Web lists-archives.com

Re: [Samba] How to disable NTLM authentication on Samba

 Whenever a client uses kerberos as authentication, it succeeds.
Whenever a client uses NTLM as authentication, it fails (logs bellow) since SSSD can't support NTLM. Thus my question: what can I do to prevent NTLM from being used??
[2018/10/09 17:49:29.507046,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)  check_ntlm_password:  Authentication for user [MYUSER] -> [MYUSER] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1[2018/10/09 17:49:29.507074,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)  Auth: [SMB2,(null)] user [MYDOMAIN]\[MYUSER] at [Tue, 09 Oct 2018 17:49:29.507062 -03] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [MACHINENAME] remote host [ipv4:] mapped to [MYDOMAIN]\[MYUSER]. local host [ipv4:]  
    Em quarta-feira, 10 de outubro de 2018 17:09:54 BRT, Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> escreveu:  
 How would samba forward any requests on to any other service ?       You 
can have sssd setup on a server if you also need to support things like 
ssh, sftp, and nfs but that is separate from samba's "Windows" services.

Or do you mean it forwards NTLM requests to a different server ?

Disabling NTLM altogether would be a useful feature if you are trying to 
minimize the attack surface.

On 10/10/18 15:52, Reinaldo Souza Gomes via samba wrote:
>  Forgive me if I have misundertood your words, but what I want is to prevent Samba from accepting NTLM(v1, v2, SSP, or whatever) and forwarding it, since SSSD does not support it. I am not trying to get SSSD to support any kind of NTLM. So, this would be a Samba issue, not SSSD's. Isn't that correct?
> Putting it in another words: what can I do (preferrably on the Samba server) to prevent windows clients from successfully sending NTLM authentication to my Samba server?    Em quarta-feira, 10 de outubro de 2018 16:29:28 BRT, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> escreveu:
>  On Wed, 10 Oct 2018 18:50:23 +0000 (UTC)
> Reinaldo Souza Gomes via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> How can I make sure that NTLM(SSP) will never be used??
>> I’ve set up Samba with SSSD and everything Works fine... except for a
>> few Windows machines which every now and then happen to send NTLM
>> authentication flags to the Samba server, which happily forwards
>> them. And then the authentication fails because SSSD doesn’t support
>> NTLM.
>> I’ve tried all sorts of parameters combination on smb.conf (including
>> "ntlm auth = disabled"), but I didn’t find a way to completely refuse
>> NTLM authentication on the Samba server, and force the client to use
>> another authentication method (kerberos).
> You will have to ask the sssd-users mailing list, you are not using
> Samba for authentication.
> sssd isn't a Samba product.
> Samba by default no longer uses NTLMv1
> Rowland

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba