The Samba-Bugzilla – Bug 11923
Request to completely disable NTLM
Last modified: 2017-06-28 09:54:13 UTC
I found that there is no way to completely disable NTLM and NTLM V2 in samba4.
My purpose is to ensure that if someone brings their own workstation back to the office, they cannot connect to the samba4 server using their username and password.
On Windows, there is a Security Setting to do this (Local Policies -> Security Options -> Network Security: Restrict NTLM: Incoming NTLM Traffic).
I have confirmed with Jeremy Allison that such a configuration is not available at the moment.
So, may I request the Samba development team to add such a feature in the future? This is a very important security feature. Please consider.
This is planned for 4.5 or 4.6 in a similar way to Windows.
Completely untested, but "gensec:ntlmssp=no" together with "ntlm auth = no" in the [global] section of smb.conf may already provide something...
We might want to imply gensec:ntlmssp=no if ntlm auth = no is set.
I'll investigate !
(In reply to Jeremy Allison from comment #3)
No, "ntlm auth" just means NTLMv1 is disabled and we'll disable that by default
for 4.5. I've already started with the patches.
We really need "server ntlm blocked", "client ntlm blocked" or "client ntlm whitelist" options and implement them like the options on windows.
Well, people use "ntlm" as a generic catchall term for both v1 and v2. Maybe we need separate "ntlmv1" and "ntlmv2" parameters with "ntlmv1 = no" by default, and a generic "ntlm = no" disables both.
That seems logical to me, but I'm not wedded to the idea.
(In reply to Jeremy Allison from comment #5)
"ntlm auth" already exists (with a default of "yes") together with
"lanman auth" (with a default of "no").
Oh. That's horribly confusing :-). I don't think Microsoft use "lanman auth" anymore in their docs.
(In reply to Jeremy Allison from comment #7)
I do agree. I wish I had chosen better names when I was adding them a long time ago.
A useful way forward would be:
ntlm auth = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]
Disabled should kill both the SAMR password change (RC4 based) and the NTLM auth stack.
The alias of no -> ntlmv2-only is unfortunate, but is the best way out of this pickle.
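As an added example (not part of this bug thread and not Samba project code), the following Python checker parses the [global] section of an smb.conf and reports the effective NTLM posture using the option names discussed above: "ntlm auth" with the historical default of "yes", the "no" -> "ntlmv2-only" alias from the proposal, "lanman auth", and the "gensec:ntlmssp" parametric option. The parsing rules, the helper names (parse_smb_conf, normalize_ntlm_auth, assess) and the three sample configurations are constructed for illustration; the value names "ntlmv1-permitted", "mschapv2-and-ntlmv2-only" and "disabled" are taken as written in the proposal.

```python
"""Report the NTLM authentication posture of an smb.conf [global] section.

Added example for the discussion in this bug; not Samba's own code.
"""
import re

# Aliases for "ntlm auth" following the proposal in the thread: the historical
# default "yes" permits NTLMv1, and "no" is an alias for "ntlmv2-only".
NTLM_AUTH_ALIASES = {
    "yes": "ntlmv1-permitted", "true": "ntlmv1-permitted", "1": "ntlmv1-permitted",
    "no": "ntlmv2-only", "false": "ntlmv2-only", "0": "ntlmv2-only",
}
# Value names taken from the proposal in the thread (assumed canonical spellings).
KNOWN_MODES = {"ntlmv1-permitted", "ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; smb.conf keys are case- and whitespace-insensitive."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside any section
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()  # collapse internal whitespace
        sections[current][key] = value.strip()
    return sections


def normalize_ntlm_auth(value):
    """Map yes/no style spellings onto the named modes; unknown values pass through."""
    v = value.strip().lower()
    return NTLM_AUTH_ALIASES.get(v, v)


def assess(conf_text):
    """Summarise the NTLM-related settings; a missing "ntlm auth" uses the
    default of "yes" that the thread reports for releases before 4.5."""
    g = parse_smb_conf(conf_text).get("global", {})
    mode = normalize_ntlm_auth(g.get("ntlm auth", "yes"))
    if mode not in KNOWN_MODES:
        mode = "unknown"
    lanman = g.get("lanman auth", "no").strip().lower() in ("yes", "true", "1")
    ntlmssp_off = g.get("gensec:ntlmssp", "yes").strip().lower() in ("no", "false", "0")

    findings = []
    if lanman:
        findings.append("lanman auth is enabled: LM responses are accepted")
    if mode == "ntlmv1-permitted":
        findings.append("ntlm auth permits NTLMv1 responses")
    if mode != "disabled":
        findings.append("NTLM authentication is still accepted; only 'disabled' turns off the NTLM stack")
    return {
        "ntlm_auth": mode,
        "lanman_auth": lanman,
        "gensec_ntlmssp_off": ntlmssp_off,
        "ntlm_blocked": mode == "disabled",
        "findings": findings,
    }


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
"""

LEGACY_NO_CONF = """
[global]
    workgroup = EXAMPLE
    Ntlm  Auth = no
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    ntlm auth = disabled
    lanman auth = no
    gensec:ntlmssp = no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("legacy", LEGACY_NO_CONF), ("hardened", HARDENED_CONF)):
        result = assess(conf)
        print(f"{name}: ntlm auth={result['ntlm_auth']} blocked={result['ntlm_blocked']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a real smb.conf by reading the file into assess(); the key/whitespace normalisation matters because `testparm` accepts "Ntlm  Auth" and "ntlm auth" as the same parameter, so a naive string match would miss the setting.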