Web lists-archives.com

Re: [Samba] How to disable NTLM authentication on Samba




On Thu, 11 Oct 2018 17:14:27 -0400
Gaiseric Vandal via samba <samba@xxxxxxxxxxxxxxx> wrote:

> How is your sssd settup (sssd.conf) configured?
> 
> 
> When someone connects via samba, the underlying linux/unix file
> system routines need to have some what of understanding the windows
> users and groups.   This isn't for authentication  but is instead to
> make sure that the file permissions can be managed and enforced.
> 
> My experience - at least when I had classic domain Samba
> controllers- was that the domain controllers did not need winbind
> added to nsswitch.conf but the  member servers did.   If  "getent
> password" was not showing "MYDOMAIN\someuser" then I would likely
> have problems.
> 
> 
> 
> 
> 
> if nsswitch.conf is configured to use sssd, and sssd is configured to 
> retrieve account info from the domain server (either via windows or
> ldap ) then I would think that "getent passwd" should be listing
> users.
> 

The OP asked how to disable NTLM on Samba, this isn't their problem.
Samba is reacting to NTLM requests not originating them, so how can
you stop something on Samba that isn't being started on Samba ?

As the OP is using sssd, it is feasible that one part of sssd is
receiving the clients requests, then passing them to smbd, which
then asks its authentication backend (normally winbind, but, in this
case, another part of sssd), it is here that it fails. 

Two things to consider, sssd isn't a Samba package, so we are not
sssd experts in any way and the problem isn't originating in sssd or
Samba.
The problem starts on the Windows clients, it is here that NTLM
authentication needs to be disabled, not in Samba or sssd.

Can I also point out that this isn't the place to discuss sssd
problems, if you think you have a problem and sssd is being used, then
you should start with the sssd-users mailing list. They are the sssd
experts, they either write the code or use it extensively.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba