Bug 14461 - Samba should not honour LMv2 response by default
Summary: Samba should not honour LMv2 response by default
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.0.rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-10 09:57 UTC by Andrew Bartlett
Modified: 2021-03-18 22:45 UTC
CC List: 0 users

See Also:


Attachments

Description Andrew Bartlett 2020-08-10 09:57:44 UTC
LMv2 is a cut-down version of NTLMv2 that was designed to allow for pass-through of NTLMv2-strength crypto when connecting to old servers that expected a LanMan password or would cut the longer NTLMv2 password down.

It creates security issues like CVE-2019-1338 in Windows and has no place in the modern ecosystem.

Samba has not sent LMv2 responses in NTLMSSP since the BadLock fixes.

This makes it depend on "raw ntlmv2 auth" which also has the same issues.
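Both responses are derived from the same NTOWFv2 key; what differs is how much the HMAC covers. The Python below is an added example written for this page (it is not Samba's code and not the reporter's). It follows the response derivations in MS-NLMP, uses a constructed NT hash, challenges and target info, and a hypothetical honour_lmv2 flag standing in for a server-side setting. It shows that the LMv2 MAC binds only the two 8-byte challenges, while NTLMv2 also binds the timestamp and the server's target info, and it shows a verifier that authenticates on the NTLMv2 response alone by default, which is the behaviour this bug asks for.

```python
"""LMv2 vs NTLMv2 response derivation and a verifier that does not honour
LMv2 by default.  Example code for this bug page, not Samba's implementation;
derivations follow MS-NLMP 3.3.2.  All sample inputs are constructed."""
import hashlib
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) || domain)).
    The NT hash (MD4 of the UTF-16LE password) is taken as input here."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(nb_domain: str) -> bytes:
    """Minimal target info: one MsvAvNbDomainName (id 2) pair, then MsvAvEOL."""
    value = nb_domain.encode("utf-16-le")
    return struct.pack("<HH", 2, len(value)) + value + struct.pack("<HH", 0, 0)


def ntlmv2_response(ntowf2: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, target_info: bytes) -> bytes:
    """NTLMv2 response = NTProofStr || temp.  temp carries the timestamp, the
    client nonce and the server's AV pairs, so the MAC binds all of them."""
    temp = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)     # FILETIME
            + client_challenge                 # 8-byte client nonce
            + b"\x00" * 4
            + target_info                      # AV pairs from the CHALLENGE message
            + b"\x00" * 4)
    nt_proof = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def lmv2_response(ntowf2: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """LMv2 = HMAC-MD5(NTOWFv2, ServerChallenge || ClientChallenge) || ClientChallenge.
    Same key as NTLMv2, but only the two challenges are covered: no timestamp,
    no target info.  That is the 'cut-down' part."""
    mac = hmac.new(ntowf2, server_challenge + client_challenge, hashlib.md5).digest()
    return mac + client_challenge


def verify_ntlmv2(ntowf2: bytes, server_challenge: bytes, response: bytes) -> bool:
    """Recompute NTProofStr over the client-supplied temp blob and compare."""
    if len(response) < 16 + 36 or response[16:18] != b"\x01\x01":  # proof + minimal temp
        return False
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def verify_lmv2(ntowf2: bytes, server_challenge: bytes, response: bytes) -> bool:
    if len(response) != 24:
        return False
    mac, client_challenge = response[:16], response[16:]
    expected = hmac.new(ntowf2, server_challenge + client_challenge, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def authenticate(ntowf2: bytes, server_challenge: bytes, nt_response: bytes,
                 lm_response: bytes, honour_lmv2: bool = False):
    """Policy requested by this bug: accept on a valid NTLMv2 response; treat
    LMv2 as a legacy fallback that is off unless explicitly enabled.
    honour_lmv2 is a hypothetical stand-in for a server setting."""
    if nt_response and verify_ntlmv2(ntowf2, server_challenge, nt_response):
        return "ntlmv2"
    if honour_lmv2 and lm_response and verify_lmv2(ntowf2, server_challenge, lm_response):
        return "lmv2"
    return None


# Constructed sample inputs (the NT hash is the well-known hash of "password").
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")
TIMESTAMP = 0x01D6B0A0C0A0B0A0


def demo() -> dict:
    key = ntowf_v2(NT_HASH, "user", "EXAMPLE")
    lm = lmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    nt_a = ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, av_pairs("EXAMPLE"))
    nt_b = ntlmv2_response(key, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, av_pairs("OTHER"))
    tampered = nt_a[:16] + nt_b[16:]   # proof from one target info, temp from another
    return {
        "full": authenticate(key, SERVER_CHALLENGE, nt_a, lm),
        "lmv2_only_default": authenticate(key, SERVER_CHALLENGE, b"", lm),
        "lmv2_only_honoured": authenticate(key, SERVER_CHALLENGE, b"", lm, honour_lmv2=True),
        "wrong_server_challenge": authenticate(key, bytes.fromhex("fedcba9876543210"), nt_a, lm, honour_lmv2=True),
        "ntlmv2_binds_target_info": nt_a != nt_b,
        "tampered_target_info_rejected": not verify_ntlmv2(key, SERVER_CHALLENGE, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The LMv2 verifier needs nothing the NTLMv2 verifier does not already have, so a server that accepts it gains no compatibility with NTLMv2 clients; it only adds a second, weaker proof that a client can present on its own.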
Comment 1 Andrew Bartlett 2021-03-18 22:45:31 UTC
The WIP branch I have at https://gitlab.com/samba-team/samba/-/merge_requests/1503 needs the knownfail entries updated (or tests tweaked) so it can be merged.