Bug 11923 - Request to completely disable NTLM
Product: Samba 4.1 and newer
Classification: Unclassified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-05-19 02:38 UTC by Kelvin Yip
Modified: 2017-06-28 09:54 UTC (History)
Description Kelvin Yip 2016-05-19 02:38:12 UTC
I found that there is no way to completely disable NTLM and NTLM V2 in samba4.

My purpose is to ensure that if someone brings their own workstation back to the office, they cannot connect to the samba4 server using their username and password.

On Windows, there is a Security Setting to do this (Local Policies -> Security Options -> Network Security: Restrict NTLM: Incoming NTLM Traffic).

I have confirmed with Jeremy Allison that such configuration is not available at the moment.

So, may I request that the Samba development team add such a feature in the future? This is a very important security feature. Please consider it.

Comment 1 Stefan Metzmacher 2016-05-19 15:34:32 UTC
This is planned for 4.5 or 4.6, in a similar way to Windows.
Comment 2 Stefan Metzmacher 2016-05-19 15:37:30 UTC
Completely untested, but "gensec:ntlmssp=no" together with "ntlm auth = no" in the [global] section of smb.conf may already provide something...
Comment 3 Jeremy Allison 2016-05-19 16:00:05 UTC
We might want to imply gensec:ntlmssp=no if ntlm auth = no is set.

I'll investigate !
Comment 4 Stefan Metzmacher 2016-05-19 16:24:11 UTC
(In reply to Jeremy Allison from comment #3)

No, "ntlm auth" just means NTLMv1 is disabled and we'll disable that by default
for 4.5. I've already started with the patches.

We really need "server ntlm blocked", "client ntlm blocked" or "client ntlm whitelist" options and implement them like the options on windows.
Comment 5 Jeremy Allison 2016-05-19 16:28:07 UTC
Well, people use "ntlm" as a generic catch-all term for both v1 and v2. Maybe we need separate "ntlmv1" and "ntlmv2" parameters with "ntlmv1 = no" by default, and a generic "ntlm = no" that disables both.

That seems logical to me, but I'm not wedded to the idea.
Comment 6 Stefan Metzmacher 2016-05-19 18:56:37 UTC
(In reply to Jeremy Allison from comment #5)

"ntlm auth" already exists (with a default of "yes") together with
"lanman auth" (with a default of "no").
Comment 7 Jeremy Allison 2016-05-19 19:05:59 UTC
Oh. That's horribly confusing :-). I don't think Microsoft use "lanman auth" anymore in their docs.
Comment 8 Andrew Bartlett 2017-01-03 08:46:43 UTC
(In reply to Jeremy Allison from comment #7)
I do agree. I wish I had chosen better names when I was adding them a long time ago.
Comment 9 Andrew Bartlett 2017-06-27 22:22:42 UTC
A useful way forward would be:

ntlm auth = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]

Disabled should kill both the SAMR password change (RC4 based) and the NTLM auth stack.

The alias of no -> ntlmv2-only is unfortunate, but is the best way out of this pickle.
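The thread leaves an administrator with three different settings to reason about: "ntlm auth = no" (which, per comment 4, only switches off NTLMv1), the untested "gensec:ntlmssp = no" suggestion from comment 2, and the multi-valued "ntlm auth" keywords proposed in comment 9. The following audit script is an added example, not code from the Samba project or from any of the commenters; it parses the [global] section of an smb.conf and reports which NTLM flavours the file still accepts, using only the semantics stated in the comments above. The sample configurations are constructed for the example, the "yes" default for "ntlm auth" is the one comment 6 states, and the keyword values from comment 9 are a proposal, so they are assumptions about Samba rather than documented behaviour.

```python
"""Audit the NTLM-related [global] settings of an smb.conf file.

Added example, not code from the Samba project.  The semantics encoded here
are only what this bug thread states: "ntlm auth = no" turns off NTLMv1 but
leaves NTLMv2 (comment 4); adding "gensec:ntlmssp = no" is the untested
suggestion from comment 2; the multi-valued "ntlm auth" keywords are the
proposal from comment 9 (an assumption, they may differ from what shipped).
"""
import configparser
import io
import re

# "ntlm auth" values grouped by what the thread says they allow.
NTLMV1_ON = {"yes", "true", "1"}
NTLMV1_OFF = {"no", "false", "0", "ntlmv2-only", "mschapv2-and-ntlmv2-only"}
NTLM_ALL_OFF = {"disabled"}          # proposed in comment 9
BOOL_OFF = {"no", "false", "0"}

# Constructed sample configurations (not from the bug report).
WEAK_CONF = "[global]\n   workgroup = EXAMPLE\n   ntlm auth = yes\n"
NTLMV1_ONLY_OFF_CONF = "[global]\n   workgroup = EXAMPLE\n   ntlm auth = no\n"
COMMENT2_CONF = "[global]\n   ntlm auth = no\n   gensec:ntlmssp = no\n"
PROPOSED_CONF = "[global]\n   ntlm auth = disabled\n"


def _normalise_key(key: str) -> str:
    """Samba matches option names ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", key.strip().lower())


def load_global_section(text: str) -> dict:
    """Return the [global] options of smb.conf text as a lower-cased dict.

    Leading whitespace is stripped per line so configparser does not treat
    indented lines as value continuations, and '=' is the only delimiter,
    because the default ':' delimiter would split a parametric option such
    as gensec:ntlmssp at the wrong place.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = _normalise_key
    parser.read_file(io.StringIO(flat))
    if not parser.has_section("global"):
        return {}
    return {k: v.strip().lower() for k, v in parser.items("global")}


def audit_ntlm(text: str) -> dict:
    """Report which NTLM flavours the configuration still accepts."""
    opts = load_global_section(text)
    ntlm_auth = opts.get("ntlmauth", "yes")            # default per comment 6
    ntlmssp_on = opts.get("gensec:ntlmssp", "yes") not in BOOL_OFF
    findings = []

    if ntlm_auth in NTLMV1_ON:
        ntlmv1, ntlmv2 = True, True
        findings.append("ntlm auth = yes: NTLMv1 and NTLMv2 accepted")
    elif ntlm_auth in NTLMV1_OFF:
        ntlmv1, ntlmv2 = False, True
        findings.append(f"ntlm auth = {ntlm_auth}: NTLMv1 off, NTLMv2 still accepted")
    elif ntlm_auth in NTLM_ALL_OFF:
        ntlmv1, ntlmv2 = False, False
        findings.append("ntlm auth = disabled: NTLM auth stack off (proposed value)")
    else:
        ntlmv1, ntlmv2 = True, True
        findings.append(f"ntlm auth = {ntlm_auth}: unrecognised value, assuming default")

    if not ntlmssp_on:
        findings.append("gensec:ntlmssp = no: NTLMSSP mechanism disabled (untested, comment 2)")

    # Blocked either by the proposed "disabled" value or by the comment 2
    # combination of NTLMv1 off plus the NTLMSSP mechanism removed.
    blocked = (not ntlmv1 and not ntlmv2) or (not ntlmv1 and not ntlmssp_on)
    return {"ntlmv1": ntlmv1, "ntlmv2": ntlmv2, "ntlmssp": ntlmssp_on,
            "ntlm_blocked": blocked, "findings": findings}


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("ntlmv1 off", NTLMV1_ONLY_OFF_CONF),
                       ("comment 2", COMMENT2_CONF), ("proposed", PROPOSED_CONF)]:
        report = audit_ntlm(conf)
        print(f"{name:12s} blocked={report['ntlm_blocked']}  " + "; ".join(report["findings"]))
```

The script is a configuration review aid, not a substitute for testing against a real client or for `testparm`; its value is in making the distinction from comment 4 explicit, so that a file containing only "ntlm auth = no" is not mistaken for one that blocks NTLM entirely.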