Web lists-archives.com

Re: [Samba] How to disable NTLM authentication on Samba




How would samba forward any requests on to any other service ?       You can have sssd setup on a server if you also need to support things like ssh, sftp, and nfs but that is separate from samba's "Windows" services.

Or do you mean it forwards NTLM requests to a different server ?


Disabling NTLM altogether would be a useful feature if you are trying to minimize the attack surface.






On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
  Forgive me if I have misundertood your words, but what I want is to prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
Putting it in another words: what can I do (preferrably on the Samba server) to prevent windows clients from successfully sending NTLM authentication to my Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> escreveu:
On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
Reinaldo Souza Gomes via samba <samba@xxxxxxxxxxxxxxx> wrote:

How can I make sure that NTLM(SSP) will never be used??

I’ve set up Samba with SSSD and everything Works fine... except for a
few Windows machines which every now and then happen to send NTLM
authentication flags to the Samba server, which happily forwards
them. And then the authentication fails because SSSD doesn’t support
NTLM.

I’ve tried all sorts of parameters combination on smb.conf (including
"ntlm auth = disabled"), but I didn’t find a way to completely refuse
NTLM authentication on the Samba server, and force the client to use
another authentication method (kerberos).
You will have to ask the sssd-users mailing list, you are not using
Samba for authentication.

sssd isn't a Samba product.

Samba by default no longer uses NTLMv1

Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba