On Wed, 2021-08-18 at 15:08 -0700, Jeremy Allison via samba-technical wrote:
>
> My 2 cents. Preventing NTLM authentication/signing from working would be
> a negative for the Linux kernel client. I don't mind if that code has
> to be isolated inside cifs.ko, but it really needs to keep working,
> at least until we have a pluggable client auth in cifs.ko and Samba
> that allows the single-server (non AD-Domain) case to keep working
> easily.

I would echo that, and also just remind folks that MD4 in NTLMSSP is used as a compression only, it has no security value. The security would be the same if the password was compressed with MD4, SHA1 or SHA256 - the security comes from the complexity of the password and the HMAC-MD5 rounds inside NTLMv2.

I'll also mention the use of MD4, which is used to re-encrypt a short-term key with the long-term key out of the NTLMv2 scheme. This thankfully is an unchecksummed simple RC4 round of one random value with another, so not subject to known-plaintext attacks here.

I know neither MD4 nor HMAC-MD5 is flavour of the month any more, with good reason, but we would not want to go the way of NFSv4 which is, as I understand it, full Kerberos or bust (so folks choose no protection).

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions