Bug 11923 - Request to completely disable NTLM
Summary: Request to completely disable NTLM
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.4.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-05-19 02:38 UTC by Kelvin Yip
Modified: 2018-08-15 02:01 UTC
CC List: 3 users

See Also:

test for this bug backported from master (4.46 KB, patch)
2017-07-24 02:18 UTC, Andrew Bartlett
metze: review+

Description Kelvin Yip 2016-05-19 02:38:12 UTC
I found that there is no way to completely disable NTLM and NTLM V2 in samba4.

My purpose is to ensure that if someone brings their own workstation back to the office, they cannot connect to the samba4 server using their username and password.

On Windows, there is a Security Setting to do this (Local Policies -> Security Options -> Network Security: Restrict NTLM: Incoming NTLM Traffic).

I have confirmed with Jeremy Allison that such configuration is not available at the moment.

So, may I request that the Samba development team add such a feature in the future? This is a very important security feature. Please consider.

Comment 1 Stefan Metzmacher 2016-05-19 15:34:32 UTC
This is planned for 4.5 or 4.6 in a similar way to Windows.
Comment 2 Stefan Metzmacher 2016-05-19 15:37:30 UTC
Completely untested, but "gensec:ntlmssp=no" together with "ntlm auth = no" in the [global] section of smb.conf may already provide something...
Comment 3 Jeremy Allison 2016-05-19 16:00:05 UTC
We might want to imply gensec:ntlmssp=no if ntlm auth = no is set.

I'll investigate !
Comment 4 Stefan Metzmacher 2016-05-19 16:24:11 UTC
(In reply to Jeremy Allison from comment #3)

No, "ntlm auth" just means NTLMv1 is disabled and we'll disable that by default
for 4.5. I've already started with the patches.

We really need "server ntlm blocked", "client ntlm blocked" or "client ntlm whitelist" options and to implement them like the options on Windows.
Comment 5 Jeremy Allison 2016-05-19 16:28:07 UTC
Well, people use "ntlm" as a generic catchall term for both v1 and v2. Maybe we need separate "ntlmv1" and "ntlmv2" parameters with "ntlmv1 = no" by default, and a generic "ntlm = no" disables both.

That seems logical to me, but I'm not wedded to the idea.
Comment 6 Stefan Metzmacher 2016-05-19 18:56:37 UTC
(In reply to Jeremy Allison from comment #5)

"ntlm auth" already exists (with a default of "yes") together with
"lanman auth" (with a default of "no").
Comment 7 Jeremy Allison 2016-05-19 19:05:59 UTC
Oh. That's horribly confusing :-). I don't think Microsoft use "lanman auth" anymore in their docs.
Comment 8 Andrew Bartlett 2017-01-03 08:46:43 UTC
(In reply to Jeremy Allison from comment #7)
I do agree.  I wish I had chosen better names when I was adding them a long time ago.
Comment 9 Andrew Bartlett 2017-06-27 22:22:42 UTC
A useful way forward would be:

ntlm auth = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]

Disabled should kill both the SAMR password change (RC4 based) and the NTLM auth stack.

The alias of no -> ntlmv2-only is unfortunate, but is the best way out of this pickle.
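An added audit helper (not Samba's code and not part of this bug) that reads the [global] section of an smb.conf and reports what each "ntlm auth" level still leaves enabled, using the level/alias table proposed in comment 9 together with the "ntlmv1-permitted" name that Samba 4.7's smb.conf(5) adopted for "yes"; the default level is an assumption taken from the 4.5 change announced in comment 4, and the sample config is constructed.

```python
"""Audit the 'ntlm auth' level of an smb.conf [global] section."""

# Levels from comment 9 plus the 4.7 smb.conf(5) spelling of "yes";
# "yes"/"no" stay accepted as aliases of the first two levels.
NTLM_AUTH_LEVELS = {
    "yes": "ntlmv1-permitted", "ntlmv1-permitted": "ntlmv1-permitted",
    "no": "ntlmv2-only", "ntlmv2-only": "ntlmv2-only",
    "mschapv2-and-ntlmv2-only": "mschapv2-and-ntlmv2-only",
    "disabled": "disabled",
}
DEFAULT_NTLM_AUTH = "ntlmv2-only"  # assumption: default since 4.5 (comment 4)
TRUE_WORDS = ("yes", "true", "1")   # Samba boolean spellings

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalized key: value}}.
    Samba ignores case and whitespace in parameter names, so
    'NTLM Auth' and 'ntlmauth' both become 'ntlmauth'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # comment or blank
            continue
        if line[0] == "[" and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)          # split on first '=' only
        sections[current]["".join(key.split()).lower()] = value.strip()
    return sections

def ntlm_auth_status(conf_text):
    """Return which NTLM-family mechanisms the [global] settings still allow."""
    g = parse_smb_conf(conf_text).get("global", {})
    raw = g.get("ntlmauth", DEFAULT_NTLM_AUTH).lower()
    level = NTLM_AUTH_LEVELS.get(raw)
    if level is None:
        raise ValueError("unknown 'ntlm auth' value: %r" % raw)
    return {
        "level": level,
        "ntlmv1": level == "ntlmv1-permitted",
        "ntlmv1_for_mschapv2": level in ("ntlmv1-permitted",
                                         "mschapv2-and-ntlmv2-only"),
        "ntlmv2": level != "disabled",
        "ntlm_password_change": level != "disabled",  # SAMR path, comment 9
        "lanman": g.get("lanmanauth", "no").lower() in TRUE_WORDS,
    }

SAMPLE_SMB_CONF = """\
# constructed sample, not a real deployment
[global]
    workgroup = EXAMPLE
    NTLM Auth = disabled
    lanman auth = no
[share]
    path = /srv/share
"""
```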
Comment 10 Stefan Metzmacher 2017-07-01 22:45:16 UTC
(In reply to Andrew Bartlett from comment #9)

I think on Windows it's possible to do the restriction per something like
computer/domain only.

See https://technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx

E.g. for "require strong key = yes" we allow
"require strong key:NETBIOSDOMAIN = no" to overwrite it.

I think we also need to separate between the 3 cases:

- restrict the client side to never use NTLM*

- restrict in the server code (the smb server for non spnego dialects
  and the NTLMSSP server)

- restrict NTLM* in the netlogon server, based on computer name
  and domain name, maybe also user name.

But "ntlm auth = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]" is certainly a good start. I'm just not sure how to do overwrites.

"ntlm auth:domain $DOMAIN = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]"

"ntlm auth:computer $COMPUTER = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]"

"ntlm auth:user $USERDOMAIN\\$USER = [ yes | no / ntlmv2-only | mschapv2-and-ntlmv2-only | disabled ]"
Comment 11 Andrew Bartlett 2017-07-03 04:24:21 UTC
(In reply to Stefan Metzmacher from comment #10)
Honestly, I would prefer to have that be extensions in the directory, not smb.conf values.

We need to read up on the protected groups etc.
Comment 12 Stefan Metzmacher 2017-07-03 06:30:27 UTC
(In reply to Andrew Bartlett from comment #11)

Yes, it would be good to implement it like Windows,
but I fear that there's much more work required for that.
Comment 13 Andrew Bartlett 2017-07-24 02:18:22 UTC
Created attachment 13418 [details]
test for this bug backported from master

The attached patch confirms that we do disable NTLM password changes when ntlm authentication is disabled against this SAM.
Comment 14 Stefan Metzmacher 2017-08-16 06:21:18 UTC
Karolin, please pick this for the next 4.7rc
Comment 15 Karolin Seeger 2017-08-16 06:48:12 UTC
(In reply to Stefan Metzmacher from comment #14)
Pushed to autobuild-v4-7-test.
Comment 16 Karolin Seeger 2017-08-17 08:28:31 UTC
Pushed "test for this bug backported from master" to v4-7-test.
Re-assigning to Andrew.
Comment 17 Andrew Bartlett 2018-08-15 02:01:54 UTC
Closing as fixed in Samba 4.7 and later.  The original issue is resolved, additional possible security features can be implemented when time permits.