Univention Bugzilla – Bug 46782
UCS still allows NTLMv1, should switch to Samba default "ntlmv2-only"
Last modified: 2019-03-01 21:42:15 CET
The UCS default of "yes" for the smb.conf parameter "ntlm auth" means that NTLMv1 is enabled by default. This is more explicit in the new naming introduced by Samba 4.7.0. Quoting man smb.conf:

========================================================================
The available settings are:

· ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all clients.
· ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but permit NTLMv2.
· mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).
· disabled - Do not accept NTLM (or LanMan) authentication of any level, nor permit NTLM password changes.

The default changed from yes to no with Samba 4.5. The default changed again to ntlmv2-only with Samba 4.7, however the behaviour is unchanged.
========================================================================

I think we should adjust UCS to use the Samba default "ntlmv2-only". We just didn't want to change this in 4.1-4, but the UCS default can be considered a security issue.

+++ This bug was initially created as a clone of Bug #42847 +++

See Bug #42624. Samba 4.5 changes the default from 'ntlm auth' from yes to no. We shouldn't change the default with UCS 4.1-4.
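The practical question behind this report is whether a given smb.conf still permits NTLMv1, which is not obvious when the value is written as the alias "yes". The following audit script is an added example and is not Univention or Samba code: it reads the "ntlm auth" line from the [global] section, maps the aliases listed in man smb.conf onto the Samba 4.7 names, and reports whether NTLMv1 is permitted for all clients. It assumes the parameter lives in [global] and that an absent parameter means the Samba 4.5+ default (ntlmv2-only); the UCS template variable samba/ntlm/auth that generates that line is not modelled, and the two configuration files are constructed samples, not files from the bug.

```shell
#!/bin/sh
# Added audit example (not Univention or Samba code): determine the effective
# "ntlm auth" setting of an smb.conf and whether NTLMv1 is still permitted.
# Assumptions: Samba "key = value" syntax, parameter in [global], an unset
# parameter means the Samba >= 4.5 default "ntlmv2-only".

# Print the normalised "ntlm auth" value of the smb.conf given as $1.
ntlm_auth_setting() {
    raw=$(sed -n '/^[[:space:]]*\[[Gg][Ll][Oo][Bb][Aa][Ll]]/,/^[[:space:]]*\[/{
/^[[:space:]]*[Nn][Tt][Ll][Mm][[:space:]]*[Aa][Uu][Tt][Hh][[:space:]]*=/{
s/^[^=]*=[[:space:]]*//
s/[[:space:]]*$//
p
}
}' "$1" | tail -n 1)
    # Map the aliases from man smb.conf onto the Samba 4.7 names.
    case "$(printf '%s' "$raw" | tr 'A-Z' 'a-z')" in
        ''|no|false|0|ntlmv2-only)    echo ntlmv2-only ;;
        yes|true|1|ntlmv1-permitted)  echo ntlmv1-permitted ;;
        mschapv2-and-ntlmv2-only)     echo mschapv2-and-ntlmv2-only ;;
        disabled)                     echo disabled ;;
        *)                            echo "unknown:$raw" ;;
    esac
}

# Exit status 0 when NTLMv1 is permitted for all clients, 1 otherwise.
ntlmv1_permitted() {
    [ "$(ntlm_auth_setting "$1")" = ntlmv1-permitted ]
}

# Constructed sample files: the old UCS default beside the corrected setting.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK="$WORK/smb.conf.weak"
FIXED="$WORK/smb.conf.fixed"
cat > "$WEAK" <<'EOF'
[global]
    workgroup = EXAMPLE
    ntlm auth = yes
[homes]
    browseable = no
EOF
cat > "$FIXED" <<'EOF'
[global]
    workgroup = EXAMPLE
    ntlm auth = ntlmv2-only
EOF

for f in "$WEAK" "$FIXED"; do
    if ntlmv1_permitted "$f"; then
        echo "$f: ntlm auth = $(ntlm_auth_setting "$f") -> NTLMv1 permitted (weak)"
    else
        echo "$f: ntlm auth = $(ntlm_auth_setting "$f") -> NTLMv1 rejected"
    fi
done
```

Point the functions at a real /etc/samba/smb.conf to check a host; a result other than ntlmv1-permitted means NTLMv1 is refused, which is the state this bug moves UCS to by default.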
a2579401a4 | Adjust default for samba/ntlm/auth ("ntlm auth") to match samba
53f2c1d2a8 | Advisory
OK - ntlmv2-only is default for ntlm auth
OK - UCR description
OK - yaml
Reopen: Also needed fixing in univention-samba:
2e73fefa7e | Similar patch for univention-samba
553b50d887 | Advisory
OK - univention-samba
OK - yaml
<http://errata.software-univention.de/ucs/4.3/166.html>
<http://errata.software-univention.de/ucs/4.3/167.html>