microscope and the control PC is running Windows 2012. \o/

Andrew Bartlett
2022-Feb-08 22:14 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Mon, 2022-02-07 at 21:13 -0800, Jeremy Allison via samba-technical wrote:
> On Tue, Feb 08, 2022 at 06:04:01PM +1300, Andrew Bartlett via samba wrote:
> > On Mon, 2022-02-07 at 18:38 +0100, Ralph Boehme via samba wrote:
> > > On 1/26/22 04:50, Andrew Bartlett via samba wrote:
> > > > What do folks think?
> > >
> > > I would vote for removing it and if people still require it to work with
> > > old shit they can just continue using the latest Samba version that
> > > supports it.
> >
> > Thanks!
>
> Yes, to be honest I'm more leaning on supporting Ralph
> now than trying to split hairs :-).

Thanks!

> If people want LANMAN auth they can just keep running
> the last version that supports it. It's not like they're
> worried about security anyway :-) :-).

One other benefit is that I have often seen this turned on by folks where things broke (particularly when we moved to NTLMv2 only by default) and they just turned everything on, and then left it that way.

This change would therefore secure those sites.

Björn, after reading the discussion here is your position still that we need to retain LanMan authentication for DOS, OS/2, Win3.11 and Win9X?

I would like to take a crack at the patch but it makes more sense to know your position up-front to avoid misdirected effort.

Thanks,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions