Patrick Goetz
2022-Feb-08 20:35 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On 2/7/22 23:13, Jeremy Allison via samba wrote:> On Tue, Feb 08, 2022 at 06:04:01PM +1300, Andrew Bartlett via samba wrote: >> On Mon, 2022-02-07 at 18:38 +0100, Ralph Boehme via samba wrote: >>> On 1/26/22 04:50, Andrew Bartlett via samba wrote: >>> > What do folks think? >>> >>> I would vote for removing it and if people still require it to work >>> with >>> old shit they can just continue using the latest Samba version that >>> supports it. >> >> Thanks! > > Yes, to be honest I'm more leaning on supporting Ralph > now than trying to split hairs :-). > > If people want LANMAN auth they can just keep running > the last version that supports it. It's not like they're > worried about security anyway :-) :-). >Or more likely they're running it in a completely isolated (or DMZ gatewayed) environment with equipment that can't be upgraded (e.g. instrumentation control PC's running old versions of Windows which can't be upgraded). That's what we do; there's no good alternative unless your user has, for example, a million dollars to shell out for a new machine with new PCs, and even then. We just got a new 1.5 million dollar microscope and the control PC is running Windows 2012. \o/
Rowland Penny
2022-Feb-08 20:48 UTC
[Samba] Remove LanMan auth from the AD DC and possibly file server?
On Tue, 2022-02-08 at 14:35 -0600, Patrick Goetz via samba wrote:> > On 2/7/22 23:13, Jeremy Allison via samba wrote: > > On Tue, Feb 08, 2022 at 06:04:01PM +1300, Andrew Bartlett via samba > > wrote: > > > On Mon, 2022-02-07 at 18:38 +0100, Ralph Boehme via samba wrote: > > > > On 1/26/22 04:50, Andrew Bartlett via samba wrote: > > > > > What do folks think? > > > > > > > > I would vote for removing it and if people still require it to > > > > work > > > > with > > > > old shit they can just continue using the latest Samba version > > > > that > > > > supports it. > > > > > > Thanks! > > > > Yes, to be honest I'm more leaning on supporting Ralph > > now than trying to split hairs :-). > > > > If people want LANMAN auth they can just keep running > > the last version that supports it. It's not like they're > > worried about security anyway :-) :-). > > > > Or more likely they're running it in a completely isolated (or DMZ > gatewayed) environment with equipment that can't be upgraded (e.g. > instrumentation control PC's running old versions of Windows which > can't > be upgraded). That's what we do; there's no good alternative unless > your user has, for example, a million dollars to shell out for a new > machine with new PCs, and even then. We just got a new 1.5 million > dollar microscope and the control PC is running Windows 2012. \o/If you are paying 1.5 million dollars for something that contains a PC, then it should have been part of the contract that the OS was the latest version. Rowland