
Re: [Samba] "lanman auth" question




How old is the scanner? Did you check for a firmware update for it? NTLM has been around for so long that it is hard to imagine anything that has to have LANMAN support.

On 10/02/17 19:08, ToddAndMargo via samba wrote:
On 10/02/17 17:16, ToddAndMargo via samba wrote:
Hi All,

Server:
   Fedora 26
   samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
   XP Pro SP3


I set all five of my customer XP workstations to

Send NTLMv2 response only\refuse LM and NTLM

and turned off (smb.conf)

  lanman auth = yes
  ntlm auth = yes

And had to turn it right back on as the customer's
Xerox Workcentre 3550 multifunction printer scanner
requires it.

What are the security ramifications to Samba?

Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150,  9:00 am to 5:00 pm PST/PDT


Error from the scanner:

Destination 1      : Status....Failed
Status Details     : username or password is wrong
Friendly Name      : WorkCenter
Server Name        : 192.168.255.12
Path               : scans
Protocol           : SMB
Filing Policy      : CHANGENAME
Document Name      : 1

On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote:
> lanman should always be disabled. Use "testparm -v" to make sure the
> settings are applied as you expect. With different samba versions, the
> defaults may change.
>
> I don't think you can disable ntlmv1 but leave ntlmv2 enabled. I could
> be wrong. NTLMv2 is stronger. And I think clients will
> negotiate the strongest common protocol. If you are in a small
> network where you can see what is getting added, and you are using
> ethernet switches (not ethernet hubs) to minimize packet capture, you
> should be OK (unless you are designing the next stealth
> fighter). Best practices would dictate NTLMv2 if possible.
>
>
> I would try disabling lanman, leaving ntlm enabled and see if the Xerox
> works.

If I disable (as I did), then the scanner won't save to smb.
So, I am stuck with it.
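
The "testparm -v" check suggested in the thread can be scripted. The following is an added example, not part of the original messages: it reads testparm-style output and reports whether the server accepts LM or NTLMv1 responses. The sample text is constructed, the function names are hypothetical, and the enumerated `ntlm auth` value is the form newer Samba releases print in place of the yes/no used by the 4.6 series in this thread.

```python
import re
import sys

# Constructed sample in the style of `testparm -sv` output (not from the thread).
SAMPLE = """\
[global]
	lanman auth = Yes
	ntlm auth = ntlmv1-permitted

[scans]
	path = /srv/scans
"""

TRUE = {"yes", "true", "on", "1"}  # smb.conf boolean spellings for "enabled"

def global_params(text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip().lower()
    return params

def audit(text):
    """List findings for LM / NTLMv1 acceptance on the server side."""
    p, findings = global_params(text), []
    if p.get("lanmanauth") in TRUE:
        findings.append("lanman auth enabled: LM responses accepted")
    # Boolean on older releases, enumerated on newer ones
    if p.get("ntlmauth") in TRUE | {"ntlmv1-permitted"}:
        findings.append("ntlm auth permits NTLMv1 responses")
    return findings

if __name__ == "__main__":
    # Usage: testparm -sv 2>/dev/null | python3 this_script.py
    for finding in audit(sys.stdin.read()):
        print("WARN:", finding)
```

Feeding it the `-v` output rather than smb.conf itself matters because defaults are printed explicitly, so a setting that is absent from the file but enabled by the installed version's default is still reported.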



