Do not accept LMv2 authentication by default
LMv2 is a cut-down version of NTLMv2 that was designed to allow for pass-though of NTLMv2-strength crypto when connecting old servers that expected a LanMan password or would cut the longer NTLMv2 password down.
It creates security issues like CVE-2019-1338 in Windows and has no place in the modern ecosystem.
Samba has not sent LMv2 responses in NTLMSSP since the BadLock fixes.
This makes it depend on "raw ntlmv2 auth" which also has the same issues.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14461
Checklist
-
Commits have Signed-off-by:
with name/author being identical to the commit author -
(optional) This MR is just one part towards a larger feature. -
(optional, if backport required) Bugzilla bug filed and BUG:
tag added -
Test suite updated with functionality tests -
Test suite updated with negative tests -
Documentation updated -
CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)
Reviewer's checklist:
-
There is a test suite reasonably covering new functionality or modifications -
Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
-
This feature/change has adequate documentation added -
No obvious mistakes in the code
Edited by Andrew Bartlett