Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
- Subject: Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
- From: Allan Marcus <email@hidden>
- Date: Mon, 30 Mar 2009 11:42:23 -0600
Actually, I meant smb.conf
The option I specified:
client ntlmv2 auth (G)
This parameter determines whether or not smbclient(8)
will attempt to authenticate itself to servers using the
NTLMv2 encrypted password response.
If enabled, only an NTLMv2 and LMv2 response (both much
more secure than earlier versions) will be sent. Many
servers (including NT4 < SP4, Win9x and Samba 2.2) are not
compatible with NTLMv2.
Similarly, if enabled, NTLMv1, client lanman auth and
client plaintext auth authentication will be disabled. This
also disables share-level authentication.
If disabled, an NTLM response (and possibly a LANMAN
response) will be sent by the client, depending on the value of
client lanman auth.
Note that some sites (particularly those following 'best
practice' security policies) only allow NTLMv2 responses,
and not the weaker LM or NTLM.
Default: client ntlmv2 auth = no
I'm not sure, but I think the smb.conf file is used when the Mac is a
client and the nsmb.conf file is used when the Mac is a server. Seems
to me both options should be set. I didn't think about the server
option.
When the Mac is a client, SMB Signing is controlled by the "client
signing" directive in the smb.conf file. I don't know about when the
Mac is a server.
---
Thanks,
Allan Marcus
505-667-5666
On Mar 26, 2009, at 10:53 AM, Paul Nelson wrote:
I think what you meant to refer users to is
man nsmb.conf
This seems to support what people need when the settings are put in
/etc/nsmb.conf:
[default]
minauth=ntlmv2
I did a few tests and this setting works properly, not sending anything
weaker than ntlmv2 even if a user sets up their own nsmb.conf file in
~/Library/Preferences
I don't see anything pertaining to smb signing policy here though.
Paul Nelson
Thursby Software Systems Inc.
From: Allan Marcus <email@hidden>
Date: Wed, 25 Mar 2009 14:48:45 -0600
To: Apple Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
edit /etc/smb.conf
client ntlmv2 auth = yes
man smb.conf
and search for "client ntlmv2 auth"
---
Thanks,
Allan Marcus
505-667-5666
On Mar 25, 2009, at 8:24 AM, Paul Nelson wrote:
One point you need to be aware of, and ask Apple about:
Can you configure your Mac to ONLY use NTLMv2/Kerberos? Furthermore, can
you prevent a user from changing that configuration?
The same goes for the old LanMan hash or even clear text passwords.
Paul Nelson
Thursby Software Systems, Inc.
From: "Miller, Timothy J." <email@hidden>
Date: Wed, 25 Mar 2009 09:15:46 -0400
To: "'Jacob, Raymond A Jr'" <email@hidden>, Apple Fed Talk <email@hidden>
Subject: RE: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
Believe me, you don't want support for *any* NTLM protocols. The NT hash
is the equivalent of the password; in other words, if I have your NT hash
I don't need to know what the password is.
http://oss.coresecurity.com/projects/pshtoolkit.htm
-- Tim
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Jacob, Raymond A Jr
Sent: Tuesday, March 24, 2009 3:15 PM
To: email@hidden
Subject: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
I found a discussion about this topic on the list.
However, the thread occurred a few years ago.
Googling for this topic, I found that there was a mention
that Thursby might support NTLMv2.
Question:
Does Leopard support NTLMv2?
Or, Rather will the next release of OS/X support NTLMV2?
r/Raymond
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
@mitre.org
This email sent to email@hidden
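Added example (not part of the thread, and not Apple's or Samba's code): a small audit of the two settings discussed above, `minauth` in /etc/nsmb.conf and `client ntlmv2 auth` in smb.conf. It goes slightly beyond the thread by also checking sections other than `[default]` in nsmb.conf; the sample file contents, the `[fileserver]` section, the `kerberos` value and the assumed `client lanman auth` default are assumptions of the example.

```python
import re

# Constructed sample files for illustration (not from any real host).
NSMB_WEAK = "[default]\nminauth=ntlmv2\n[fileserver]\nminauth = ntlm\n"
SMB_WEAK = "[global]\n  ; client ntlmv2 auth = yes\n  Client LANMAN Auth = yes\n"
TRUE = {"yes", "true", "1"}
# Assumption: nsmb.conf(5) also accepts "kerberos" as a level above ntlmv2.
STRONG_MINAUTH = {"ntlmv2", "kerberos"}

def norm(name):
    # Names are case-insensitive; smb.conf also ignores whitespace inside them.
    return re.sub(r"\s+", "", name).lower()

def parse_conf(text):
    """Parse smb.conf / nsmb.conf style text into {section: {param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip().lower()
    return sections

def audit_nsmb(text):
    """Findings for /etc/nsmb.conf: minauth must be ntlmv2 or stronger."""
    conf, findings = parse_conf(text), []
    if "minauth" not in conf.get("default", {}):
        findings.append("[default] minauth is not set")
    for name, params in conf.items():
        if "minauth" in params and params["minauth"] not in STRONG_MINAUTH:
            findings.append(f"[{name}] minauth={params['minauth']} allows weaker than NTLMv2")
    return findings

def audit_smb(text):
    """Findings for the smb.conf [global] client authentication settings."""
    g, findings = parse_conf(text).get("global", {}), []
    if g.get("clientntlmv2auth", "no") not in TRUE:   # man page: default is "no"
        findings.append("client ntlmv2 auth is not enabled")
        if g.get("clientlanmanauth", "no") in TRUE:   # assumed default: no
            findings.append("client lanman auth = yes: LANMAN response may be sent")
    return findings

if __name__ == "__main__":
    print("nsmb.conf:", audit_nsmb(NSMB_WEAK) or "OK")
    print("smb.conf:", audit_smb(SMB_WEAK) or "OK")
```

On a managed Mac the functions would be fed the contents of /etc/nsmb.conf and /etc/smb.conf; an empty list means the file enforces NTLMv2 or stronger for that component.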