Change to Samba default config in Samba 4.5.0

Matthew Newton mcn4 at
Wed Sep 7 17:57:25 CEST 2016

Just for this lists attention as it may affect some people here.

Note the warning at the top of the latest Samba Release Notes,
copied below. I haven't tested it, but it could potentially affect
people authenticating against Samba as a domain controller (but
probably not winbind to Microsoft AD).

Probably another good hint that MSCHAPv2 is ancient, and something
like EAP-TLS would be more appropriate today... :)



Release Announcements

This is the first stable release of the Samba 4.5 release series.


NTLMv1 authentication disabled by default

In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which doesn't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".


----- End forwarded message -----

Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list