Goal: disable weak authentication methods, both on the client and
server, so that we aren't sending passwords in plaintext across the wire
and also aren't storing weak password hashes on the server
Fixes: LP #163194
Upstream status: pulled from upstream 3.2 git tree, will be superseded
with first release of 3.2
Index: samba-3.0.27a/source/param/loadparm.c
===================================================================
--- samba-3.0.27a.orig/source/param/loadparm.c
+++ samba-3.0.27a/source/param/loadparm.c
@@ -1562,9 +1562,9 @@
Globals.bStatCache = True; /* use stat cache by default */
Globals.iMaxStatCacheSize = 1024; /* one Meg by default. */
Globals.restrict_anonymous = 0;
- Globals.bClientLanManAuth = True; /* Do use the LanMan hash if it is available */
- Globals.bClientPlaintextAuth = True; /* Do use a plaintext password if is requested by the server */
- Globals.bLanmanAuth = True; /* Do use the LanMan hash if it is available */
+ Globals.bClientLanManAuth = False; /* Do NOT use the LanMan hash if it is available */
+ Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
+ Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is available (otherwise NTLMv2) */
Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */
/* Note, that we will use NTLM2 session security (which is different), if it is available */
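Review bot: the three rewritten comments are inconsistent with each other and one drops a word: `Do NOT use the LanMan hash if it is available` reads oddly beside `even if it is supplied` two lines down, and `even if is requested by the server` is missing "it" (carried over from the line it replaces). Suggest `/* Do NOT use the LanMan hash, even if it is available */` and `/* Do NOT use a plaintext password, even if it is requested by the server */`. Separately, bClientNTLMv2Auth stays False, so the client still falls back to NTLMv1 (with NTLM2 session security where available, as the existing comment notes); that matches the stated goal of stopping plaintext and LM on the wire, but the patch header should say explicitly that NTLMv1 remains the client default and that sites which must talk to LM- or plaintext-only servers (the Windows 95/98 case in the smb.conf text below) now have to set `client lanman auth = yes` themselves, since only the compiled-in defaults change here.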
Index: samba-3.0.27a/docs/htmldocs/manpages/smb.conf.5.html
===================================================================
--- samba-3.0.27a.orig/docs/htmldocs/manpages/smb.conf.5.html
+++ samba-3.0.27a/docs/htmldocs/manpages/smb.conf.5.html
@@ -780,7 +780,7 @@
without Windows 95/98 servers are advised to disable
this option. </p><p>Disabling this option will also disable the <code class="literal">client plaintext auth</code> option</p><p>Likewise, if the <code class="literal">client ntlmv2
auth</code> parameter is enabled, then only NTLMv2 logins will be
- attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">yes</code>
+ attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to
authenticate itself to servers using the NTLMv2 encrypted password
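Review bot: the default line is flipped to `no`, but the description in the same paragraph still reads as if the option were on by default (`Servers without Windows 95/98 servers are advised to disable this option`). Suggest rewording that sentence to say the option is disabled by default and only needs enabling in environments that must authenticate to Windows 95/98 servers, so the prose agrees with the new default. Also worth checking: this hunk and the one in docs/manpages/smb.conf.5 below patch two rendered forms of the same paragraph; if the source those manpages are generated from is present in the tree, it needs the same change or the next documentation build will silently undo this.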
@@ -795,7 +795,7 @@
responses, and not the weaker LM or NTLM.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ntlmv2 auth</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext
- password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">yes</code>
+ password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>
This controls whether the client offers or even demands the use of the netlogon schannel.
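Review bot: the `client lanman auth` paragraph above states that disabling that option also disables `client plaintext auth`, so with both defaults now `no` the plaintext fallback is off by two independent settings. That is fine, but the `client plaintext auth` description should mention the dependency, otherwise an administrator who sets `client plaintext auth = yes` for a plaintext-only server will not understand why it has no effect while `client lanman auth` is still at its new default of `no`.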
@@ -2007,7 +2007,7 @@
auth</code> to disable this for Samba's clients (such as smbclient)</p><p>If this option, and <code class="literal">ntlm
auth</code> are both disabled, then only NTLMv2 logins will be
permited. Not all clients support NTLMv2, and most will require
- special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">yes</code>
+ special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
<a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k
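Review bot: `permited` on the context line is a pre-existing typo for `permitted`; since this paragraph is being touched, fix it here and in the troff copy below. More importantly, the sentence it sits in is now the one that matters for the new default: with `lanman auth = no` and `ntlm auth` still enabled (Globals.bNTLMAuth = True in the loadparm.c hunk), NTLMv1 clients keep working but LM-only clients do not, and the paragraph as shown says nothing about that. Suggest adding one sentence noting that the default changed and that `lanman auth = yes` must be set explicitly to keep serving clients that can only send the LANMAN response.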
Index: samba-3.0.27a/docs/manpages/smb.conf.5
===================================================================
--- samba-3.0.27a.orig/docs/manpages/smb.conf.5
+++ samba-3.0.27a/docs/manpages/smb.conf.5
@@ -1272,7 +1272,7 @@
parameter is enabled, then only NTLMv2 logins will be attempted.
.sp
Default:
-\fB\fIclient lanman auth\fR = yes \fR
+\fB\fIclient lanman auth\fR = no \fR
.RE
.PP
client ntlmv2 auth (G)
@@ -1303,7 +1303,7 @@
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.
.sp
Default:
-\fB\fIclient plaintext auth\fR = yes \fR
+\fB\fIclient plaintext auth\fR = no \fR
.RE
.PP
client schannel (G)
@@ -3082,7 +3082,7 @@
are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to use it.
.sp
Default:
-\fB\fIlanman auth\fR = yes \fR
+\fB\fIlanman auth\fR = no \fR
.RE
.PP
large readwrite (G)
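Review bot: `permited` on the context line is the same typo for `permitted` as in the HTML version of this paragraph; correct it in this troff copy as well so the two rendered manpages stay identical after the patch.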