"lanman auth" question


Samba - General mailing list
Hi All,

Server:
    Fedora 26
    samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
    XP Pro SP3


I set all five of my customer XP workstations to

Send NTLMv2 response only\\refuse LM and NTLM

and turned off (smb.conf)

   lanman auth = yes
   ntlm auth = yes

and had to turn it right back on, as the customer's
Xerox Workcentre 3550 multifunction printer scanner
requires it.

What are the security ramifications to Samba?

Many thanks,
-T
Tony Ewell, B.S.E.E.
Owner, Rent-A-Nerd Computer Services
775-265-5150,  9:00 am to 5:00 pm PST/PDT


Error from the scanner:

Destination 1      : Status....Failed
Status Details     : username or password is wrong
Friendly Name      : WorkCenter
Server Name        : 192.168.255.12
Path               : scans
Protocol           : SMB
Filing Policy      : CHANGENAME
Document Name      : 1





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: "lanman auth" question

Samba - General mailing list
Lanman should always be disabled. Use "testparm -v" to make sure the
settings are applied as you expect. With different Samba versions, the
defaults may change.

I don't think you can disable NTLMv1 but leave NTLMv2 enabled. I could
be wrong. NTLMv2 is stronger. And I think clients will negotiate the
strongest common protocol. If you are in a small network where you can
see what is getting added, and you are using Ethernet switches (not
Ethernet hubs) to minimize packet capture, you should be OK (unless you
are designing the next stealth fighter). Best practices would dictate
NTLMv2 if possible.


I would try disabling lanman, leaving ntlm enabled, and see if the Xerox
works.


On 10/02/17 17:16, ToddAndMargo via samba wrote:

> Hi All,
>
> Server:
>    Fedora 26
>    samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
>    XP Pro SP3
>
>
> I set all five of my customer XP workstations to
>
> Send NTLMv2 response only\\refuse LM and NTLM
>
> and turned off (smb.conf)
>
>   lanman auth = yes
>   ntlm auth = yes
>
> and had to turn it right back on, as the customer's
> Xerox Workcentre 3550 multifunction printer scanner
> requires it.
>
> What are the security ramifications to Samba?
>
> Many thanks,
> -T
> Tony Ewell, B.S.E.E.
> Owner, Rent-A-Nerd Computer Services
> 775-265-5150,  9:00 am to 5:00 pm PST/PDT
>
>
> Error from the scanner:
>
> Destination 1      : Status....Failed
> Status Details     : username or password is wrong
> Friendly Name      : WorkCenter
> Server Name        : 192.168.255.12
> Path               : scans
> Protocol           : SMB
> Filing Policy      : CHANGENAME
> Document Name      : 1
>
>
>
>
>


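An added example, not from the thread or from the Samba project: a small Python checker for the two settings discussed, `lanman auth` and `ntlm auth`, run over constructed testparm-style output. It relies on Samba's documented defaults (`lanman auth = no`, and `ntlm auth = ntlmv2-only` since Samba 4.5, which accepts NTLMv2 while refusing NTLMv1), so feed it the effective settings from `testparm -v` rather than a hand-written smb.conf.

```python
import re

# Values Samba accepts for a boolean "no" (compared case-insensitively).
_FALSE = {"no", "false", "0"}
# "ntlm auth" has been an enum since Samba 4.5: "yes" is an alias for
# ntlmv1-permitted, "no" for disabled; the default is ntlmv2-only.
_NTLM_WEAK = {"yes", "true", "1", "ntlmv1-permitted"}
_NTLM_OK = {"ntlmv2-only", "mschapv2-and-ntlmv2-only",
            "no", "false", "0", "disabled"}

_PARAM = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*=\s*(.*?)\s*$")


def parse_testparm(text):
    """Map 'parameter = value' lines to {name: value}; section headers are skipped."""
    params = {}
    for line in text.splitlines():
        m = _PARAM.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2).lower()
    return params


def audit_auth(text):
    """Return findings for weak auth settings; an empty list means none enabled."""
    p = parse_testparm(text)
    findings = []
    if p.get("lanman auth", "no") not in _FALSE:        # Samba default: no
        findings.append("lanman auth enabled: LM responses (upper-cased, "
                        "14 chars, two independent 7-char halves) accepted")
    ntlm = p.get("ntlm auth", "ntlmv2-only")             # default since 4.5
    if ntlm in _NTLM_WEAK:
        findings.append(f"ntlm auth = {ntlm}: NTLMv1 responses accepted")
    elif ntlm not in _NTLM_OK:
        findings.append(f"ntlm auth = {ntlm}: unrecognised value, check manually")
    return findings


# Constructed samples in testparm's layout: the poster's settings and a
# hardened equivalent (not a capture from the poster's server).
WEAK = "[global]\n\tworkgroup = WORKGROUP\n\tlanman auth = Yes\n\tntlm auth = Yes\n"
HARDENED = "[global]\n\tlanman auth = No\n\tntlm auth = ntlmv2-only\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_auth(conf) or ["no weak auth enabled"])
```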

Re: "lanman auth" question

Samba - General mailing list
> On 10/02/17 17:16, ToddAndMargo via samba wrote:
>> Hi All,
>>
>> Server:
>>    Fedora 26
>>    samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>>    XP Pro SP3
>>
>>
>> I set all five of my customer XP workstations to
>>
>> Send NTLMv2 response only\\refuse LM and NTLM
>>
>> and turned off (smb.conf)
>>
>>   lanman auth = yes
>>   ntlm auth = yes
>>
>> and had to turn it right back on, as the customer's
>> Xerox Workcentre 3550 multifunction printer scanner
>> requires it.
>>
>> What are the security ramifications to Samba?
>>
>> Many thanks,
>> -T
>> Tony Ewell, B.S.E.E.
>> Owner, Rent-A-Nerd Computer Services
>> 775-265-5150,  9:00 am to 5:00 pm PST/PDT
>>
>>
>> Error from the scanner:
>>
>> Destination 1      : Status....Failed
>> Status Details     : username or password is wrong
>> Friendly Name      : WorkCenter
>> Server Name        : 192.168.255.12
>> Path               : scans
>> Protocol           : SMB
>> Filing Policy      : CHANGENAME
>> Document Name      : 1

On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote:
> Lanman should always be disabled. Use "testparm -v" to make sure the
> settings are applied as you expect. With different Samba versions, the
> defaults may change.
>
> I don't think you can disable NTLMv1 but leave NTLMv2 enabled. I could
> be wrong. NTLMv2 is stronger. And I think clients will negotiate the
> strongest common protocol. If you are in a small network where you can
> see what is getting added, and you are using Ethernet switches (not
> Ethernet hubs) to minimize packet capture, you should be OK (unless you
> are designing the next stealth fighter). Best practices would dictate
> NTLMv2 if possible.
>
>
> I would try disabling lanman, leaving ntlm enabled, and see if the Xerox
> works.

If I disable (as I did), then the scanner won't save to smb.
So, I am stuck with it.



Re: "lanman auth" question

Samba - General mailing list
How old is the scanner? Did you check for a firmware update for
it? NTLM has been around for so long that it is hard to imagine
anything that has to have LANMAN support.

On 10/02/17 19:08, ToddAndMargo via samba wrote:

>> On 10/02/17 17:16, ToddAndMargo via samba wrote:
>>> Hi All,
>>>
>>> Server:
>>>    Fedora 26
>>>    samba-4.6.8-0.fc26.x86_64
>>>
>>> Workstations (5 of them):
>>>    XP Pro SP3
>>>
>>>
>>> I set all five of my customer XP workstations to
>>>
>>> Send NTLMv2 response only\\refuse LM and NTLM
>>>
>>> and turned off (smb.conf)
>>>
>>>   lanman auth = yes
>>>   ntlm auth = yes
>>>
>>> and had to turn it right back on, as the customer's
>>> Xerox Workcentre 3550 multifunction printer scanner
>>> requires it.
>>>
>>> What are the security ramifications to Samba?
>>>
>>> Many thanks,
>>> -T
>>> Tony Ewell, B.S.E.E.
>>> Owner, Rent-A-Nerd Computer Services
>>> 775-265-5150,  9:00 am to 5:00 pm PST/PDT
>>>
>>>
>>> Error from the scanner:
>>>
>>> Destination 1      : Status....Failed
>>> Status Details     : username or password is wrong
>>> Friendly Name      : WorkCenter
>>> Server Name        : 192.168.255.12
>>> Path               : scans
>>> Protocol           : SMB
>>> Filing Policy      : CHANGENAME
>>> Document Name      : 1
>
> On 10/02/2017 03:49 PM, Gaiseric Vandal via samba wrote:
> > Lanman should always be disabled. Use "testparm -v" to make sure the
> > settings are applied as you expect. With different Samba versions, the
> > defaults may change.
> >
> > I don't think you can disable NTLMv1 but leave NTLMv2 enabled. I could
> > be wrong. NTLMv2 is stronger. And I think clients will negotiate the
> > strongest common protocol. If you are in a small network where you can
> > see what is getting added, and you are using Ethernet switches (not
> > Ethernet hubs) to minimize packet capture, you should be OK (unless you
> > are designing the next stealth fighter). Best practices would dictate
> > NTLMv2 if possible.
> >
> >
> > I would try disabling lanman, leaving ntlm enabled, and see if the Xerox
> > works.
>
> If I disable (as I did), then the scanner won't save to smb.
> So, I am stuck with it.
>
>



Re: "lanman auth" question

Samba - General mailing list
On 10/03/2017 05:57 AM, Gaiseric Vandal via samba wrote:
> How old is the scanner? Did you check for a firmware update for
> it? NTLM has been around for so long that it is hard to imagine
> anything that has to have LANMAN support.

I called Xerox tech support and their answer was it
was out of support. It is probably seven years old.
It was an expensive scanner, not one of those newfangled
fall-apart-in-two-years scanners. It is working
very well still.

I cannot see the scanner catching WannaCry. My main
concern was the ramifications to Samba of leaving
Lanman activated.



Re: "lanman auth" question

Samba - General mailing list
On Tue, 2017-10-03 at 11:26 -0700, ToddAndMargo via samba wrote:

> On 10/03/2017 05:57 AM, Gaiseric Vandal via samba wrote:
> > How old is the scanner? Did you check for a firmware update for
> > it? NTLM has been around for so long that it is hard to imagine
> > anything that has to have LANMAN support.
>
> I called Xerox tech support and their answer was it
> was out of support. It is probably seven years old.
> It was an expensive scanner, not one of those newfangled
> fall-apart-in-two-years scanners. It is working
> very well still.
>
> I cannot see the scanner catching WannaCry. My main
> concern was the ramifications to Samba of leaving
> Lanman activated.

I'm pretty sure it won't be using Lanman authentication. It will be
using NTLM or NTLMv2.

The weakness of allowing lanman auth is that the passwords are easily
broken (trivially with some CPU) due to being upper-cased and
restricted to 14 chars, of which each 7-char half can be broken independently.
NTLM is not much more: 100 USD and 24 hours of cloud time was quoted to
me two years ago in a Kiwicon presentation.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

