
Re: [Samba] How to disable NTLM authentication on Samba




I used to run classic Samba. Since classic Samba does not include its own LDAP or Kerberos servers, those were separate components on the server. No reason to run sssd on any server. Linux clients used sssd to authenticate to Kerberos. I migrated to an AD domain, but at that point there wasn't any reason to try to bypass sssd, and sssd does allow for credential caching on Linux clients, so it is pretty useful. But at no point is sssd used to provide authentication to Windows clients, nor do I run sssd on Samba servers.





On 10/10/18 16:19, Rowland Penny via samba wrote:
On Wed, 10 Oct 2018 16:07:24 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

How would samba forward any requests on to any other service?
You can have sssd set up on a server if you also need to support
things like ssh, sftp, and nfs but that is separate from samba's
"Windows" services.

Or do you mean it forwards NTLM requests to a different server?


Disabling NTLM altogether would be a useful feature if you are trying
to minimize the attack surface.

smbd used to be able to do authentication, it now passes this to
winbind.

You should not run winbind with sssd because it has its own winbind
lib. So, if you are using sssd, you are not using winbind, so how can
it pass anything to sssd?

I do not understand why people run sssd with Samba, there is very
little that sssd can do, that winbind cannot.

As I said, if you run sssd and are having problems, ask the sssd-users
mailing list first.

Rowland


